
Note:

AWS services italicized in the "AWS Services/Resources" column are out of scope for FedRAMP Moderate and/or ISO 9001/27001/27018.
AWS services in bold in the "AWS Services/Resources" column have been validated by an independent assessor to align to the CSF based on FedRAMP Moderate and/or ISO 9001/27001/27018 accreditation.

Columns: Category | Subcategory | Informative References | AWS Services/Resources | NIST 800-53 Controls Alignment | AWS Responsibility | Customer Responsibility
Category: Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.

Subcategory: ID.AM-1: Physical devices and systems within the organization are inventoried
Informative References:
· CIS CSC 1
· COBIT 5 BAI09.01, BAI09.02
· ISA 62443-2-1:2009 4.2.3.4
· ISA 62443-3-3:2013 SR 7.8
· ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
· NIST SP 800-53 Rev. 4 CM-8, PM-5
AWS Services/Resources: AWS Certifications, AWS Resource Tagging, AWS Config, AWS Config Rules, AWS Cloud Formation, AWS CloudTrail, AWS CloudWatch Logs, Customer Responsibility

CM-8
AWS Responsibility: AWS is wholly responsible to implement a physical inventory control program.
Implementation:
People - All AWS employees and contractors who procure, receive, install, operate, and dispose of physical devices and systems are trained on company policies and procedures. They undergo a background check upon hiring (depth and process varies based on country of hiring, role in AWS, and AWS region supporting). Employees and contractors who do not comply with established policies and procedures may face disciplinary actions, up to and including termination of employment or contract.
Processes - AWS has established policies and processes for the management of physical devices and systems, which include user responsibilities for assigned hardware (e.g., laptops); logisticians for procurement, receiving, inventory, and destruction/disposition; datacenter operators for installation, management, and removal; and IT operations staff for installation, management, and disposition of other devices (e.g., printers).
Technology - AWS employs various technologies to streamline and automate physical asset receipt, inventory, destruction, and shipment.
Customer Responsibility: N/A - Customers do not have any responsibility in the AWS Cloud for the inventory of AWS physical devices and systems. Customers are only responsible for this control for the physical assets they own and operate outside of the Cloud (e.g., servers, computers, network equipment, mobile devices, IoT devices, peripherals, etc.).

PM-5
AWS Responsibility: N/A
Customer Responsibility: N/A


Subcategory: ID.AM-2: Software platforms and applications within the organization are inventoried
Informative References:
· CIS CSC 2
· COBIT 5 BAI09.01, BAI09.02, BAI09.05
· ISA 62443-2-1:2009 4.2.3.4
· ISA 62443-3-3:2013 SR 7.8
· ISO/IEC 27001:2013 A.8.1.1, A.8.1.2, A.12.5.1
· NIST SP 800-53 Rev. 4 CM-8, PM-5
AWS Services/Resources: AWS Organizations, AWS Certifications, AWS Resource Tagging, AWS Config, AWS Config Rules, AWS Cloud Formation, AWS CloudTrail, AWS CloudWatch Logs, Customer Responsibility

CM-8
AWS Responsibility: AWS is responsible for developing, documenting, reviewing, and updating at an organization-defined frequency an inventory of software components for our cloud infrastructure. AWS is responsible for verifying that the inventory: 1) Accurately reflects the current system, 2) Includes all components within the authorization boundary, 3) Is at the level of granularity deemed necessary for tracking and reporting, and 4) Includes the information prescribed by the configuration management policy that is deemed necessary to achieve effective information system component accountability.
Customer Responsibility: AWS customers are responsible for developing, documenting, reviewing, and updating at an organization-defined frequency an inventory of software components for their systems hosted in AWS. AWS customers are responsible for verifying that the inventory: 1) Accurately reflects the current system, 2) Includes all components within the authorization boundary, 3) Is at the level of granularity deemed necessary for tracking and reporting, and 4) Includes the information prescribed by the configuration management policy that is deemed necessary to achieve effective information system component accountability.

PM-5
AWS Responsibility: N/A
Customer Responsibility: N/A

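The four CM-8 inventory criteria above can be checked mechanically once the declared component list is compared against what is actually deployed. The following is an added example, not code from the alignment document or from AWS: the observed records imitate the shape of resource records an inventory service such as AWS Config reports, but they are constructed so the check runs offline, and the required tag names and the in-scope account set are assumed policy values.

```python
"""Reconcile an observed software/component inventory against the declared one.

Added example, not part of the AWS/NIST CSF alignment document. The observed
records imitate the shape of resource records a service such as AWS Config
would report, but they are constructed here so the check runs offline; the
required tag names and the account boundary are assumed policy values.
"""

REQUIRED_TAGS = ("Owner", "System", "DataClassification")  # assumed tagging policy
AUTHORIZATION_BOUNDARY = {"111111111111"}                  # assumed in-scope account(s)

# Constructed snapshot of what is actually deployed.
OBSERVED = [
    {"id": "i-0a1b2c3d", "type": "AWS::EC2::Instance", "account": "111111111111",
     "tags": {"Owner": "payments", "System": "ledger", "DataClassification": "confidential"}},
    {"id": "i-0ffeeddcc", "type": "AWS::EC2::Instance", "account": "111111111111",
     "tags": {"Owner": "payments"}},  # deployed, but partly untagged and never recorded
    {"id": "db-ledger-1", "type": "AWS::RDS::DBInstance", "account": "111111111111",
     "tags": {"Owner": "payments", "System": "ledger", "DataClassification": "confidential"}},
    {"id": "fn-export", "type": "AWS::Lambda::Function", "account": "222222222222",
     "tags": {"Owner": "analytics", "System": "export", "DataClassification": "internal"}},
]

# Constructed declared inventory: the component list the CM record claims is current.
DECLARED = {"i-0a1b2c3d", "db-ledger-1", "i-retired-99"}


def reconcile(observed, declared, boundary, required_tags=REQUIRED_TAGS):
    """Return the discrepancies that would make the inventory fail the CM-8 criteria."""
    observed_ids = {r["id"] for r in observed}
    missing_tags = {}
    for r in observed:
        absent = sorted(set(required_tags) - set(r["tags"]))
        if absent:
            missing_tags[r["id"]] = absent
    return {
        # running but absent from the inventory: the record does not reflect the system
        "unrecorded": sorted(observed_ids - declared),
        # recorded but no longer running: stale entries
        "stale": sorted(declared - observed_ids),
        # running in an account outside the authorization boundary
        "outside_boundary": sorted(r["id"] for r in observed if r["account"] not in boundary),
        # lacking the metadata the CM policy requires for component accountability
        "missing_tags": missing_tags,
    }


def is_accurate(findings):
    """True only when every criterion checked by reconcile() is satisfied."""
    return not any(findings[k] for k in ("unrecorded", "stale", "outside_boundary", "missing_tags"))


def report(findings):
    """One line per discrepancy, suitable for a ticket or a CI log."""
    lines = []
    for kind in ("unrecorded", "stale", "outside_boundary"):
        for rid in findings[kind]:
            lines.append(f"{kind}: {rid}")
    for rid, tags in findings["missing_tags"].items():
        lines.append(f"missing_tags: {rid} lacks {', '.join(tags)}")
    return lines


if __name__ == "__main__":
    result = reconcile(OBSERVED, DECLARED, AUTHORIZATION_BOUNDARY)
    print("\n".join(report(result)) or "inventory matches the observed system")
    print("accurate:", is_accurate(result))
```

Run as-is it flags the unrecorded instance and function, the retired instance that is still listed, the function living outside the boundary, and the instance missing two required tags; an inventory review that clears all four lists is the evidence the customer-responsibility text asks for.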

Subcategory: ID.AM-3: Organizational communication and data flows are mapped
Informative References:
· CIS CSC 12
· COBIT 5 DSS05.02
· ISA 62443-2-1:2009 4.2.3.4
· ISO/IEC 27001:2013 A.13.2.1, A.13.2.2
· NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8
AWS Services/Resources: AWS Certifications, Customer Responsibility, AWS S3, AWS EC2

AC-4
AWS Responsibility: Several network fabrics exist at Amazon, each separated by boundary protection devices that control the flow of information between fabrics. The flow of information between fabrics is established by approved authorizations, which exist as ACLs residing on these devices. ACLs are defined, approved by the appropriate Amazon Information Security team, and managed and deployed using AWS’s ACL-management tool.
Approved firewall rule sets and access control lists between network fabrics restrict the flow of information to specific information system services. ACLs and rule sets are reviewed and approved and are automatically pushed to boundary protection devices on a periodic basis (at least every 24 hours) to ensure rule sets and access control lists are up to date.
AWS implements least privilege throughout its infrastructure components. AWS prohibits all ports and protocols that do not have a specific business purpose. AWS follows a rigorous approach to minimal implementation of only those features and functions that are essential to use of the device. Network scanning is performed, and any unnecessary ports or protocols in use are corrected.
Customer Responsibility: AWS customers are responsible for configuring their systems and all interconnected systems to enforce their approved information flow policies. This can be accomplished through configuration of Amazon Virtual Private Cloud (Amazon VPC) network Access Control Lists (ACL) for controlling inbound/outbound traffic at the subnet level and Amazon VPC security groups for controlling traffic at the instance level.
More information on configuring Amazon VPC is available at http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html.

CA-3
AWS Responsibility:
A. There are no system interconnections.
B. There are no system interconnections.
C. There are no system interconnections.
Customer Responsibility: AWS customers are responsible for documenting, authorizing, reviewing, and updating Interconnection Security Agreements (ISAs) for connections between their system and other systems that include the following information for each connection: 1) Interface characteristics, 2) Security requirements, and 3) The nature of the information communicated. AWS customers are responsible for reviewing and updating ISAs at a frequency defined by their security assessment and authorization policy.

CA-9
AWS Responsibility: Several network fabrics exist at Amazon, each separated by boundary protection devices that control the flow of information between fabrics. The flow of information between fabrics is established by approved authorizations, which exist as access control lists (ACL) residing on these devices. ACLs are defined, approved by the appropriate Amazon Information Security team, and managed and deployed using the AWS ACL-management tool.
Approved firewall rule sets and access control lists between network fabrics restrict the flow of information to specific information system services. Access control lists and rule sets are reviewed and approved, and are automatically pushed to boundary protection devices on a periodic basis (at least every 24 hours) to ensure rule sets and access control lists are up to date.
AWS implements least privilege throughout its infrastructure components. AWS prohibits all ports and protocols that do not have a specific business purpose. AWS follows a rigorous approach to minimal implementation of only those features and functions that are essential to use of the device. Network scanning is performed and any unnecessary ports or protocols in use are corrected.
Customer Responsibility: AWS customers are responsible for documenting and authorizing internal system connections for organization-defined system components or classes of components. For each internal connection, the interface characteristics, security requirements, and the nature of the information communicated should be documented in accordance with the security assessment and authorization policy.

PL-8
AWS Responsibility: AWS gives customers ownership and control over their content by design through simple, but powerful tools that allow customers to determine where their content will be stored, how it will be secured in transit or at rest, and how access to their AWS environment will be managed.
AWS has implemented global privacy and data protection best practices in order to help customers establish, operate and leverage our security control environment. These security protections and control processes are independently validated by multiple third-party independent assessments.
Customer Responsibility: AWS customers are responsible for developing an information security architecture for the information system that: 1) Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information, 2) Describes how the information security architecture is integrated into and supports the enterprise architecture, and 3) Describes any information security assumptions about and dependencies on external services.
AWS customers are responsible for reviewing and updating the information security architecture at an organization-defined frequency to reflect updates in the enterprise architecture. Planned information security architecture changes must be reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.

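The AC-4 customer-responsibility text above relies on two evaluation orders that are easy to get wrong when a flow policy is translated into VPC configuration: a network ACL is a numbered rule list evaluated from the lowest rule number upward, first match wins, and an implicit final rule denies whatever nothing matched; a security group holds allow rules only, and anything unmatched is denied. The example below is added here and is not code from the alignment document or from AWS. The rule sets and sample flows are constructed, and the model is deliberately limited to a single inbound packet: return traffic (network ACLs are stateless, security groups stateful) is not represented.

```python
"""Evaluate inbound flows against a VPC network ACL and a security group.

Added example, not from the AWS/NIST CSF alignment document. The rule sets
and the sample flows are constructed. Network ACL: numbered rules, lowest
number first, first match wins, implicit '*' deny. Security group: allow
rules only, no match means deny. Return traffic is deliberately not modelled.
"""
import ipaddress

# Subnet-level policy (constructed): only HTTPS from the corporate range may
# enter; an explicit SSH deny sits above the implicit "*" deny so that the
# intent is visible when the rule list is audited.
NACL_INBOUND = [
    {"rule": 100, "proto": "tcp", "cidr": "10.20.0.0/16", "ports": (443, 443), "action": "allow"},
    {"rule": 110, "proto": "tcp", "cidr": "0.0.0.0/0", "ports": (22, 22), "action": "deny"},
]

# Instance-level policy (constructed): narrower still, only the app-tier subnet.
SG_INBOUND = [
    {"proto": "tcp", "cidr": "10.20.5.0/24", "ports": (443, 443)},
]


def _matches(rule, flow):
    """Protocol, source CIDR and destination port must all match."""
    if rule["proto"] not in ("-1", flow["proto"]):  # "-1" stands for all protocols
        return False
    if ipaddress.ip_address(flow["src"]) not in ipaddress.ip_network(rule["cidr"]):
        return False
    low, high = rule["ports"]
    return low <= flow["dport"] <= high


def nacl_decision(rules, flow):
    """First matching rule in ascending rule-number order wins; otherwise '*' denies."""
    for rule in sorted(rules, key=lambda r: r["rule"]):
        if _matches(rule, flow):
            return rule["action"], rule["rule"]
    return "deny", "*"


def sg_decision(rules, flow):
    """Security groups only express allows; no match means deny."""
    return "allow" if any(_matches(r, flow) for r in rules) else "deny"


def inbound_allowed(flow, nacl=NACL_INBOUND, sg=SG_INBOUND):
    """A packet reaches the instance only if the subnet ACL and the instance SG both allow it."""
    nacl_action, _ = nacl_decision(nacl, flow)
    return nacl_action == "allow" and sg_decision(sg, flow) == "allow"


def explain(flow, nacl=NACL_INBOUND, sg=SG_INBOUND):
    """Human-readable trace of both decisions, useful when documenting a data flow."""
    nacl_action, rule = nacl_decision(nacl, flow)
    sg_action = sg_decision(sg, flow)
    verdict = "ALLOWED" if inbound_allowed(flow, nacl, sg) else "BLOCKED"
    return (f"{flow['src']} -> {flow['proto']}/{flow['dport']}: "
            f"NACL {nacl_action} (rule {rule}), SG {sg_action} => {verdict}")


# Constructed sample flows: app tier HTTPS, another corporate subnet, SSH, Internet.
SAMPLE_FLOWS = [
    {"src": "10.20.5.7", "proto": "tcp", "dport": 443},
    {"src": "10.20.9.7", "proto": "tcp", "dport": 443},
    {"src": "10.20.5.7", "proto": "tcp", "dport": 22},
    {"src": "203.0.113.9", "proto": "tcp", "dport": 443},
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(explain(f))
```

The second sample flow is the instructive one: the subnet ACL admits it because it comes from the corporate /16, yet the security group still blocks it because the instance only accepts the app-tier /24. Documenting both layers for each mapped data flow is what makes the approved flow policy verifiable rather than implied.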
Subcategory: ID.AM-4: External information systems are catalogued
Informative References:
· CIS CSC 12
· COBIT 5 APO02.02, APO10.04, DSS01.02
· ISO/IEC 27001:2013 A.11.2.6
· NIST SP 800-53 Rev. 4 AC-20, SA-9
AWS Services/Resources: AWS Certifications, Customer Responsibility

AC-20
AWS Responsibility: AWS creates and maintains written agreements with third parties (e.g., contractors or vendors) in accordance with the work or service to be provided (e.g., network services agreement, service delivery agreement, or information exchange agreement) and implements appropriate relationship management mechanisms in line with their relationship to the business. Agreements cover, at a minimum, the following:
• Legal and regulatory requirements applicable to AWS
• User awareness of information security responsibilities and issues
• Arrangements for reporting, notification, and investigation of information security incidents and security breaches
• Target and unacceptable levels of service (e.g., SLA, Operational Level Agreement [OLA])
• Service continuity requirements (e.g., Recovery Time Objective [RTO]), in accordance with AWS business priorities
• Protection of Intellectual Property Rights (IPR) and copyright assignment of AWS
• Conditions for renegotiation/termination of the agreement.
Customer Responsibility: AWS customers are responsible for establishing terms and conditions with other organizations owning, operating, and/or maintaining external information systems. Consistent with any trust relationships established with these external organizations, and in accordance with their access control policy, AWS customers are responsible for authorizing individuals to: 1) Access their system from an external information system and 2) Process, store, or transmit organization-controlled information using external information systems.

SA-9
AWS Responsibility: AWS creates and maintains written agreements with third parties (e.g., contractors or vendors) in accordance with the work or service to be provided (e.g., network services agreement, service delivery agreement, or information exchange agreement) and implements appropriate relationship management mechanisms in line with their relationship to the business. Agreements cover, at a minimum, the following:
• Legal and regulatory requirements applicable to AWS
• User awareness of information security responsibilities and issues
• Arrangements for reporting, notification, and investigation of information security incidents and security breaches
• Target and unacceptable levels of service (e.g., SLA, Operational Level Agreement [OLA])
• Service continuity requirements (e.g., Recovery Time Objective [RTO]), in accordance with AWS business priorities
• Protection of Intellectual Property Rights (IPR) and copyright assignment of AWS
• Conditions for renegotiation/termination of the agreement.
Customer Responsibility: AWS customers are responsible for: 1) Requiring that providers of external information system services comply with organizational information security requirements and employ organization-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, 2) Defining and documenting government oversight and user roles and responsibilities with regard to external information system services, and 3) Employing organization-defined processes, methods, and techniques to monitor security control compliance by external service providers on an ongoing basis.

Subcategory: ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value
Informative References:
· CIS CSC 13, 14
· COBIT 5 APO03.03, APO03.04, APO12.01, BAI04.02, BAI09.02
· ISA 62443-2-1:2009 4.2.3.6
· ISO/IEC 27001:2013 A.8.2.1
· NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14, SC-6
AWS Services/Resources: AWS Tagging, Customer Responsibility

CP-2
AWS Responsibility: The AWS Business Continuity policy lays out the guidelines used to implement procedures to respond to a serious outage or degradation of AWS services, including the recovery model and its implications on the business continuity plan.
Refer to the following AWS Audit Reports for additional details: PCI 3.2, ISO 27001, ISO 27017, NIST 800-53, SOC 2 COMMON CRITERIA
Customer Responsibility: AWS customers are responsible for developing a contingency plan for their system that: 1) Identifies essential missions and business functions and associated contingency requirements, 2) Provides recovery objectives, restoration priorities, and metrics, 3) Addresses contingency roles, responsibilities, and assigned individuals with contact information, 4) Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure, 5) Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented, and 6) Is reviewed and approved by organization-defined personnel or roles in accordance with the contingency planning policy.
AWS customers are responsible for distributing copies of the contingency plan to organization-defined key contingency personnel (identified by name and/or by role) and organizational elements. Contingency planning activities must be coordinated with incident handling activities. The contingency plan must be reviewed at a frequency defined in the contingency planning policy and updated to address changes to their organization, system, or environment of operation and problems encountered during implementation, execution, or testing.
AWS customers are responsible for communicating contingency plan changes to organization-defined personnel and for protecting the contingency plan from unauthorized disclosure and modification.

RA-2
AWS Responsibility: AWS treats all customer content and associated assets as highly confidential. AWS Cloud services are content agnostic in that they offer the same high level of security to all customers, regardless of the type of content being stored. We are vigilant about our customers’ security and have implemented sophisticated technical and physical measures against unauthorized access. AWS has no insight as to what type of content the customer chooses to store in AWS, and the customer retains complete control of how they choose to classify their content, where it is stored, how it is used, and how it is protected from disclosure.
AWS has implemented data handling and classification requirements that provide specifications around:
• Data encryption
• Content in transit and during storage
• Access
• Retention
• Physical controls
• Mobile devices
• Handling requirements
Customer Responsibility: AWS customers are responsible for: 1) Categorizing their information and their information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, 2) Documenting the security categorization results (including supporting rationale) in the security plan for the information system, and 3) Ensuring the security categorization decision is reviewed and approved by the AO or authorizing official designated representative.

SA-14
AWS Responsibility: N/A
Customer Responsibility: N/A

SC-6
AWS Responsibility: AWS operates, manages, and controls the infrastructure components, from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. AWS endpoints are tested as part of AWS compliance vulnerability scans.
AWS Cloud services are managed in a manner that preserves their confidentiality, integrity, and availability. AWS has implemented secure software development procedures that are followed to ensure that appropriate security controls are incorporated into the application design. As part of the application design process, new applications must participate in an AWS Security review, which includes registering the application, initiating application risk classification, participating in architecture review and threat modeling, performing code review, and performing a penetration test.
Customer Responsibility: AWS customers are responsible for configuring their systems to protect the availability of resources by allocating organization-defined resources by priority, quota, or other organization-defined security safeguard.
More information on configuring for fault tolerance and high availability is available at http://media.amazonwebservices.com/architecturecenter/AWS_ac_ra_ftha_04.pdf.

Subcategory: ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
Informative References:
· CIS CSC 17, 19
· COBIT 5 APO01.02, APO07.06, APO13.01, DSS06.03
· ISA 62443-2-1:2009 4.3.2.3.3
· ISO/IEC 27001:2013 A.6.1.1
· NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11
AWS Services/Resources: AWS Certifications, IAM Policies, Customer Responsibility

CP-2
AWS Responsibility: The AWS Business Continuity policy lays out the guidelines used to implement procedures to respond to a serious outage or degradation of AWS services, including the recovery model and its implications on the business continuity plan.
Refer to the following AWS Audit Reports for additional details: PCI 3.2, ISO 27001, ISO 27017, NIST 800-53, SOC 2 COMMON CRITERIA
Customer Responsibility: AWS customers are responsible for developing a contingency plan for their system that: 1) Identifies essential missions and business functions and associated contingency requirements, 2) Provides recovery objectives, restoration priorities, and metrics, 3) Addresses contingency roles, responsibilities, and assigned individuals with contact information, 4) Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure, 5) Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented, and 6) Is reviewed and approved by organization-defined personnel or roles in accordance with the contingency planning policy.
AWS customers are responsible for distributing copies of the contingency plan to organization-defined key contingency personnel (identified by name and/or by role) and organizational elements. Contingency planning activities must be coordinated with incident handling activities. The contingency plan must be reviewed at a frequency defined in the contingency planning policy and updated to address changes to their organization, system, or environment of operation and problems encountered during implementation, execution, or testing.
AWS customers are responsible for communicating contingency plan changes to organization-defined personnel and for protecting the contingency plan from unauthorized disclosure and modification.

PM-11
AWS Responsibility: N/A
Customer Responsibility: N/A

PS-7
AWS Responsibility: AWS creates and maintains written agreements with third parties (e.g., contractors or vendors) in accordance with the work or service to be provided (e.g., network services agreement, service delivery agreement, or information exchange agreement) and implements appropriate relationship management mechanisms in line with their relationship to the business. Agreements cover, at a minimum, the following:
• Legal and regulatory requirements applicable to AWS
• User awareness of information security responsibilities and issues
• Arrangements for reporting, notification, and investigation of information security incidents and security breaches
• Target and unacceptable levels of service (e.g., SLA, Operational Level Agreement [OLA])
• Service continuity requirements (e.g., Recovery Time Objective [RTO]), in accordance with AWS business priorities
• Protection of Intellectual Property Rights (IPR) and copyright assignment of AWS
• Conditions for renegotiation/termination of the agreement.
Customer Responsibility: AWS customers are responsible for: 1) Establishing personnel security requirements including security roles and responsibilities for third-party providers, 2) Requiring third-party providers to comply with personnel security policies and procedures established by their organization, 3) Documenting personnel security requirements, 4) Requiring third-party providers to notify organization-defined personnel or roles of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges or who have information system privileges within an organization-defined time period, and 5) Monitoring provider compliance.

Category: Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

Subcategory: ID.BE-1: The organization’s role in the supply chain is identified and communicated
Informative References:
· COBIT 5 APO08.01, APO08.04, APO08.05, APO10.03, APO10.04, APO10.05
· ISO/IEC 27001:2013 A.15.1.1, A.15.1.2, A.15.1.3, A.15.2.1, A.15.2.2
· NIST SP 800-53 Rev. 4 CP-2, SA-12
AWS Services/Resources: AWS Certifications, Customer Responsibility

CP-2
AWS Responsibility: The AWS Business Continuity policy lays out the guidelines used to implement procedures to respond to a serious outage or degradation of AWS services, including the recovery model and its implications on the business continuity plan.
Refer to the following AWS Audit Reports for additional details: PCI 3.2, ISO 27001, ISO 27017, NIST 800-53, SOC 2 COMMON CRITERIA
Customer Responsibility: AWS customers are responsible for developing a contingency plan for their system that: 1) Identifies essential missions and business functions and associated contingency requirements, 2) Provides recovery objectives, restoration priorities, and metrics, 3) Addresses contingency roles, responsibilities, and assigned individuals with contact information, 4) Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure, 5) Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented, and 6) Is reviewed and approved by organization-defined personnel or roles in accordance with the contingency planning policy.
AWS customers are responsible for distributing copies of the contingency plan to organization-defined key contingency personnel (identified by name and/or by role) and organizational elements. Contingency planning activities must be coordinated with incident handling activities. The contingency plan must be reviewed at a frequency defined in the contingency planning policy and updated to address changes to their organization, system, or environment of operation and problems encountered during implementation, execution, or testing.
AWS customers are responsible for communicating contingency plan changes to organization-defined personnel and for protecting the contingency plan from unauthorized disclosure and modification.

SA-12
AWS Responsibility: Key suppliers are identified and chosen for their ability to provide service to defined requirements. Qualified suppliers are added to the approved supplier list maintained by the AWS supplier management team. Through the use of established assessment procedures, AWS continuously monitors suppliers to ensure that they are conforming to specific AWS requirements. The extent of assessment for a supplier is dependent upon the significance of the product and/or service purchased and, where applicable, upon previously demonstrated performance.
All purchased materials and services intended for use in production processes are specified in purchasing documents. All component/material specification documents are reviewed and approved by management personnel prior to use. Additional requirements not specified on component/material specifications are conveyed via purchase orders or contracts. Purchase orders and/or contracts convey the degree of control AWS establishes with their suppliers to ensure quality product and/or service.
AWS maintains standard contract review and signature processes that include legal reviews that focus on protecting AWS resources.
Customer Responsibility: AWS customers are responsible for protecting against supply chain threats to the information system, system component, or information system service by employing organization-defined security safeguards as part of a comprehensive, defense-in-breadth information security strategy.

Subcategory: ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated
Informative References:
· COBIT 5 APO02.06, APO03.01
· ISO/IEC 27001:2013 Clause 4.1
· NIST SP 800-53 Rev. 4 PM-8
AWS Services/Resources: AWS Certifications, Customer Responsibility

PM-8
AWS Responsibility: N/A
Customer Responsibility: N/A

Subcategory: ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
Informative References:
· COBIT 5 APO02.01, APO02.06, APO03.01
· ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6
· NIST SP 800-53 Rev. 4 PM-11, SA-14
AWS Services/Resources: Customer Responsibility

PM-11
AWS Responsibility: N/A
Customer Responsibility: N/A

SA-14
AWS Responsibility: N/A
Customer Responsibility: N/A

Subcategory: ID.BE-4: Dependencies and critical functions for delivery of critical services are established
Informative References:
· COBIT 5 APO10.01, BAI04.02, BAI09.02
· ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3
· NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14
AWS Services/Resources: AWS Certifications, AWS Best Practices & Reference Architectures, Customer Responsibility

CP-8
AWS Responsibility: The AWS business continuity plan details the three-phased approach that AWS has developed to recover and reconstitute the AWS infrastructure:
• Activation and Notification Phase
• Recovery Phase
• Reconstitution Phase
This approach ensures that AWS performs system recovery and reconstitution efforts in a methodical sequence, maximizing the effectiveness of the recovery and reconstitution efforts and minimizing system outage time due to errors and omissions.
AWS maintains a ubiquitous security control environment across all regions. Each data center is built to physical, environmental, and security standards in an active-active configuration, employing an n+1 redundancy model to ensure system availability in the event of component failure. Components (N) have at least one independent backup component (+1), so the backup component is active in the operation even if all other components are fully functional. In order to eliminate single points of failure, this model is applied throughout AWS, including network and data center implementation. All data centers are online and serving traffic; no data center is “cold.” In case of failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
Customer Responsibility: N/A

PE-11
AWS Responsibility: The AWS data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day. Power to AWS data centers is provided through local power providers. In the event of disruption, UPS units provide backup power for critical and essential loads in the facility and generators are used to provide backup power for the entire facility.
Each Availability Zone is designed as an independent failure zone. Automated processes move customer traffic away from the affected area in the case of a failure.
Customer Responsibility: N/A

PE-9
AWS Responsibility: Access to power equipment, power cabling, and transmission lines is restricted to authorized personnel, and these components are positioned to prevent intentional or accidental damage.
Customer Responsibility: N/A

PM-8
AWS Responsibility: N/A
Customer Responsibility: N/A

SA-14
AWS Responsibility: N/A
Customer Responsibility: N/A

Subcategory: ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)
Informative References:
· COBIT 5 BAI03.02, DSS04.02
· ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1
· NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-13, SA-14
AWS Services/Resources: AWS Certifications, AWS Best Practices & Reference Architectures, Customer Responsibility

CP-11
AWS Responsibility: N/A
Customer Responsibility: N/A

CP-2
AWS Responsibility: AWS region fault isolation architecture, Availability Zones (AZ) architecture within regions, AWS Certifications, AWS Best Practices & Reference Architectures, Customer Responsibility
Customer Responsibility: AWS customers are responsible for developing a contingency plan for their system that: 1) Identifies essential missions and business functions and associated contingency requirements, 2) Provides recovery objectives, restoration priorities, and metrics, 3) Addresses contingency roles, responsibilities, and assigned individuals with contact information, 4) Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure, 5) Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented, and 6) Is reviewed and approved by organization-defined personnel or roles in accordance with the contingency planning policy.
AWS customers are responsible for distributing copies of the contingency plan to organization-defined key contingency personnel (identified by name and/or by role) and organizational elements. Contingency planning activities must be coordinated with incident handling activities. The contingency plan must be reviewed at a frequency defined in the contingency planning policy and updated to address changes to their organization, system, or environment of operation and problems encountered during implementation, execution, or testing.
AWS customers are responsible for communicating contingency plan changes to organization-defined personnel and for protecting the contingency plan from unauthorized disclosure and modification.

SA-13
AWS Responsibility: N/A
Customer Responsibility: N/A

SA-14
AWS Responsibility: N/A
Customer Responsibility: N/A

Category: Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

Subcategory: ID.GV-1: Organizational information security policy is established and communicated

Informative References:
· CIS CSC 19
· COBIT 5 APO01.03, APO13.01, EDM01.01, EDM01.02
· ISA 62443-2-1:2009 4.3.2.6
· ISO/IEC 27001:2013 A.5.1.1
· NIST SP 800-53 Rev. 4 -1 controls from all security control families

AWS Services/Resources: AWS Certifications, AWS Best Practices & Reference Architectures, Customer Responsibility

NIST 800-53 Controls Alignment: AC-1
AWS Responsibility: AWS has established and communicated an information security framework and policies which have integrated the ISO 27001 certifiable framework based on ISO 27002 controls, American Institute of Certified Public Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and National Institute of Standards and Technology (NIST) Publication 800-53 (Recommended Security Controls for Federal Information Systems). AWS manages third-party relationships in alignment with ISO 27001 standards. AWS Third Party requirements are reviewed by independent external auditors during audits for our PCI DSS, ISO 27001 and FedRAMP compliance.
Customer Responsibility: AWS has established and communicated an information security framework and policies which have integrated the ISO 27001 certifiable framework based on ISO 27002 controls, American Institute of Certified Public Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and National Institute of Standards and Technology (NIST) Publication 800-53 (Recommended Security Controls for Federal Information Systems). AWS manages third-party relationships in alignment with ISO 27001 standards. AWS Third Party requirements are reviewed by independent external auditors during audits for our PCI DSS, ISO 27001 and FedRAMP compliance.

NIST 800-53 Controls Alignment: AU-1
AWS Responsibility: AWS documents, tracks, and monitors its legal, regulatory, and contractual agreements and obligations through the following activities:
1) Identifies and evaluates applicable laws and regulations for each of the jurisdictions in which AWS operates.
2) Documents and implements controls to ensure conformity with all statutory, regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information security policies to protect from loss, destruction, falsification, unauthorized access, and unauthorized release.
4) Informs and continually trains personnel that must be made aware of information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal, regulatory, and contractual requirements. Should a new security directive be issued, AWS has documented plans in place to implement that directive with designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal, regulatory, and contractual requirements through audit reports, attestations, certifications, and other compliance enablers. Visit https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless otherwise prohibited by law. AWS provides customers with the ability to comply with their legal, regulatory and contractual agreements and obligations.
Customer Responsibility: AWS has established and communicated an information security framework and policies which have integrated the ISO 27001 certifiable framework based on ISO 27002 controls, American Institute of Certified Public Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and National Institute of Standards and Technology (NIST) Publication 800-53 (Recommended Security Controls for Federal Information Systems). AWS manages third-party relationships in alignment with ISO 27001 standards. AWS Third Party requirements are reviewed by independent external auditors during audits for our PCI DSS, ISO 27001 and FedRAMP compliance.

NIST 800-53 Controls Alignment: AT-1
AWS Responsibility: AWS has implemented a formal, documented security awareness and training policy and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The security awareness and training policy and procedures are reviewed and updated at least annually, or sooner if required due to information system changes. The policy is disseminated through the internal Amazon communication portal to all employees, vendors, and contractors prior to receiving authorized access to the information system or performing assigned duties.
AWS has developed, documented, and disseminated security awareness and role-based security training for personnel responsible for designing, developing, implementing, operating, maintaining, and monitoring AWS systems. Training includes, but is not limited to, the following information (when relevant to the employee’s role):
• Workforce conduct standards
• Candidate background screening procedures
• Clear desk policy and procedures
• Social engineering, phishing, and malware
• Data handling and protection
• Compliance commitments
• Security precautions while traveling
• How to report security and availability failures, incidents, concerns, and other complaints to appropriate personnel
• How to recognize suspicious communications and anomalous behavior in organizational information systems
• Practical exercises that reinforce training objectives
• International Traffic in Arms Regulations (ITAR) responsibilities
• Contingency planning
• Incident response
AWS captures and retains training records for at least five years.
Customer Responsibility: AWS has established and communicated an information security framework and policies which have integrated the ISO 27001 certifiable framework based on ISO 27002 controls, American Institute of Certified Public Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and National Institute of Standards and Technology (NIST) Publication 800-53 (Recommended Security Controls for Federal Information Systems). AWS manages third-party relationships in alignment with ISO 27001 standards. AWS Third Party requirements are reviewed by independent external auditors during audits for our PCI DSS, ISO 27001 and FedRAMP compliance.

NIST 800-53 Controls Alignment: CM-1
AWS Responsibility: AWS documents, tracks, and monitors its legal, regulatory, and contractual agreements and obligations through the following activities:
1) Identifies and evaluates applicable laws and regulations for each of the jurisdictions in which AWS operates.
2) Documents and implements controls to ensure conformity with all statutory, regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information security policies to protect from loss, destruction, falsification, unauthorized access, and unauthorized release.
4) Informs and continually trains personnel that must be made aware of information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal, regulatory, and contractual requirements. Should a new security directive be issued, AWS has documented plans in place to implement that directive with designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal, regulatory, and contractual requirements through audit reports, attestations, certifications, and other compliance enablers. Visit https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless otherwise prohibited by law. AWS provides customers with the ability to comply with their legal, regulatory and contractual agreements and obligations.
Customer Responsibility: AWS has established and communicated an information security framework and policies which have integrated the ISO 27001 certifiable framework based on ISO 27002 controls, American Institute of Certified Public Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and National Institute of Standards and Technology (NIST) Publication 800-53 (Recommended Security Controls for Federal Information Systems). AWS manages third-party relationships in alignment with ISO 27001 standards. AWS Third Party requirements are reviewed by independent external auditors during audits for our PCI DSS, ISO 27001 and FedRAMP compliance.

NIST 800-53 Controls Alignment: CP-1
AWS Responsibility: AWS documents, tracks, and monitors its legal, regulatory, and contractual agreements and obligations through the following activities:
1) Identifies and evaluates applicable laws and regulations for each of the jurisdictions in which AWS operates.
2) Documents and implements controls to ensure conformity with all statutory, regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information security policies to protect from loss, destruction, falsification, unauthorized access, and unauthorized release.
4) Informs and continually trains personnel that must be made aware of information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal, regulatory, and contractual requirements. Should a new security directive be issued, AWS has documented plans in place to implement that directive with designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal, regulatory, and contractual requirements through audit reports, attestations, certifications, and other compliance enablers. Visit https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless otherwise prohibited by law. AWS provides customers with the ability to comply with their legal, regulatory and contractual agreements and obligations.
Customer Responsibility: AWS has established and communicated an information security framework and policies which have integrated the ISO 27001 certifiable framework based on ISO 27002 controls, American Institute of Certified Public Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and National Institute of Standards and Technology (NIST) Publication 800-53 (Recommended Security Controls for Federal Information Systems). AWS manages third-party relationships in alignment with ISO 27001 standards. AWS Third Party requirements are reviewed by independent external auditors during audits for our PCI DSS, ISO 27001 and FedRAMP compliance.

NIST 800-53 Controls Alignment: IA-1
AWS Responsibility: AWS implements formal, documented policies and procedures that provide guidance for operations and information security within the organization and the supporting AWS environments. Policies address purpose, scope, roles, responsibilities and management commitment. All policies are maintained in a centralized location that is accessible by employees.
Policies are reviewed and approved by AWS leadership at least annually or following a significant change to the AWS environment.
All employees, vendors, and contractors who require a user account must be onboarded through Amazon’s HR management system. As part of the onboarding workflow, the direct manager of the employee, vendor, or contractor requests the establishment of a user account. Group or shared accounts are not permitted within the system boundary. The approved request serves as the approval to establish a user account.
In the event that an active or inactive user does not comply with the above stated policy, their account will be locked.
Customer Responsibility: AWS has established and communicated an information security framework and policies which have integrated the ISO 27001 certifiable framework based on ISO 27002 controls, American Institute of Certified Public Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and National Institute of Standards and Technology (NIST) Publication 800-53 (Recommended Security Controls for Federal Information Systems). AWS manages third-party relationships in alignment with ISO 27001 standards. AWS Third Party requirements are reviewed by independent external auditors during audits for our PCI DSS, ISO 27001 and FedRAMP compliance.

NIST 800-53 Controls Alignment: IR-1
AWS Responsibility: AWS has implemented a formal, documented incident response policy and program. The policy addresses purpose, scope, roles, responsibilities, and management commitment.
AWS uses a three-phased approach to manage incidents:
1. Activation and Notification Phase – Incidents for AWS begin with the detection of an event. Events originate from several sources such as:
• Metrics and alarms – AWS maintains an exceptional situational awareness capability; most issues are rapidly detected from 24x7x365 monitoring and alarming of real time metrics and service dashboards. The majority of incidents are detected in this manner. AWS uses early indicator alarms to proactively identify issues that may ultimately impact customers.
• Trouble tickets entered by an AWS employee.
• Calls to the 24x7x365 technical support hotline.
If the event meets incident criteria, the relevant on-call support engineer uses AWS’s event management tool system to start an engagement and page relevant program resolvers (e.g., AWS Security). The resolvers will perform an analysis of the incident to determine if additional resolvers should be engaged and to determine the approximate root cause.
2. Recovery Phase – The relevant resolvers will perform break fix to address the incident. After addressing troubleshooting, break fix and affected components, the call leader will assign follow-up documentation and follow-up actions and end the call engagement.
3. Reconstitution Phase – The call leader will declare the recovery phase complete after the relevant fix activities have been addressed. The post mortem and deep root cause analysis of the incident will be assigned to the relevant team. The results of the post mortem will be reviewed by relevant senior management and actions captured in a Correction of Errors (COE) document and tracked to completion.
To ensure the effectiveness of the AWS incident response plan, AWS conducts incident response testing. This testing provides excellent coverage for the discovery of previously unknown defects and failure modes. In addition, it allows the AWS Security and service teams to test the systems for potential customer impact and further prepare staff to handle incidents such as detection and analysis, containment, eradication, and recovery, and post-incident activities.
The incident response test plan is executed annually, in conjunction with the
Customer Responsibility: AWS has established and communicated an information security framework and policies which have integrated the ISO 27001 certifiable framework based on ISO 27002 controls, American Institute of Certified Public Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and National Institute of Standards and Technology (NIST) Publication 800-53 (Recommended Security Controls for Federal Information Systems). AWS manages third-party relationships in alignment with ISO 27001 standards. AWS Third Party requirements are reviewed by independent external auditors during audits for our PCI DSS, ISO 27001 and FedRAMP compliance.

NIST 800-53 Controls Alignment: MA-1
AWS Responsibility: AWS documents, tracks, and monitors its legal, regulatory, and contractual agreements and obligations through the following activities:
1) Identifies and evaluates applicable laws and regulations for each of the jurisdictions in which AWS operates.
2) Documents and implements controls to ensure conformity with all statutory, regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information security policies to protect from loss, destruction, falsification, unauthorized access, and unauthorized release.
4) Informs and continually trains personnel that must be made aware of information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal, regulatory, and contractual requirements. Should a new security directive be issued, AWS has documented plans in place to implement that directive with designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal, regulatory, and contractual requirements through audit reports, attestations, certifications, and other compliance enablers. Visit https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless otherwise prohibited by law. AWS provides customers with the ability to comply with their legal, regulatory and contractual agreements and obligations.
Customer Responsibility: AWS has established and communicated an information security framework and policies which have integrated the ISO 27001 certifiable framework based on ISO 27002 controls, American Institute of Certified Public Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and National Institute of Standards and Technology (NIST) Publication 800-53 (Recommended Security Controls for Federal Information Systems). AWS manages third-party relationships in alignment with ISO 27001 standards. AWS Third Party requirements are reviewed by independent external auditors during audits for our PCI DSS, ISO 27001 and FedRAMP compliance.

NIST 800-53 Controls Alignment: MP-1
AWS Responsibility: AWS documents, tracks, and monitors its legal, regulatory, and contractual agreements and obligations through the following activities:
1) Identifies and evaluates applicable laws and regulations for each of the jurisdictions in which AWS operates.
2) Documents and implements controls to ensure conformity with all statutory, regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information security policies to protect from loss, destruction, falsification, unauthorized access, and unauthorized release.
4) Informs and continually trains personnel that must be made aware of information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal, regulatory, and contractual requirements. Should a new security directive be issued, AWS has documented plans in place to implement that directive with designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal, regulatory, and contractual requirements through audit reports, attestations, certifications, and other compliance enablers. Visit https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless otherwise prohibited by law. AWS provides customers with the ability to comply with their legal, regulatory and contractual agreements and obligations.
Customer Responsibility: AWS has established and communicated an information security framework and policies which have integrated the ISO 27001 certifiable framework based on ISO 27002 controls, American Institute of Certified Public Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and National Institute of Standards and Technology (NIST) Publication 800-53 (Recommended Security Controls for Federal Information Systems). AWS manages third-party relationships in alignment with ISO 27001 standards. AWS Third Party requirements are reviewed by independent external auditors during audits for our PCI DSS, ISO 27001 and FedRAMP compliance.

NIST 800-53 Controls Alignment: PS-1
AWS Responsibility: AWS has implemented a formal, documented security awareness and training policy and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The security awareness and training policy and procedures are reviewed and updated at least annually, or sooner if required due to information system changes. The policy is disseminated through the internal Amazon communication portal to all employees, vendors, and contractors prior to receiving authorized access to the information system or performing assigned duties.
AWS has a formal access control policy that is reviewed and updated on an annual basis (or when any major change to the system occurs that impacts the policy). The policy addresses purpose, scope, roles, responsibilities and management commitment. Access control procedures are systematically enforced through proprietary tools.
Procedures exist so that Amazon employee and contractor user accounts are added, modified, or disabled in a timely manner and are reviewed on a periodic basis. In addition, password complexity settings for user authentication to AWS systems are managed in compliance with Amazon’s Corporate Password Policy.
AWS has established formal policies and procedures to delineate standards for logical access to AWS platform and infrastructure hosts. Where permitted by law, AWS requires that all employees undergo a background investigation commensurate with their position and level of access. The policies also identify functional responsibilities for the administration of logical access and security.
Customer Responsibility: AWS has established and communicated an information security framework and policies which have integrated the ISO 27001 certifiable framework based on ISO 27002 controls, American Institute of Certified Public Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and National Institute of Standards and Technology (NIST) Publication 800-53 (Recommended Security Controls for Federal Information Systems). AWS manages third-party relationships in alignment with ISO 27001 standards. AWS Third Party requirements are reviewed by independent external auditors during audits for our PCI DSS, ISO 27001 and FedRAMP compliance.

NIST 800-53 Controls Alignment: PE-1
AWS Responsibility: AWS has implemented a formal, documented physical and environmental protection policy that is updated and reviewed annually.
Policies are reviewed and approved by AWS leadership at least annually or following a significant change to the AWS environment.
AWS maintains relationships with internal and external parties to monitor legal, regulatory, and contractual requirements. Should a new security directive be issued, AWS has documented plans in place to implement that directive with designated timeframes.
Customer Responsibility: AWS has established and communicated an information security framework and policies which have integrated the ISO 27001 certifiable framework based on ISO 27002 controls, American Institute of Certified Public Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and National Institute of Standards and Technology (NIST) Publication 800-53 (Recommended Security Controls for Federal Information Systems). AWS manages third-party relationships in alignment with ISO 27001 standards. AWS Third Party requirements are reviewed by independent external auditors during audits for our PCI DSS, ISO 27001 and FedRAMP compliance.

NIST 800-53 Controls Alignment: PL-1
AWS Responsibility: AWS has established formal policies and procedures to delineate standards for logical access to AWS platform and infrastructure hosts. Where permitted by law, AWS requires that all employees undergo a background investigation commensurate with their position and level of access. The policies also identify functional responsibilities for the administration of logical access and security.
AWS has a formal access control policy that is reviewed and updated on an annual basis (or when any major change to the system occurs that impacts the policy). The policy addresses purpose, scope, roles, responsibilities and management commitment. Access control procedures are systematically enforced through proprietary tools.
Procedures exist so that Amazon employee and contractor user accounts are added, modified, or disabled in a timely manner and are reviewed on a periodic basis. In addition, password complexity settings for user authentication to AWS systems are managed in compliance with Amazon’s Corporate Password Policy.
Customer Responsibility: AWS has established and communicated an information security framework and policies which have integrated the ISO 27001 certifiable framework based on ISO 27002 controls, American Institute of Certified Public Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and National Institute of Standards and Technology (NIST) Publication 800-53 (Recommended Security Controls for Federal Information Systems). AWS manages third-party relationships in alignment with ISO 27001 standards. AWS Third Party requirements are reviewed by independent external auditors during audits for our PCI DSS, ISO 27001 and FedRAMP compliance.

NIST 800-53 Controls Alignment: PM-1
AWS Responsibility: AWS has established an information security management program with designated roles and responsibilities that are appropriately aligned within the organization. AWS management reviews and evaluates the risks identified in the risk management program at least annually. The risk management program encompasses the following phases:
• Identify – The identification phase includes listing out risks (threats and vulnerabilities) that exist in the environment. This phase provides a basis for all other risk management activities.
• Assess – The assessment phase considers the potential impact(s) of identified risks to the business and their likelihood of occurrence and includes an evaluation of internal control effectiveness.
• Mitigate – The mitigate phase includes putting controls, processes, and other physical and virtual safeguards in place to prevent and detect identified and assessed risks.
• Report – The report phase results in risk reports provided to managers with the data they need to make effective business decisions and to comply with internal policies and applicable regulations.
• Monitor – The monitor phase includes AWS Compliance performing monitoring activities to evaluate whether processes, initiatives, functions, and/or activities are mitigating the risk as designed.
Customer Responsibility: AWS has established and communicated an information security framework and policies which have integrated the ISO 27001 certifiable framework based on ISO 27002 controls, American Institute of Certified Public Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and National Institute of Standards and Technology (NIST) Publication 800-53 (Recommended Security Controls for Federal Information Systems). AWS manages third-party relationships in alignment with ISO 27001 standards. AWS Third Party requirements are reviewed by independent external auditors during audits for our PCI DSS, ISO 27001 and FedRAMP compliance.

NIST 800-53 Controls Alignment: RA-1
AWS Responsibility: AWS documents, tracks, and monitors its legal, regulatory, and contractual agreements and obligations through the following activities:
1) Identifies and evaluates applicable laws and regulations for each of the jurisdictions in which AWS operates.
2) Documents and implements controls to ensure conformity with all statutory, regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information security policies to protect from loss, destruction, falsification, unauthorized access, and unauthorized release.
4) Informs and continually trains personnel that must be made aware of information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal, regulatory, and contractual requirements. Should a new security directive be issued, AWS has documented plans in place to implement that directive with designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal, regulatory, and contractual requirements through audit reports, attestations, certifications, and other compliance enablers. Visit https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless otherwise prohibited by law. AWS provides customers with the ability to comply with their legal, regulatory and contractual agreements and obligations.
Customer Responsibility: AWS has established and communicated an information security framework and policies which have integrated the ISO 27001 certifiable framework based on ISO 27002 controls, American Institute of Certified Public Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and National Institute of Standards and Technology (NIST) Publication 800-53 (Recommended Security Controls for Federal Information Systems). AWS manages third-party relationships in alignment with ISO 27001 standards. AWS Third Party requirements are reviewed by independent external auditors during audits for our PCI DSS, ISO 27001 and FedRAMP compliance.

NIST 800-53 Controls Alignment: CA-1
AWS Responsibility: AWS documents, tracks, and monitors its legal, regulatory, and contractual agreements and obligations through the following activities:
1) Identifies and evaluates applicable laws and regulations for each of the jurisdictions in which AWS operates.
2) Documents and implements controls to ensure conformity with all statutory, regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information security policies to protect from loss, destruction, falsification, unauthorized access, and unauthorized release.
4) Informs and continually trains personnel that must be made aware of information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal, regulatory, and contractual requirements. Should a new security directive be issued, AWS has documented plans in place to implement that directive with designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal, regulatory, and contractual requirements through audit reports, attestations, certifications, and other compliance enablers. Visit https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless otherwise prohibited by law. AWS provides customers with the ability to comply with their legal, regulatory and contractual agreements and obligations.
Customer Responsibility: AWS has established and communicated an information security framework and policies which have integrated the ISO 27001 certifiable framework based on ISO 27002 controls, American Institute of Certified Public Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and National Institute of Standards and Technology (NIST) Publication 800-53 (Recommended Security Controls for Federal Information Systems). AWS manages third-party relationships in alignment with ISO 27001 standards. AWS Third Party requirements are reviewed by independent external auditors during audits for our PCI DSS, ISO 27001 and FedRAMP compliance.

NIST 800-53 Controls Alignment: SC-1
AWS Responsibility: AWS documents, tracks, and monitors its legal, regulatory, and contractual agreements and obligations through the following activities:
1) Identifies and evaluates applicable laws and regulations for each of the jurisdictions in which AWS operates.
2) Documents and implements controls to ensure conformity with all statutory, regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information security policies to protect from loss, destruction, falsification, unauthorized access, and unauthorized release.
4) Informs and continually trains personnel that must be made aware of information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal, regulatory, and contractual requirements. Should a new security directive be issued, AWS has documented plans in place to implement that directive with designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal, regulatory, and contractual requirements through audit reports, attestations, certifications, and other compliance enablers. Visit https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless otherwise prohibited by law. AWS provides customers with the ability to comply with their legal, regulatory and contractual agreements and obligations.
Customer Responsibility: AWS has established and communicated an information security framework and policies which have integrated the ISO 27001 certifiable framework based on ISO 27002 controls, American Institute of Certified Public Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and National Institute of Standards and Technology (NIST) Publication 800-53 (Recommended Security Controls for Federal Information Systems). AWS manages third-party relationships in alignment with ISO 27001 standards. AWS Third Party requirements are reviewed by independent external auditors during audits for our PCI DSS, ISO 27001 and FedRAMP compliance.

SI-1
AWS Responsibility: AWS documents, tracks, and monitors its legal, regulatory, and contractual agreements and obligations through the following activities:
1) Identifies and evaluates applicable laws and regulations for each of the jurisdictions in which AWS operates.
2) Documents and implements controls to ensure conformity with all statutory, regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information security policies to protect from loss, destruction, falsification, unauthorized access, and unauthorized release.
4) Informs and continually trains personnel that must be made aware of information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal, regulatory, and contractual requirements. Should a new security directive be issued, AWS has documented plans in place to implement that directive with designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal, regulatory, and contractual requirements through audit reports, attestations, certifications, and other compliance enablers. Visit https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless otherwise prohibited by law. AWS provides customers with the ability to comply with their legal, regulatory and contractual agreements and obligations.
Customer Responsibility: AWS has established and communicated an information security framework and policies which have integrated the ISO 27001 certifiable framework based on ISO 27002 controls, American Institute of Certified Public Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and National Institute of Standards and Technology (NIST) Publication 800-53 (Recommended Security Controls for Federal Information Systems). AWS manages third-party relationships in alignment with ISO 27001 standards. AWS Third Party requirements are reviewed by independent external auditors during audits for our PCI DSS, ISO 27001 and FedRAMP compliance.

SA-1
AWS Responsibility: AWS documents, tracks, and monitors its legal, regulatory, and contractual agreements and obligations through the following activities:
1) Identifies and evaluates applicable laws and regulations for each of the jurisdictions in which AWS operates.
2) Documents and implements controls to ensure conformity with all statutory, regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information security policies to protect from loss, destruction, falsification, unauthorized access, and unauthorized release.
4) Informs and continually trains personnel that must be made aware of information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal, regulatory, and contractual requirements. Should a new security directive be issued, AWS has documented plans in place to implement that directive with designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal, regulatory, and contractual requirements through audit reports, attestations, certifications, and other compliance enablers. Visit https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless otherwise prohibited by law. AWS provides customers with the ability to comply with their legal, regulatory and contractual agreements and obligations.
Customer Responsibility: AWS has established and communicated an information security framework and policies which have integrated the ISO 27001 certifiable framework based on ISO 27002 controls, American Institute of Certified Public Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and National Institute of Standards and Technology (NIST) Publication 800-53 (Recommended Security Controls for Federal Information Systems). AWS manages third-party relationships in alignment with ISO 27001 standards. AWS Third Party requirements are reviewed by independent external auditors during audits for our PCI DSS, ISO 27001 and FedRAMP compliance.

Cybersecurity
Subcategory: ID.GV-2: Information security roles & responsibilities are coordinated and aligned with internal roles and external partners
Informative References:
· CIS CSC 19
· COBIT 5 APO01.02, APO10.03, APO13.02, DSS05.04
· ISA 62443-2-1:2009 4.3.2.3.3
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.1, A.15.1.1
· NIST SP 800-53 Rev. 4 PS-7, PM-1, PM-2
AWS Services/Resources: AWS Certifications, Customer Responsibility
NIST 800-53 Controls Alignment: PM-1
AWS Responsibility: AWS provides security policies and security training to employees to educate them as to their role and responsibilities concerning cybersecurity. Employees who violate Amazon standards or protocols are investigated and appropriate disciplinary action (e.g. warning, performance plan, suspension, and/or termination) is followed. Refer to the AWS Cloud Security Whitepaper for additional details - available at http://aws.amazon.com/security. Refer to ISO 27001 Annex A, domain 7 for additional details. AWS has been validated and certified by an independent auditor to confirm alignment with ISO 27001 certification standard.
Customer Responsibility: AWS customers are responsible for developing and implementing a cybersecurity program that includes roles and responsibilities of internal and external stakeholders, along with methods of communications and coordination.

PM-2
AWS Responsibility: N/A
Customer Responsibility: N/A


PS-7
AWS Responsibility: AWS creates and maintains written agreements with third parties (e.g., contractors or vendors) in accordance with the work or service to be provided (e.g., network services agreement, service delivery agreement, or information exchange agreement) and implements appropriate relationship management mechanisms in line with their relationship to the business. Agreements cover, at a minimum, the following:
• Legal and regulatory requirements applicable to AWS
• User awareness of information security responsibilities and issues
• Arrangements for reporting, notification, and investigation of information security incidents and security breaches
• Target and unacceptable levels of service (e.g., SLA, Operational Level Agreement [OLA])
• Service continuity requirements (e.g., Recovery Time Objective [RTO]), in accordance with AWS business priorities
• Protection of Intellectual Property Rights (IPR) and copyright assignment of
• Conditions for renegotiation/termination of the agreement.
Customer Responsibility: AWS customers are responsible for: 1) Establishing personnel security requirements including security roles and responsibilities for third-party providers, 2) Requiring third-party providers to comply with personnel security policies and procedures established by their organization, 3) Documenting personnel security requirements, 4) Requiring third-party providers to notify organization-defined personnel or roles of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges or who have information system privileges within an organization-defined time period, and 5) Monitoring provider compliance.
IAM Policies allow customers to achieve detailed, least-privilege access management by allowing them to create multiple users within their AWS account, assign them security credentials, and manage their permissions. IAM Roles allow the customer to temporarily delegate access to users or AWS services that normally don't have access to the customer's AWS resources by defining a set of permissions to access the resources that a user or service needs.
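As an added example (not part of the AWS document), the delegation pattern the PS-7 customer responsibility describes: an IAM role that a third-party provider's account may assume, with its trust policy and a least-privilege permissions policy, plus a check that flags the loose variants a practitioner would want to catch before granting access. The account ID, ExternalId and bucket name are constructed placeholders.

```python
"""Added example, not from the AWS document: third-party role delegation with
least privilege, expressed as IAM JSON policy documents, plus a lint that
returns findings for the usual weak spots. All identifiers are placeholders."""
import json

# Trust policy: only the provider's account may assume the role, and only when it
# presents the agreed ExternalId (guards against the confused-deputy problem).
STRICT_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},  # placeholder provider account
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL-ID-PLACEHOLDER"}},
    }],
}

# Permissions policy: only the actions the provider's task needs, on named resources.
STRICT_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [
            "arn:aws:s3:::example-reports-bucket",      # placeholder bucket
            "arn:aws:s3:::example-reports-bucket/*",
        ],
    }],
}

# Contrast: the shape a hurried onboarding often produces (any principal, all actions).
LOOSE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}
LOOSE_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts a single string or a list in Principal/Action/Resource fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_third_party_role(trust_policy, permissions_policy):
    """Return a list of findings; an empty list means both documents pass."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if "*" in principals:
            findings.append("trust: any AWS principal may assume the role")
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in conditions:
            findings.append("trust: no sts:ExternalId condition on sts:AssumeRole")
    for stmt in permissions_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action"))):
            findings.append("permissions: wildcard action grants more than the task needs")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append("permissions: statement applies to every resource")
    return findings


def policy_json(policy):
    """Serialize a policy dict to the JSON form the IAM console or CLI accepts."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for label, trust, perms in [
        ("strict", STRICT_TRUST_POLICY, STRICT_PERMISSIONS_POLICY),
        ("loose", LOOSE_TRUST_POLICY, LOOSE_PERMISSIONS_POLICY),
    ]:
        print(label, check_third_party_role(trust, perms) or "no findings")
    print(policy_json(STRICT_TRUST_POLICY))
```

Pair the role with CloudTrail review of AssumeRole events so that item 5 of the customer responsibility (monitoring provider compliance) has evidence behind it.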

Subcategory: ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
Informative References:
· CIS CSC 19
· COBIT 5 BAI02.01, MEA03.01, MEA03.04
· ISA 62443-2-1:2009 4.4.3.7
· ISO/IEC 27001:2013 A.18.1.1, A.18.1.2, A.18.1.3, A.18.1.4, A.18.1.5
· NIST SP 800-53 Rev. 4 -1 controls from all security control families
AWS Services/Resources: AWS Certifications, Customer Responsibility
NIST 800-53 Controls Alignment: AC-1
AWS Responsibility: AWS implements formal, documented policies and procedures that provide guidance for operations and information security within the organization and the supporting AWS environments. Policies address purpose, scope, roles, responsibilities, and management commitment. All policies are maintained in a centralized location that is accessible by employees.
Customer Responsibility: AWS customers are responsible for developing, documenting, maintaining, disseminating, and implementing an access control policy and supporting procedures. AWS customers are responsible for reviewing and updating the policy and procedures at a frequency defined by their organization.

AU-1
AWS Responsibility: AWS documents, tracks, and monitors its legal, regulatory, and contractual agreements and obligations through the following activities:
1) Identifies and evaluates applicable laws and regulations for each of the jurisdictions in which AWS operates.
2) Documents and implements controls to ensure conformity with all statutory, regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information security policies to protect from loss, destruction, falsification, unauthorized access, and unauthorized release.
4) Informs and continually trains personnel that must be made aware of information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal, regulatory, and contractual requirements. Should a new security directive be issued, AWS has documented plans in place to implement that directive with designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal, regulatory, and contractual requirements through audit reports, attestations, certifications, and other compliance enablers. Visit https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless otherwise prohibited by law. AWS provides customers with the ability to comply with their legal, regulatory and contractual agreements and obligations.
Customer Responsibility: AWS customers are responsible for developing, documenting, maintaining, disseminating, and implementing an audit and accountability policy along with supporting procedures. AWS customers are responsible for reviewing and updating the policy and procedures at a frequency defined by their organization.
More information on implementing logging with an AWS account is available at https://aws.amazon.com/whitepapers/security-at-scale-logging-in-aws/ and http://aws.amazon.com/cloudtrail/

AT-1
AWS Responsibility: AWS has implemented a formal, documented security awareness and training policy and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The security awareness and training policy and procedures are reviewed and updated at least annually, or sooner if required due to information system changes. The policy is disseminated through the internal Amazon communication portal to all employees, vendors, and contractors prior to receiving authorized access to the information system or performing assigned duties.
AWS has developed, documented, and disseminated security awareness and role-based security training for personnel responsible for designing, developing, implementing, operating, maintaining, and monitoring AWS systems. Training includes, but is not limited to, the following information (when relevant to the employee’s role):
• Workforce conduct standards
• Candidate background screening procedures
• Clear desk policy and procedures
• Social engineering, phishing, and malware
• Data handling and protection
• Compliance commitments
• Security precautions while traveling
• How to report security and availability failures, incidents, concerns, and other complaints to appropriate personnel
• How to recognize suspicious communications and anomalous behavior in organizational information systems
• Practical exercises that reinforce training objectives
• International Traffic in Arms Regulations (ITAR) responsibilities
• Contingency planning
• Incident response
AWS captures and retains training records for at least five years.
Customer Responsibility: AWS customers are responsible for developing, documenting, maintaining, disseminating, and implementing a security awareness and training policy along with supporting procedures. AWS customers are responsible for reviewing and updating the policy and procedures at a frequency defined by their organization.

CM-1
AWS Responsibility: AWS documents, tracks, and monitors its legal, regulatory, and contractual agreements and obligations through the following activities:
1) Identifies and evaluates applicable laws and regulations for each of the jurisdictions in which AWS operates.
2) Documents and implements controls to ensure conformity with all statutory, regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information security policies to protect from loss, destruction, falsification, unauthorized access, and unauthorized release.
4) Informs and continually trains personnel that must be made aware of information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal, regulatory, and contractual requirements. Should a new security directive be issued, AWS has documented plans in place to implement that directive with designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal, regulatory, and contractual requirements through audit reports, attestations, certifications, and other compliance enablers. Visit https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless otherwise prohibited by law. AWS provides customers with the ability to comply with their legal, regulatory and contractual agreements and obligations.
Customer Responsibility: AWS customers are responsible for developing, documenting, maintaining, disseminating, and implementing a configuration management policy along with supporting procedures. AWS customers are responsible for reviewing and updating the policy and procedures at a frequency defined by their organization.

CP-1
AWS Responsibility: AWS documents, tracks, and monitors its legal, regulatory, and contractual agreements and obligations through the following activities:
1) Identifies and evaluates applicable laws and regulations for each of the jurisdictions in which AWS operates.
2) Documents and implements controls to ensure conformity with all statutory, regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information security policies to protect from loss, destruction, falsification, unauthorized access, and unauthorized release.
4) Informs and continually trains personnel that must be made aware of information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal, regulatory, and contractual requirements. Should a new security directive be issued, AWS has documented plans in place to implement that directive with designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal, regulatory, and contractual requirements through audit reports, attestations, certifications, and other compliance enablers. Visit https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless otherwise prohibited by law. AWS provides customers with the ability to comply with their legal, regulatory and contractual agreements and obligations.
Customer Responsibility: AWS customers are responsible for developing, documenting, maintaining, disseminating, and implementing a contingency planning policy along with supporting procedures. AWS customers are responsible for reviewing and updating the policy and procedures at a frequency defined by their organization.

IA-1
AWS Responsibility: AWS implements formal, documented policies and procedures that provide guidance for operations and information security within the organization and the supporting AWS environments. Policies address purpose, scope, roles, responsibilities and management commitment. All policies are maintained in a centralized location that is accessible by employees.

Policies are reviewed and approved by AWS leadership at least annually or following a significant change to the AWS environment.

All employees, vendors, and contractors who require a user account must be on-boarded through Amazon’s HR management system. As part of the onboarding workflow, the direct manager of the employee, vendor, or contractor requests the establishment of a user account. Group or shared accounts are not permitted within the system boundary. The approved request serves as the approval to establish a user account.

In the event that an active or inactive user does not comply with the above stated policy, their account will be locked.
Customer Responsibility: AWS customers are responsible for developing, documenting, maintaining, disseminating, and implementing an identification and authentication policy along with supporting procedures. AWS customers are responsible for reviewing and updating the policy and procedures at a frequency defined by their organization.

IR-1
AWS Responsibility: AWS has implemented a formal, documented incident response policy and program. The policy addresses purpose, scope, roles, responsibilities, and management commitment.
AWS uses a three-phased approach to manage incidents:
1. Activation and Notification Phase – Incidents for AWS begin with the detection of an event. Events originate from several sources such as:
• Metrics and alarms – AWS maintains an exceptional situational awareness capability; most issues are rapidly detected from 24x7x365 monitoring and alarming of real time metrics and service dashboards. The majority of incidents are detected in this manner. AWS uses early indicator alarms to proactively identify issues that may ultimately impact customers.
• Trouble tickets entered by an AWS employee.
• Calls to the 24x7x365 technical support hotline.
If the event meets incident criteria, the relevant on-call support engineer uses AWS’s event management tool system to start an engagement and page relevant program resolvers (e.g., AWS Security). The resolvers will perform an analysis of the incident to determine if additional resolvers should be engaged and to determine the approximate root cause.
2. Recovery Phase – The relevant resolvers will perform break fix to address the incident. After addressing troubleshooting, break fix and affected components, the call leader will assign follow-up documentation and follow-up actions and end the call engagement.
3. Reconstitution Phase – The call leader will declare the recovery phase complete after the relevant fix activities have been addressed. The post mortem and deep root cause analysis of the incident will be assigned to the relevant team. The results of the post mortem will be reviewed by relevant senior management, and actions are captured in a Correction of Errors (COE) document and tracked to completion.
To ensure the effectiveness of the AWS incident response plan, AWS conducts incident response testing. This testing provides excellent coverage for the discovery of previously unknown defects and failure modes. In addition, it allows the AWS Security and service teams to test the systems for potential customer impact and further prepare staff to handle incidents such as detection and analysis, containment, eradication, and recovery, and post-incident activities.
The incident response test plan is executed annually, in conjunction with the
Customer Responsibility: AWS customers are responsible for developing, documenting, maintaining, disseminating, and implementing an incident response policy along with supporting procedures. AWS customers are responsible for reviewing and updating the policy and procedures at a frequency defined by their organization.

MA-1
AWS Responsibility: AWS documents, tracks, and monitors its legal, regulatory, and contractual agreements and obligations through the following activities:
1) Identifies and evaluates applicable laws and regulations for each of the jurisdictions in which AWS operates.
2) Documents and implements controls to ensure conformity with all statutory, regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information security policies to protect from loss, destruction, falsification, unauthorized access, and unauthorized release.
4) Informs and continually trains personnel that must be made aware of information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal, regulatory, and contractual requirements. Should a new security directive be issued, AWS has documented plans in place to implement that directive with designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal, regulatory, and contractual requirements through audit reports, attestations, certifications, and other compliance enablers. Visit https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless otherwise prohibited by law. AWS provides customers with the ability to comply with their legal, regulatory and contractual agreements and obligations.
Customer Responsibility: AWS customers are responsible for developing, documenting, maintaining, disseminating, and implementing a maintenance policy along with supporting procedures. AWS customers are responsible for reviewing and updating the policy and procedures at a frequency defined by their organization.

MP-1
AWS Responsibility: AWS documents, tracks, and monitors its legal, regulatory, and contractual agreements and obligations through the following activities:
1) Identifies and evaluates applicable laws and regulations for each of the jurisdictions in which AWS operates.
2) Documents and implements controls to ensure conformity with all statutory, regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information security policies to protect from loss, destruction, falsification, unauthorized access, and unauthorized release.
4) Informs and continually trains personnel that must be made aware of information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal, regulatory, and contractual requirements. Should a new security directive be issued, AWS has documented plans in place to implement that directive with designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal, regulatory, and contractual requirements through audit reports, attestations, certifications, and other compliance enablers. Visit https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless otherwise prohibited by law. AWS provides customers with the ability to comply with their legal, regulatory and contractual agreements and obligations.
Customer Responsibility: N/A

PS-1
AWS Responsibility: AWS has implemented a formal, documented security awareness and training policy and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The security awareness and training policy and procedures are reviewed and updated at least annually, or sooner if required due to information system changes. The policy is disseminated through the internal Amazon communication portal to all employees, vendors, and contractors prior to receiving authorized access to the information system or performing assigned duties.

AWS has a formal access control policy that is reviewed and updated on an annual basis (or when any major change to the system occurs that impacts the policy). The policy addresses purpose, scope, roles, responsibilities and management commitment. Access control procedures are systematically enforced through proprietary tools.

Procedures exist so that Amazon employee and contractor user accounts are added, modified, or disabled in a timely manner and are reviewed on a periodic basis. In addition, password complexity settings for user authentication to AWS systems are managed in compliance with Amazon’s Corporate Password Policy.

AWS has established formal policies and procedures to delineate standards for logical access to AWS platform and infrastructure hosts. Where permitted by law, AWS requires that all employees undergo a background investigation commensurate with their position and level of access. The policies also identify functional responsibilities for the administration of logical access and security.
Customer Responsibility: AWS customers are responsible for developing, documenting, maintaining, disseminating, and implementing a personnel security policy along with supporting procedures. AWS customers are responsible for reviewing and updating the policy and procedures at a frequency defined by their organization.

PE-1
AWS Responsibility: AWS has implemented a formal, documented physical and environmental protection policy that is updated and reviewed annually.

Policies are reviewed and approved by AWS leadership at least annually or following a significant change to the AWS environment.

AWS maintains relationships with internal and external parties to monitor legal, regulatory, and contractual requirements. Should a new security directive be issued, AWS has documented plans in place to implement that directive with designated timeframes.
Customer Responsibility: N/A

PL-1
AWS Responsibility: AWS has established formal policies and procedures to delineate standards for logical access to AWS platform and infrastructure hosts. Where permitted by law, AWS requires that all employees undergo a background investigation commensurate with their position and level of access. The policies also identify functional responsibilities for the administration of logical access and security.

AWS has a formal access control policy that is reviewed and updated on an annual basis (or when any major change to the system occurs that impacts the policy). The policy addresses purpose, scope, roles, responsibilities and management commitment. Access control procedures are systematically enforced through proprietary tools.

Procedures exist so that Amazon employee and contractor user accounts are added, modified, or disabled in a timely manner and are reviewed on a periodic basis. In addition, password complexity settings for user authentication to AWS systems are managed in compliance with Amazon’s Corporate Password Policy.
Customer Responsibility: AWS customers are responsible for developing, documenting, maintaining, disseminating, and implementing a security planning policy along with supporting procedures. AWS customers are responsible for reviewing and updating the policy and procedures at a frequency defined by the organization.

PM-1
AWS Responsibility: AWS has established an information security management program with designated roles and responsibilities that are appropriately aligned within the organization. AWS management reviews and evaluates the risks identified in the risk management program at least annually. The risk management program encompasses the following phases:
• Identify – The identification phase includes listing out risks (threats and vulnerabilities) that exist in the environment. This phase provides a basis for all other risk management activities.
• Assess – The assessment phase considers the potential impact(s) of identified risks to the business and its likelihood of occurrence and includes an evaluation of internal control effectiveness.
• Mitigate – The mitigate phase includes putting controls, processes, and other physical and virtual safeguards in place to prevent and detect identified and assessed risks.
• Report – The report phase results in risk reports provided to managers with the data they need to make effective business decisions and to comply with internal policies and applicable regulations.
• Monitor – The monitor phase includes AWS Compliance performing monitoring activities to evaluate whether processes, initiatives, functions, and/or activities are mitigating the risk as designed.
Customer Responsibility: N/A

RA-1
AWS Responsibility: AWS documents, tracks, and monitors its legal, regulatory, and contractual agreements and obligations through the following activities:
1) Identifies and evaluates applicable laws and regulations for each of the jurisdictions in which AWS operates.
2) Documents and implements controls to ensure conformity with all statutory, regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information security policies to protect from loss, destruction, falsification, unauthorized access, and unauthorized release.
4) Informs and continually trains personnel that must be made aware of information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal, regulatory, and contractual requirements. Should a new security directive be issued, AWS has documented plans in place to implement that directive with designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal, regulatory, and contractual requirements through audit reports, attestations, certifications, and other compliance enablers. Visit https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless otherwise prohibited by law. AWS provides customers with the ability to comply with their legal, regulatory and contractual agreements and obligations.
Customer Responsibility: AWS customers are responsible for developing, documenting, maintaining, disseminating, and implementing a risk assessment policy along with supporting procedures. AWS customers are responsible for reviewing and updating the policy and procedures at a frequency defined by their organization.

NIST 800-53 Control: CA-1
AWS Responsibility: AWS documents, tracks, and monitors its legal, regulatory, and contractual agreements and obligations through the following activities:
1) Identifies and evaluates applicable laws and regulations for each of the jurisdictions in which AWS operates.
2) Documents and implements controls to ensure conformity with all statutory, regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information security policies to protect from loss, destruction, falsification, unauthorized access, and unauthorized release.
4) Informs and continually trains personnel that must be made aware of information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal, regulatory, and contractual requirements. Should a new security directive be issued, AWS has documented plans in place to implement that directive within designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal, regulatory, and contractual requirements through audit reports, attestations, certifications, and other compliance enablers. Visit https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless otherwise prohibited by law. AWS provides customers with the ability to comply with their legal, regulatory and contractual agreements and obligations.
Customer Responsibility: AWS customers are responsible for developing, documenting, maintaining, disseminating, and implementing a security assessment and authorization policy along with supporting procedures. AWS customers are responsible for reviewing and updating the policy and procedures at a frequency defined by their organization.

NIST 800-53 Control: SC-1
AWS Responsibility: AWS documents, tracks, and monitors its legal, regulatory, and contractual agreements and obligations through the following activities:
1) Identifies and evaluates applicable laws and regulations for each of the jurisdictions in which AWS operates.
2) Documents and implements controls to ensure conformity with all statutory, regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information security policies to protect from loss, destruction, falsification, unauthorized access, and unauthorized release.
4) Informs and continually trains personnel that must be made aware of information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal, regulatory, and contractual requirements. Should a new security directive be issued, AWS has documented plans in place to implement that directive within designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal, regulatory, and contractual requirements through audit reports, attestations, certifications, and other compliance enablers. Visit https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless otherwise prohibited by law. AWS provides customers with the ability to comply with their legal, regulatory and contractual agreements and obligations.
Customer Responsibility: AWS customers are responsible for developing, documenting, maintaining, disseminating, and implementing a system and communications protection policy along with supporting procedures. AWS customers are responsible for reviewing and updating the policy and procedures at a frequency defined by their organization.

NIST 800-53 Control: SI-1
AWS Responsibility: AWS documents, tracks, and monitors its legal, regulatory, and contractual agreements and obligations through the following activities:
1) Identifies and evaluates applicable laws and regulations for each of the jurisdictions in which AWS operates.
2) Documents and implements controls to ensure conformity with all statutory, regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information security policies to protect from loss, destruction, falsification, unauthorized access, and unauthorized release.
4) Informs and continually trains personnel that must be made aware of information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal, regulatory, and contractual requirements. Should a new security directive be issued, AWS has documented plans in place to implement that directive within designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal, regulatory, and contractual requirements through audit reports, attestations, certifications, and other compliance enablers. Visit https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless otherwise prohibited by law. AWS provides customers with the ability to comply with their legal, regulatory and contractual agreements and obligations.
Customer Responsibility: AWS customers are responsible for developing, documenting, maintaining, disseminating, and implementing a system and information integrity policy along with supporting procedures. AWS customers are responsible for reviewing and updating the policy and procedures at a frequency defined by their organization.

NIST 800-53 Control: SA-1
AWS Responsibility: AWS documents, tracks, and monitors its legal, regulatory, and contractual agreements and obligations through the following activities:
1) Identifies and evaluates applicable laws and regulations for each of the jurisdictions in which AWS operates.
2) Documents and implements controls to ensure conformity with all statutory, regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information security policies to protect from loss, destruction, falsification, unauthorized access, and unauthorized release.
4) Informs and continually trains personnel that must be made aware of information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal, regulatory, and contractual requirements. Should a new security directive be issued, AWS has documented plans in place to implement that directive within designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal, regulatory, and contractual requirements through audit reports, attestations, certifications, and other compliance enablers. Visit https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless otherwise prohibited by law. AWS provides customers with the ability to comply with their legal, regulatory and contractual agreements and obligations.
Customer Responsibility: AWS customers are responsible for developing, documenting, maintaining, disseminating, and implementing a system and services acquisition policy along with supporting procedures. AWS customers are responsible for reviewing and updating the policy and procedures at a frequency defined by their organization.
Subcategory: ID.GV-4: Governance and risk management processes address cybersecurity risks
Informative References: · COBIT 5 EDM03.02, APO12.02, APO12.05, DSS04.02 · ISA 62443-2-1:2009 4.2.3.1, 4.2.3.3, 4.2.3.8, 4.2.3.9, 4.2.3.11, 4.3.2.4.3, 4.3.2.6.3 · ISO/IEC 27001:2013 Clause 6 · NIST SP 800-53 Rev. 4 SA-2, PM-3, PM-7, PM-9, PM-10, PM-11
AWS Services/Resources: AWS Certifications, Customer Responsibility

NIST 800-53 Control: PM-10
AWS Responsibility: AWS management leads an information security program that identifies and establishes security goals that are relevant to business requirements. Annual evaluations are performed to allocate the resources necessary for performing information security activities within AWS to meet or exceed customer and service specifications. AWS leadership review input includes:
• Results of audits and reviews.
• Feedback from interested parties.
• Techniques, products, or procedures that could be used in the organization to improve security, quality, system performance, and effectiveness.
• Status of preventative and corrective actions.
• Vulnerabilities or threats not adequately addressed in the previous risk assessment.
• Results from effectiveness measurements.
• Follow-up actions from previous leadership reviews.
• Any changes that could affect the ISMS.
• Recommendations for improvement.
• Customer feedback.
Customer Responsibility: N/A

NIST 800-53 Control: PM-11 (AWS Responsibility: N/A; Customer Responsibility: N/A)
NIST 800-53 Control: PM-3 (AWS Responsibility: N/A; Customer Responsibility: N/A)
NIST 800-53 Control: PM-7 (AWS Responsibility: N/A; Customer Responsibility: N/A)
NIST 800-53 Control: PM-9 (AWS Responsibility: N/A; Customer Responsibility: N/A)

NIST 800-53 Control: SA-2
AWS Responsibility: The output of AWS leadership reviews includes any decisions or actions related to the following:
• Improvement of the effectiveness of the ISMS.
• Update of the risk assessment and risk treatment plan.
• Modification of procedures and controls that affect information security, as necessary, to respond to internal or external events that may impact the ISMS. This includes changes to business requirements, security requirements, business processes affecting the existing business requirements, regulatory or legal requirements, contractual obligations, levels of risk, and/or criteria for accepting risk.
• Resource needs.
• Improvement in how the effectiveness of controls is being measured.
Customer Responsibility: AWS customers are responsible for: 1) Determining information security requirements for the information system or information system service in mission/business process planning, 2) Determining, documenting, and allocating the resources required to protect the information system or information system service as part of its capital planning and investment control process, and 3) Establishing a discrete line item for information security in organizational programming and budgeting documentation.

Category: Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
Subcategory: ID.RA-1: Asset vulnerabilities are identified and documented
Informative References: · CIS CSC 4 · COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04, DSS05.01, DSS05.02 · ISA 62443-2-1:2009 4.2.3, 4.2.3.7, 4.2.3.9, 4.2.3.12 · ISO/IEC 27001:2013 A.12.6.1, A.18.2.3 · NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5
AWS Services/Resources: AWS Certifications, Customer Responsibility

NIST 800-53 Control: CA-2
AWS Responsibility: The AWS Compliance Assessment Team (CAT) maintains a documented audit schedule of internal and external assessments to ensure implementation and operating effectiveness of the AWS control environment to meet business, regulatory, and contractual objectives.
The needs and expectations of internal and external parties are considered throughout the development, implementation, and auditing of the AWS control environment. Parties include, but are not limited to:
• AWS customers, including customers with a contractual interest and potential customers.
• External parties to AWS, including regulatory bodies such as the external auditors and certifying agents.
• Internal parties such as AWS services and infrastructure teams, security, legal, and overarching administrative and corporate teams.
Customer Responsibility: AWS customers are responsible for conducting security assessments for their systems. Within this context and in accordance with their security assessment and authorization policy, AWS customers are responsible for: 1) Developing a security assessment plan that describes the security controls and control enhancements under assessment, assessment procedures used to determine effectiveness, the assessment environment, the assessment team, and the assessment roles and responsibilities, 2) Assessing security controls in their system and its environment of operation at an organization-defined frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements, 3) Producing a security assessment report that documents the results of the assessment, and 4) Providing the results of the security control assessment to their organization-defined individuals or roles.

NIST 800-53 Control: CA-7
AWS Responsibility: AWS conducts monthly monitoring of its security posture through a continuous risk assessment and monitoring process. Additionally, annual security assessments are conducted by an accredited Third-Party Assessment Organization (3PAO) to validate that implemented security controls continue to be effective. Security assessments that include a risk analysis and a Plan of Action and Milestones (POA&M) are submitted to authorizing officials for review and approval.
Customer Responsibility: AWS customers are responsible for developing a continuous monitoring strategy and implementing a continuous monitoring program in accordance with their security assessment and authorization policy that defines: 1) Metrics to be monitored, 2) Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for conducting and receiving continuous monitoring analysis information. Pursuant to this continuous monitoring program, AWS customers are responsible for: 1) Establishing and configuring monitoring for defined metrics, 2) Monitoring and conducting assessments at organization-defined frequencies, 3) Conducting ongoing security control assessments, 4) Conducting ongoing security status monitoring of their organization-defined metrics, 5) Correlating and analyzing security-related information generated by assessments and monitoring, 6) Taking appropriate response actions to address the results of the analysis of security-related information, and 7) Reporting the security status of their organization and the information system to the organization-defined personnel or roles at the organization-defined frequency.

NIST 800-53 Control: CA-8
AWS Responsibility: AWS Security notifies and coordinates with the appropriate service teams when conducting security-related activities within the system boundary. Activities include vulnerability scanning, contingency testing, and incident response exercises. AWS performs external vulnerability assessments at least quarterly, and identified issues are investigated and tracked to resolution. Additionally, AWS performs unannounced penetration tests by engaging independent third parties to probe the defenses and device configuration settings within the system.
AWS Security teams also subscribe to newsfeeds for applicable vendor flaws and proactively monitor vendors' websites and other relevant outlets for new patches.
AWS customers also have the ability to report issues to AWS via the AWS Vulnerability Reporting website at http://aws.amazon.com/security/vulnerability-reporting/.
Customer Responsibility: AWS customers are responsible for conducting penetration testing on organization-defined systems or system components at a frequency prescribed by their security assessment and authorization policy.

NIST 800-53 Control: RA-3
AWS Responsibility: AWS performs a continuous risk assessment process to identify, evaluate and mitigate risks across the company. The process involves developing and implementing risk treatment plans to mitigate risks as necessary. The AWS risk management team monitors and escalates risks on a continuous basis, performing risk assessments on newly implemented controls at least every six months.
Customer Responsibility: AWS customers are responsible for: 1) Conducting an assessment of risk to include the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction of their information system and the information it processes, stores, or transmits, 2) Documenting risk assessment results in the system plan, security assessment report, or other organization-defined document, 3) Reviewing risk assessment results at an organization-defined frequency, 4) Disseminating risk assessment results to organization-defined personnel or roles, and 5) Updating the risk assessment at an organization-defined frequency or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities) or other conditions that may impact the security state of the system.

NIST 800-53 Control: RA-5
AWS Responsibility: AWS Security notifies and coordinates with the appropriate service teams when conducting security-related activities within the system boundary. Activities include vulnerability scanning, contingency testing, and incident response exercises. AWS performs external vulnerability assessments at least quarterly, and identified issues are investigated and tracked to resolution. Additionally, AWS performs unannounced penetration tests by engaging independent third parties to probe the defenses and device configuration settings within the system.
AWS Security teams also subscribe to newsfeeds for applicable vendor flaws and proactively monitor vendors' websites and other relevant outlets for new patches.
AWS customers also have the ability to report issues to AWS via the AWS Vulnerability Reporting website at http://aws.amazon.com/security/vulnerability-reporting/.
Customer Responsibility: AWS customers are responsible for: 1) Scanning for vulnerabilities in their information system and hosted applications at an organization-defined frequency and/or randomly in accordance with their organization-defined process and when new vulnerabilities potentially affecting the system/applications are identified and reported; 2) Employing vulnerability scanning tools and techniques that promote interoperability among tools and automated parts of the vulnerability management process by using standards for: a) Enumerating platforms, software flaws, and improper configurations, b) Formatting and making transparent checklists and test procedures, and c) Measuring vulnerability impact; 3) Analyzing vulnerability scan reports and results from security control assessments; 4) Remediating legitimate vulnerabilities within organization-defined response times in accordance with an organizational assessment of risk; and 5) Sharing information obtained from the vulnerability scanning process and security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

Prior to conducting penetration testing or vulnerability scanning activities, AWS customers are required to request authorization through the following URL: https://aws.amazon.com/security/penetration-testing/.

RDS Specific (Postgres, MySQL, MariaDB, SQL Server, Aurora, Oracle): AWS Customers are responsible for meeting scanning requirements on their databases in accordance with organization-defined frequency and/or when new vulnerabilities have been identified. Also, AWS Customers are required to remediate legitimate findings within the organization-defined timeframe.

DynamoDB Specific: This service is a fully managed cloud NoSQL database service. AWS Customers offload database management tasks such as hardware or software provisioning, setup and configuration,

NIST 800-53 Control: SA-11
AWS Responsibility: AWS applies a systematic approach to managing change to ensure that all changes to a production environment are reviewed, tested, and approved. Facilities, equipment, and software components of production operations are identified throughout their lifecycle to ensure that only acceptable components are used in production.
The development, test and production environments emulate the production system environment and are used to properly assess and prepare for the impact of a change to the production system environment. In order to reduce the risks of unauthorized access or change to the production environment, the development, test and production environments are logically separated. In order to apply changes to the AWS production environments, AWS service teams must first run a full set of tests in the test environment, and the testing methodology must be documented.
The AWS service, including application programming interfaces (APIs), is labeled and marked by identifiers. Facilities, equipment, and software components are tracked such that quality-impacting issues and errors are traceable to related components.
Customer Responsibility: AWS customers are responsible for requiring the developer of their information system, system component, or information system service to: 1) Create and implement a security assessment plan, 2) Perform unit, integration, system, and/or regression testing/evaluation at organization-defined depth and coverage, 3) Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation, 4) Implement a verifiable flaw remediation process, and 5) Correct flaws identified during security testing/evaluation.

NIST 800-53 Control: SA-5
AWS Responsibility: AWS documents, tracks and monitors its legal, regulatory and contractual agreements and obligations. In order to do so, AWS performs and maintains the following activities:
1) Identifies and evaluates applicable laws and regulations for each of the jurisdictions in which AWS operates
2) Documents and implements controls to ensure conformity with all statutory, regulatory and contractual requirements relevant to AWS
3) Categorizes the sensitivity of information according to the AWS information security policies to protect from loss, destruction, falsification, unauthorized access and unauthorized release
4) Informs and continually trains personnel that must be made aware of information security policies to protect sensitive AWS information
5) Monitors for nonconformities to the information security policies with a process in place to take corrective actions and enforce appropriate disciplinary action
AWS maintains relationships with internal and external parties to monitor legal, regulatory, and contractual requirements. Should a new security directive be issued, AWS has documented plans in place to implement that directive within designated timeframes.
AWS provides Customers with evidence of its compliance with applicable legal, regulatory, and contractual requirements through audit reports, attestations, certifications and other compliance enablers. Visit aws.amazon.com/compliance/resources for additional information.
Customer Responsibility: AWS customers are responsible for: 1) Obtaining administrator documentation for their systems, system components, or information system services that describes: a) Secure configuration, installation, and operation of the system, component, or service, b) Effective use and maintenance of security functions/mechanisms, and c) Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; 2) Obtaining user documentation for their systems, system components, or information system services that describes: a) User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms, b) Methods for user interaction that enables individuals to use the system, component, or service in a more secure manner, and c) User responsibilities in maintaining the security of the system, component, or service; 3) Documenting attempts to obtain information system, system component, or information system service documentation for their systems when such documentation is either unavailable or nonexistent and taking organization-defined actions in response; 4) Protecting documentation as required and in accordance with their system and services acquisition policy; and 5) Distributing documentation to organization-defined personnel or roles.

NIST 800-53 Control: SI-2
AWS Responsibility: AWS Security performs regular vulnerability scans on the host operating system, web application, and databases in the AWS environment using a variety of tools. External vulnerability assessments are conducted by an AWS approved third party vendor at least annually, and identified issues are investigated and tracked to resolution. Vulnerabilities that are identified are monitored and evaluated and countermeasures are designed, implemented, and operated to compensate for known and newly identified vulnerabilities.
Customer Responsibility: AWS customers are responsible for: 1) Identifying, reporting, and correcting information system flaws, 2) Testing software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation, 3) Installing security-relevant software and firmware updates within an organization-defined time period of the release of the updates, and 4) Incorporating flaw remediation into the organizational configuration management process.

RDS Specific (MySQL, MariaDB, SQL Server and Postgres): AWS Customers are responsible for identifying, reporting, and patching their database engines. The RDS service notifies AWS customers through AWS announcements and email announcements whenever a new version is available. The customer will be able to go through the management console or CLI to update their particular RDS engine (Update options: Update Now or Update in the next maintenance window). The AWS Customer is responsible for performing tests on updated RDS engine versions before deploying to their environment to mitigate any potential performance issues.

RDS Specific (Oracle): AWS Customers are responsible for identifying, reporting, and patching their database engines. The RDS service notifies AWS customers through AWS announcements and email announcements whenever a new RDS engine version is available. Please note, RDS Oracle engines and patches have a vendor dependency. RDS Oracle updates rely on the vendor to merge AWS customized patches with Oracle releases to ensure all functionality is kept. Once a merged patch is created and validated, AWS will make the engine version available for customers. The customer will be able to go through the management console or CLI to update their particular RDS engine (Update options: Update Now or Update in the next maintenance window). The AWS Customer is responsible for performing tests on updated RDS (Oracle) engine versions before deploying to their environment to mitigate any potential performance issues.
NIST 800-53 Control: SI-4
AWS Responsibility: AWS deploys monitoring devices throughout the environment to collect critical information on unauthorized intrusion attempts, usage abuse, and network and application bandwidth usage. Monitoring devices are placed within the AWS environment to detect and monitor for:
• Port scanning attacks
• Usage (CPU, Processes, disk utilization, swap rates, and errors in software generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools show indications of compromise or potential compromise, based upon threshold alarming mechanisms determined by AWS service and Security teams.
External access to data stored in Amazon S3 is logged. The logs are retained for at least 90 days and include relevant access request information such as the data accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account's AWS CloudTrail bucket in Amazon S3. The logged requests provide information about who made the request and under which CMK and will also describe information about the AWS resource that was protected through the use of the CMK. These log events are visible to the customer after turning on AWS CloudTrail in their account.
Customer Responsibility: AWS customers are responsible for: 1) Monitoring their information system to detect: a) Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives and b) Unauthorized local, network, and remote connections; 2) Identifying unauthorized use of the information system through organization-defined techniques and methods; 3) Deploying monitoring devices: a) Strategically within the information system to collect organization-determined essential information and b) At ad hoc locations within the system to track specific types of transactions of interest to their organization; 4) Protecting information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; 5) Heightening the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; 6) Obtaining legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and 7) Providing organization-defined information system monitoring information to organization-defined personnel or roles as needed or in accordance with an organization-defined frequency.
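The SI-4 entry says every KMS request reaches the account's CloudTrail bucket together with the caller, the CMK used and the resource protected under it, and makes identifying unauthorized use the customer's job. The following added example (not code from the AWS document) reads a CloudTrail log in that record format, summarizes key usage per principal and flags denied calls, destructive key-management calls and callers outside a per-CMK allow list; the account id, ARNs, sample records and allow list are constructed values.

```python
"""Added example: triage of KMS calls in a CloudTrail log (SI-4).

A CloudTrail record names the caller (userIdentity.arn), the KMS API
(eventName), the CMK (resources[].ARN) and, when a service encrypted data on
the customer's behalf, an encryptionContext that points at the protected
resource. Everything below is constructed for illustration.
"""
import json
from collections import Counter, defaultdict

ACCOUNT = "111122223333"  # constructed account id
KEY_A = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/aaaaaaaa-0000-4000-8000-000000000001"
KEY_B = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/bbbbbbbb-0000-4000-8000-000000000002"
APP_ROLE = f"arn:aws:sts::{ACCOUNT}:assumed-role/app-role/i-0abc123"
CONTRACTOR = f"arn:aws:iam::{ACCOUNT}:user/contractor"

# Calls that change a key's availability or policy rather than use it.
DESTRUCTIVE = {"ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy", "DeleteAlias"}


def _rec(name, arn, key, source="kms.amazonaws.com", ctx=None, error=None):
    """Build one constructed record using CloudTrail's field names."""
    r = {"eventSource": source, "eventName": name,
         "eventTime": "2024-01-01T00:00:00Z", "userIdentity": {"arn": arn},
         "sourceIPAddress": "198.51.100.7",
         "resources": [{"type": "AWS::KMS::Key", "ARN": key}] if key else [],
         "requestParameters": {"encryptionContext": ctx} if ctx else None}
    if error:
        r["errorCode"] = error
    return r


S3_OBJECT = "arn:aws:s3:::example-bucket/report.csv"  # constructed
SAMPLE_LOG = json.dumps({"Records": [  # constructed log file content
    _rec("Decrypt", APP_ROLE, KEY_A, ctx={"aws:s3:arn": S3_OBJECT}),
    _rec("GenerateDataKey", APP_ROLE, KEY_A, ctx={"aws:s3:arn": S3_OBJECT}),
    _rec("Decrypt", CONTRACTOR, KEY_A),            # caller not expected on KEY_A
    _rec("ScheduleKeyDeletion", CONTRACTOR, KEY_A, error="AccessDenied"),
    _rec("Decrypt", APP_ROLE, KEY_B),              # right role, wrong key
    _rec("GetObject", APP_ROLE, None, source="s3.amazonaws.com"),  # not KMS
]})

# Constructed allow list: which principals are expected to use which CMK.
ALLOWED = {KEY_A: {APP_ROLE}, KEY_B: set()}


def kms_records(log_text):
    """Parse a CloudTrail log file and keep only KMS API calls."""
    records = json.loads(log_text)["Records"]
    return [r for r in records if r.get("eventSource") == "kms.amazonaws.com"]


def principal_of(record):
    return record.get("userIdentity", {}).get("arn", "<unknown>")


def cmk_of(record):
    for res in record.get("resources", []):
        if res.get("type") == "AWS::KMS::Key":
            return res.get("ARN")
    return None


def protected_resource(record):
    """Return the resource ARN from the encryption context, if any."""
    ctx = (record.get("requestParameters") or {}).get("encryptionContext") or {}
    for key, value in ctx.items():
        if key.endswith(":arn"):
            return value
    return None


def summarize(records):
    """(principal, CMK) -> Counter of API names: who used which key, how."""
    usage = defaultdict(Counter)
    for r in records:
        usage[(principal_of(r), cmk_of(r))][r["eventName"]] += 1
    return usage


def flag(records, allowed):
    """Return (event, principal, cmk, reason) for calls worth a closer look."""
    findings = []
    for r in records:
        principal, cmk = principal_of(r), cmk_of(r)
        if "errorCode" in r:
            reason = "denied: " + r["errorCode"]
        elif r["eventName"] in DESTRUCTIVE:
            reason = "destructive key management call"
        elif principal not in allowed.get(cmk, set()):
            reason = "principal not on allow list for this CMK"
        else:
            continue
        findings.append((r["eventName"], principal, cmk, reason))
    return findings


def triage(log_text, allowed):
    records = kms_records(log_text)
    return summarize(records), flag(records, allowed)


if __name__ == "__main__":
    usage, findings = triage(SAMPLE_LOG, ALLOWED)
    for (principal, cmk), calls in usage.items():
        print(f"{principal} -> {cmk.rsplit('/', 1)[-1]}: {dict(calls)}")
    for event, principal, cmk, reason in findings:
        print(f"FLAG {event} by {principal} on {cmk.rsplit('/', 1)[-1]}: {reason}")
```

Against a real account the same functions run over the JSON files CloudTrail delivers to the bucket, with the allow list drawn from the key policies and grants the organization actually intends.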

NIST 800-53 Control: SI-5
AWS Responsibility: AWS Security notifies and coordinates with the appropriate service teams when conducting security-related activities within the system boundary. Activities include vulnerability scanning, contingency testing, and incident response exercises. AWS performs external vulnerability assessments at least quarterly, and identified issues are investigated and tracked to resolution. Additionally, AWS performs unannounced penetration tests by engaging independent third parties to probe the defenses and device configuration settings within the system.
AWS Security teams also subscribe to newsfeeds for applicable vendor flaws and proactively monitor vendors' websites and other relevant outlets for new patches.
AWS customers also have the ability to report issues to AWS via the AWS Vulnerability Reporting website at http://aws.amazon.com/security/vulnerability-reporting/.
Customer Responsibility: AWS customers are responsible for: 1) Receiving information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis, 2) Generating internal security alerts, advisories, and directives as deemed necessary, 3) Disseminating security alerts, advisories, and directives to organization-defined personnel, roles, organizational elements and/or external organizations, and 4) Implementing security directives in accordance with established time frames or notifying the issuing organization of the degree of noncompliance.

Subcategory: ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources
Informative References: · CIS CSC 4 · COBIT 5 BAI08.01 · ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12 · ISO/IEC 27001:2013 A.6.1.4 · NIST SP 800-53 Rev. 4 SI-5, PM-15, PM-16
AWS Services/Resources: AWS Certifications, Customer Responsibility

NIST 800-53 Control: PM-15
AWS Responsibility: AWS Security teams also subscribe to newsfeeds for applicable vendor flaws and proactively monitor vendors' websites and other relevant outlets for new patches.
Customer Responsibility: N/A

NIST 800-53 Control: PM-16 (AWS Responsibility: N/A; Customer Responsibility: N/A)

NIST 800-53 Control: SI-5
AWS Responsibility: AWS Security notifies and coordinates with the appropriate service teams when conducting security-related activities within the system boundary. Activities include vulnerability scanning, contingency testing, and incident response exercises. AWS performs external vulnerability assessments at least quarterly, and identified issues are investigated and tracked to resolution. Additionally, AWS performs unannounced penetration tests by engaging independent third parties to probe the defenses and device configuration settings within the system.
AWS Security teams also subscribe to newsfeeds for applicable vendor flaws and proactively monitor vendors' websites and other relevant outlets for new patches.
AWS customers also have the ability to report issues to AWS via the AWS Vulnerability Reporting website at http://aws.amazon.com/security/vulnerability-reporting/.
Customer Responsibility: AWS customers are responsible for: 1) Receiving information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis, 2) Generating internal security alerts, advisories, and directives as deemed necessary, 3) Disseminating security alerts, advisories, and directives to organization-defined personnel, roles, organizational elements and/or external organizations, and 4) Implementing security directives in accordance with established time frames or notifying the issuing organization of the degree of noncompliance.

ID.RA-3: Threats, both internal and external, are identified and documented
Informative References:
· CIS CSC 4
· COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04
· ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
· ISO/IEC 27001:2013 Clause 6.1.2
· NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, PM-16
AWS Services/Resources: AWS Certifications, Customer Responsibility, AWS Trusted Advisor

PM-12
AWS Responsibility: N/A
Customer Responsibility: N/A

PM-16
AWS Responsibility: N/A
Customer Responsibility: N/A

RA-3
AWS Responsibility: AWS performs a continuous risk assessment process to identify, evaluate and mitigate risks across the company. The process involves developing and implementing risk treatment plans to mitigate risks as necessary. The AWS risk management team monitors and escalates risks on a continuous basis, performing risk assessments on newly implemented controls at least every six months.
Customer Responsibility: AWS customers are responsible for: 1) Conducting an assessment of risk to include the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction of their information system and the information it processes, stores, or transmits, 2) Documenting risk assessment results in the system plan, security assessment report, or other organization-defined document, 3) Reviewing risk assessment results at an organization-defined frequency, 4) Disseminating risk assessment results to organization-defined personnel or roles, and 5) Updating the risk assessment at an organization-defined frequency or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities) or other conditions that may impact the security state of the system.

SI-5
AWS Responsibility: AWS Security notifies and coordinates with the appropriate service teams when conducting security-related activities within the system boundary. Activities include vulnerability scanning, contingency testing, and incident response exercises. AWS performs external vulnerability assessments at least quarterly, and identified issues are investigated and tracked to resolution. Additionally, AWS performs unannounced penetration tests by engaging independent third parties to probe the defenses and device configuration settings within the system. AWS Security teams also subscribe to newsfeeds for applicable vendor flaws and proactively monitor vendors' websites and other relevant outlets for new patches. AWS customers also have the ability to report issues to AWS via the AWS Vulnerability Reporting website at http://aws.amazon.com/security/vulnerability-reporting/.
Customer Responsibility: AWS customers are responsible for: 1) Receiving information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis, 2) Generating internal security alerts, advisories, and directives as deemed necessary, 3) Disseminating security alerts, advisories, and directives to organization-defined personnel, roles, organizational elements and/or external organizations, and 4) Implementing security directives in accordance with established time frames or notifying the issuing organization of the degree of noncompliance.

ID.RA-4: Potential business impacts and likelihoods are identified
Informative References:
· CIS CSC 4
· COBIT 5 DSS04.02
· ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
· ISO/IEC 27001:2013 A.16.1.6, Clause 6.1.2
· NIST SP 800-53 Rev. 4 RA-2, RA-3, SA-14, PM-9, PM-11
AWS Services/Resources: AWS Certifications, Customer Responsibility

PM-11
AWS Responsibility: N/A
Customer Responsibility: N/A

PM-9
AWS Responsibility: N/A
Customer Responsibility: N/A

RA-2
AWS Responsibility: AWS treats all customer content and associated assets as highly confidential. AWS Cloud services are content agnostic in that they offer the same high level of security to all customers, regardless of the type of content being stored. We are vigilant about our customers' security and have implemented sophisticated technical and physical measures against unauthorized access. AWS has no insight as to what type of content the customer chooses to store in AWS, and the customer retains complete control of how they choose to classify their content, where it is stored, how it is used, and how it is protected from disclosure.
AWS has implemented data handling and classification requirements that provide specifications around:
• Data encryption
• Content in transit and during storage
• Access
• Retention
• Physical controls
• Mobile devices
• Handling requirements
Customer Responsibility: AWS customers are responsible for: 1) Categorizing their information and their information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, 2) Documenting the security categorization results (including supporting rationale) in the security plan for the information system, and 3) Ensuring the security categorization decision is reviewed and approved by the AO or authorizing official designated representative.

RA-3
AWS Responsibility: AWS performs a continuous risk assessment process to identify, evaluate and mitigate risks across the company. The process involves developing and implementing risk treatment plans to mitigate risks as necessary. The AWS risk management team monitors and escalates risks on a continuous basis, performing risk assessments on newly implemented controls at least every six months.
Customer Responsibility: AWS customers are responsible for: 1) Conducting an assessment of risk to include the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction of their information system and the information it processes, stores, or transmits, 2) Documenting risk assessment results in the system plan, security assessment report, or other organization-defined document, 3) Reviewing risk assessment results at an organization-defined frequency, 4) Disseminating risk assessment results to organization-defined personnel or roles, and 5) Updating the risk assessment at an organization-defined frequency or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities) or other conditions that may impact the security state of the system.

SA-14
AWS Responsibility: N/A
Customer Responsibility: N/A

ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
Informative References:
· CIS CSC 4
· COBIT 5 APO12.02
· ISO/IEC 27001:2013 A.12.6.1
· NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-16
AWS Services/Resources: AWS Certifications, Customer Responsibility

PM-16
AWS Responsibility: N/A
Customer Responsibility: N/A

RA-2
AWS Responsibility: AWS treats all customer content and associated assets as highly confidential. AWS Cloud services are content agnostic in that they offer the same high level of security to all customers, regardless of the type of content being stored. We are vigilant about our customers' security and have implemented sophisticated technical and physical measures against unauthorized access. AWS has no insight as to what type of content the customer chooses to store in AWS, and the customer retains complete control of how they choose to classify their content, where it is stored, how it is used, and how it is protected from disclosure.
AWS has implemented data handling and classification requirements that provide specifications around:
• Data encryption
• Content in transit and during storage
• Access
• Retention
• Physical controls
• Mobile devices
• Handling requirements
Customer Responsibility: AWS customers are responsible for: 1) Categorizing their information and their information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, 2) Documenting the security categorization results (including supporting rationale) in the security plan for the information system, and 3) Ensuring the security categorization decision is reviewed and approved by the AO or authorizing official designated representative.

RA-3
AWS Responsibility: AWS performs a continuous risk assessment process to identify, evaluate and mitigate risks across the company. The process involves developing and implementing risk treatment plans to mitigate risks as necessary. The AWS risk management team monitors and escalates risks on a continuous basis, performing risk assessments on newly implemented controls at least every six months.
Customer Responsibility: AWS customers are responsible for: 1) Conducting an assessment of risk to include the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction of their information system and the information it processes, stores, or transmits, 2) Documenting risk assessment results in the system plan, security assessment report, or other organization-defined document, 3) Reviewing risk assessment results at an organization-defined frequency, 4) Disseminating risk assessment results to organization-defined personnel or roles, and 5) Updating the risk assessment at an organization-defined frequency or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities) or other conditions that may impact the security state of the system.

ID.RA-6: Risk responses are identified and prioritized
Informative References:
· CIS CSC 4
· COBIT 5 APO12.05, APO13.02
· ISO/IEC 27001:2013 Clause 6.1.3
AWS Services/Resources: AWS Certifications, Customer Responsibility

PM-4
AWS Responsibility: N/A
Customer Responsibility: N/A

PM-9
AWS Responsibility: N/A
Customer Responsibility: N/A

Risk Management Strategy (ID.RM): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
Informative References:
· CIS CSC 4
· COBIT 5 APO12.04, APO12.05, APO13.02, BAI02.03, BAI04.02
· ISA 62443-2-1:2009 4.3.4.2
· ISO/IEC 27001:2013 Clause 6.1.3, Clause 8.3, Clause 9.3
· NIST SP 800-53 Rev. 4 PM-9
AWS Services/Resources: AWS Certifications, Customer Responsibility

PM-9
AWS Responsibility: N/A
Customer Responsibility: N/A

ID.RM-2: Organizational risk tolerance is determined and clearly expressed
Informative References:
· COBIT 5 APO12.06
· ISA 62443-2-1:2009 4.3.2.6.5
· ISO/IEC 27001:2013 Clause 6.1.3, Clause 8.3
· NIST SP 800-53 Rev. 4 PM-9
AWS Services/Resources: AWS Certifications, Customer Responsibility

PM-9
AWS Responsibility: N/A
Customer Responsibility: N/A

ID.RM-3: The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis
Informative References:
· COBIT 5 APO12.02
· ISO/IEC 27001:2013 Clause 6.1.3, Clause 8.3
· NIST SP 800-53 Rev. 4 SA-14, PM-8, PM-9, PM-11
AWS Services/Resources: AWS Certifications, Customer Responsibility

PM-11, PM-8, PM-9, SA-14
AWS Responsibility: N/A
Customer Responsibility: N/A

Supply Chain Risk Management (ID.SC): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.

ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
Informative References:
· CIS CSC 4
· COBIT 5 APO10.01, APO10.04, APO12.04, APO12.05, APO13.02, BAI01.03, BAI02.03, BAI04.02
· ISA 62443-2-1:2009 4.3.4.2
· ISO/IEC 27001:2013 A.15.1.1, A.15.1.2, A.15.1.3, A.15.2.1, A.15.2.2
· NIST SP 800-53 Rev. 4 SA-9, SA-12, PM-9

PM-9, SA-12, SA-9
AWS Responsibility: AWS demonstrates compliance with these controls through Service Organization Controls (SOC) audits, which can be verified by the SOC 2 report found in AWS Artifact (an AWS service available in the AWS Console to existing customers) or provided under a signed Non-Disclosure Agreement (NDA).
Customer Responsibility: Periodically review the AWS SOC 2 reports to ensure AWS maintains compliance.

ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process
Informative References:
· COBIT 5 APO10.01, APO10.02, APO10.04, APO10.05, APO12.01, APO12.02, APO12.03, APO12.04, APO12.05, APO12.06, APO13.02, BAI02.03
· ISA 62443-2-1:2009 4.2.3.1, 4.2.3.2, 4.2.3.3, 4.2.3.4, 4.2.3.6, 4.2.3.8, 4.2.3.9, 4.2.3.10, 4.2.3.12, 4.2.3.13, 4.2.3.14
· ISO/IEC 27001:2013 A.15.2.1, A.15.2.2
· NIST SP 800-53 Rev. 4 RA-2, RA-3, SA-12, SA-14, SA-15, PM-9

PM-9, RA-2, RA-3, SA-12, SA-14, SA-15
AWS Responsibility: AWS demonstrates compliance with these controls through Service Organization Controls (SOC) audits, which can be verified by the SOC 2 report found in AWS Artifact (an AWS service available in the AWS Console to existing customers) or provided under a signed Non-Disclosure Agreement (NDA).
Customer Responsibility: Periodically review the AWS SOC 2 reports to ensure AWS maintains compliance.

ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization's cybersecurity program and Cyber Supply Chain Risk Management Plan.
Informative References:
· COBIT 5 APO10.01, APO10.02, APO10.03, APO10.04, APO10.05
· ISA 62443-2-1:2009 4.3.2.6.4, 4.3.2.6.7
· ISO/IEC 27001:2013 A.15.1.1, A.15.1.2, A.15.1.3
· NIST SP 800-53 Rev. 4 SA-9, SA-11, SA-12, PM-9

PM-9, SA-11, SA-12, SA-9
AWS Responsibility: AWS demonstrates compliance with these controls through Service Organization Controls (SOC) audits, which can be verified by the SOC 2 report found in AWS Artifact (an AWS service available in the AWS Console to existing customers) or provided under a signed Non-Disclosure Agreement (NDA).
Customer Responsibility: Periodically review the AWS SOC 2 reports to ensure AWS maintains compliance.

ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
Informative References:
· COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05
· ISA 62443-2-1:2009 4.3.2.6.7
· ISA 62443-3-3:2013 SR 6.1
· ISO/IEC 27001:2013 A.15.2.1, A.15.2.2
· NIST SP 800-53 Rev. 4 AU-2, AU-6, AU-12, AU-16, PS-7, SA-9, SA-12

AU-12, AU-16, AU-2, AU-6, PS-7, SA-12, SA-9
AWS Responsibility: AWS demonstrates compliance with these controls through Service Organization Controls (SOC) audits, which can be verified by the SOC 2 report found in AWS Artifact (an AWS service available in the AWS Console to existing customers) or provided under a signed Non-Disclosure Agreement (NDA).
Customer Responsibility: Periodically review the AWS SOC 2 reports to ensure AWS maintains compliance.

ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers
Informative References:
· CIS CSC 19, 20
· COBIT 5 DSS04.04
· ISA 62443-2-1:2009 4.3.2.5.7, 4.3.4.5.11
· ISA 62443-3-3:2013 SR 2.8, SR 3.3, SR 6.1, SR 7.3, SR 7.4
· ISO/IEC 27001:2013 A.17.1.3
· NIST SP 800-53 Rev. 4 CP-2, CP-4, IR-3, IR-4, IR-6, IR-8, IR-9

CP-2, CP-4, IR-3, IR-4, IR-6, IR-8, IR-9
AWS Responsibility: AWS demonstrates compliance with these controls through Service Organization Controls (SOC) audits, which can be verified by the SOC 2 report found in AWS Artifact (an AWS service available in the AWS Console to existing customers) or provided under a signed Non-Disclosure Agreement (NDA).
Customer Responsibility: Periodically review the AWS SOC 2 reports to ensure AWS maintains compliance.
Identity Management, Authentication and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.

PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
Informative References:
· CIS CSC 1, 5, 15, 16
· COBIT 5 DSS05.04, DSS06.03
· ISA 62443-2-1:2009 4.3.3.5.1
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9
· ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
· NIST SP 800-53 Rev. 4 AC-1, AC-2, IA-1, IA-2, IA-3, IA-4, IA-5, IA-6, IA-7, IA-8, IA-9, IA-10, IA-11
AWS Services/Resources: AWS IAM Policies & Roles, Customer Responsibility

AC-1
AWS Responsibility: AWS implements formal, documented policies and procedures that provide guidance for operations and information security within the organization and the supporting AWS environments. Policies address purpose, scope, roles, responsibilities, and management commitment. All policies are maintained in a centralized location that is accessible by employees.

AC-2
AWS Responsibility: Access privileges to AWS systems are reviewed on a quarterly basis by an authorized individual. Explicit re-approval is required or access to the resource is automatically revoked. User access privileges are restricted based on business need and job responsibilities. AWS employs the concept of least privilege, allowing only the necessary access for users to accomplish their job function. New user accounts are created to have minimal access. User access to AWS systems (for example, network, applications, tools, etc.) requires documented approval from the authorized personnel (for example, the user's manager and/or system owner) prior to access provisioning, and validation of the active user in the HR system. Duties and areas of responsibility (for example, access request and approval, change request and change approval, infrastructure development, testing and deployment, etc.) must be segregated across different individuals to reduce opportunities for an unauthorized or unintentional modification or misuse of AWS systems. In the event that an active individual or system user does not comply with the above stated policy, their account will be locked. Group or shared accounts are not permitted within the system boundary. Third party privileged access to AWS systems is allocated based on least privilege and supervised by an AWS employee. All employees, vendors, and contractors who require a user account must be on-boarded through Amazon's HR personnel. As part of the onboarding workflow, the direct manager of the employee, vendor, or contractor requests the establishment of the user account. The approved request serves as the approval to establish a user account.

IA-1
AWS Responsibility: AWS implements formal, documented policies and procedures that provide guidance for operations and information security within the organization and the supporting AWS environments. Policies address purpose, scope, roles, responsibilities and management commitment. All policies are maintained in a centralized location that is accessible by employees. Policies are reviewed and approved by AWS leadership at least annually or following a significant change to the AWS environment.

IA-2
AWS Responsibility: AWS controls access to systems through authentication that requires a unique user ID and password. AWS systems do not allow actions to be performed on the information system without identification or authentication. AWS has implemented a session lock out policy that is systematically enforced. The session lock is retained until established identification and authentication procedures are performed.

IA-3
AWS Responsibility: Several network fabrics exist at Amazon, each separated by boundary protection devices that control the flow of information between fabrics. The flow of information between fabrics is established by approved authorizations, which exist as access control lists (ACL) residing on these devices. ACLs are defined, approved by the appropriate Amazon Information Security team, and managed and deployed using the AWS ACL-manage tool. Approved firewall rule sets and access control lists between network fabrics restrict the flow of information to specific information system services. Access control lists and rule sets are reviewed and approved, and are automatically pushed to boundary protection devices on a periodic basis (at least every 24 hours) to ensure rule-sets and access control lists are up-to-date. AWS implements least privilege throughout its infrastructure components. AWS prohibits all ports and protocols that do not have a specific business purpose. AWS follows a rigorous approach to minimal implementation of only those features and functions that are essential to use of the device. Network scanning is performed and any unnecessary ports or protocols in use are corrected.

IA-4
AWS Responsibility: Same as IA-2.

IA-5
AWS Responsibility: Same as IA-2.

IA-6
AWS Responsibility: Obfuscation of authentication information is performed throughout AWS to help protect the information from unauthorized access. This is often performed by the client software or, in some cases, the device operating system on servers or the network devices identified in the AWS inventory.

IA-7
AWS Responsibility: AWS is designed to protect the confidentiality and integrity of transmitted data through the comparison of a cryptographic hash of data transmitted. This is done to help ensure the message is not corrupted or altered in transit. Data that has been altered or corrupted in transit is immediately rejected. AWS provides many methods for customers to securely handle their data:
-AWS enables customers to use a secure, encrypted channel to AWS servers using HTTPS (TLS/SSL).
-Amazon S3 provides a mechanism that enables users to utilize MD5 checksums to validate that data sent to AWS is bitwise identical to what is received, and that data sent by Amazon S3 is identical to what is received by the user. When customers choose to provide their own keys for encryption and decryption of Amazon S3 objects (S3 SSE-C), Amazon S3 does not store the encryption key provided by the customer. Amazon S3 generates and stores a one-way salted HMAC of the customer encryption key and that salted HMAC value is not logged.
-Upon initial communication with an AWS-provided Windows AMI, AWS enables secure communication by configuring Terminal Services on the instance and generating a unique self-signed X.509 server certificate and delivering the certificate's thumbprint to the user over a trusted channel.
-AWS further enables secure communication with Linux AMIs, by configuring SSH

IA-8
AWS Responsibility: Same as IA-2.

IA-9
AWS Responsibility: N/A

IA-10
AWS Responsibility: N/A

IA-11
AWS Responsibility: N/A

PR.AC-2: Physical access to assets is managed and protected
Informative References:
· COBIT 5 DSS01.04, DSS05.05
· ISA 62443-2-1:2009 4.3.3.3.2, 4.3.3.3.8
· ISO/IEC 27001:2013 A.11.1.1, A.11.1.2, A.11.1.3, A.11.1.4, A.11.1.5, A.11.1.6, A.11.2.1, A.11.2.3, A.11.2.5, A.11.2.6, A.11.2.7, A.11.2.8
· NIST SP 800-53 Rev. 4 PE-2, PE-3, PE-4, PE-5, PE-6, PE-8
AWS Services/Resources: AWS Best Practices, AWS Reference Architectures, AWS Config, AWS Config Rules, AWS CloudWatch, CloudWatch Logs, AWS CloudTrail, VPC Flow Logs, AWS Big Data and Analytics services, Customer Responsibility

PE-2
AWS Responsibility: Physical access to all AWS data centers housing IT infrastructure components is restricted to authorized data center employees, vendors, and contractors who require access in order to execute their jobs. Access to facilities is only permitted at controlled access points that require multi-factor authentication designed to prevent tailgating and to ensure that only authorized individuals enter an AWS data center. On a quarterly basis, access lists and authorization credentials of personnel with access to AWS data centers are reviewed by the respective data center Area Access Managers (AAM). All entrances to AWS data centers, including the main entrance, the loading dock, and any roof doors/hatches, are secured with intrusion detection devices that sound alarms if the door is forced open or held open. Trained security guards are stationed at the building entrance 24/7. If a door or cage within a data center has a malfunctioning card reader or PIN pad and cannot be secured electronically, a security guard is posted at the door until it can be repaired.
PE-3 on the instance,
Physical access togenerating
all AWS adata unique host-key
centers andIT
housing delivering the key’s
infrastructure fingerprint
components is to
the user over
restricted a trusted channel.
to authorized data center employees, vendors, and contractors who require
access in order to execute their jobs. Access to facilities is only permitted at
-Connections
controlled between
access pointscustomer applications
that require and authentication
multi-factor Amazon RDS designed
MySQL instances
to prevent
can be encrypted
tailgating using TLS/SSL.
and to ensure Amazon RDS
that only authorized generates
individuals a TLS/SSL
enter an AWScertificate
data center.for
eacha database
On quarterlyinstance, which
basis, access canand
lists be authorization
used to establish an encrypted
credentials connection
of personnel with
using the
access defaultdata
to AWS MySQL
centers client. Once an by
are reviewed encrypted connection
the respective data is established,
center data
Area Access
transferred(AAM).
Managers between the database instance and a customer’s application will be
encrypted
All entrancesduring transfer.
to AWS dataIfcenters,
customers requirethe
including data
mainto be encrypted
entrance, the while
loading“atdock,
rest”
in the
and database,
any the customerare
roof doors/hatches, application
secured withmustintrusion
manage detection
the encryption
devicesandthat sound
decryption
alarms if theofdoor
data.isAdditionally,
forced open or customers
held open.can set up controls to have their
databasesecurity
Trained instances only accept
guards encrypted
are stationed connections
at the for specific
building entrance 24/7.user
If aaccounts.
door or cage
within a data center has a malfunctioning card reader or PIN pad and cannot be
-Content is encrypted with
secured electronically, 256-bitguard
a security keys iswhen customers
posted enable
at the door untilKMS
it cantobe
encrypt S3
repaired.
Objects, EBS Volumes, RDS Database Instances, Redshift Data Blocks, CloudTrail
Log Files, SES Messages, Workspace Volumes, WorkMail Messages, and EMR S3
Storage. access points to server locations are recorded by closed circuit television
Physical
camera (CCTV). Images are retained for 90 days, unless limited to 30 days by legal
AWS
or offers customers
contractual the ability to add an additional layer of security to data at rest
obligations.
in the cloud, providing scalable and efficient encryption features. This includes:
• Data encryption capabilities available in AWS storage and database services, such
as EBS, S3, Glacier, Oracle RDS, SQL Server RDS, and Redshift
• Flexible key management options, including AWS Key Management Service,
allowing you to choose whether to have AWS manage the encryption keys or enable
you to keep complete control over your keys
PE-4 Access to power
• Dedicated, equipment, power
hardware-based cabling,key
cryptographic andstorage
transmission
using lines
AWSare restricted to
CloudHSM,
authorized
allowing you personnel
to satisfyand are positioned
compliance to prevent intentional or accidental damage.
requirements
In addition, AWS provides APIs for you to integrate encryption and data protection
with any of the services you develop or deploy in an AWS environment.
PE-5 The following statements outline how each requirement of the control is met through
AWS’toimplementation:
Refer the following AWS Audit Reports for additional details: PCI 3.2, ISO
27001, ISO 27017, HIPAA, IRAP, NIST 800-53, SOC 2 COMMON CRITERIA,
Crash
SOC 1carts—carts with a monitor that can be plugged into servers—are the only
& 2 CONTROLS
output devices used within data centers. Crash carts reside only within data center
server rooms, which are protected by physical access devices (badge readers)
requiring a successful badge swipe and PIN to enter. These prevent unauthorized
individuals from obtaining or observing output displayed on crash carts.

While the crash carts enable data center technicians to troubleshoot using a display
device (monitor), data center technicians are not permitted to log into AWS servers
until customer data have been removed. Server and networking rooms are positioned
in the interior of each data center, and there are no exterior windows at data centers.

PE-6 Physical access to all AWS data centers housing IT infrastructure components is
restricted to authorized data center employees, vendors, and contractors who require
access in order to execute their jobs. Access to facilities is only permitted at
controlled access points that require multi-factor authentication designed to prevent
tailgating and to ensure that only authorized individuals enter an AWS data center.
On a quarterly basis, access lists and authorization credentials of personnel with
access to AWS data centers are reviewed by the respective data center Area Access
Managers (AAM).
All entrances to AWS data centers, including the main entrance, the loading dock,
and any roof doors/hatches, are secured with intrusion detection devices that sound
alarms if the door is forced open or held open.
Trained security guards are stationed at the building entrance 24/7. If a door or cage
within a data center has a malfunctioning card reader or PIN pad and cannot be
secured electronically, a security guard is posted at the door until it can be repaired.

PE-8 Due to the fact that our data centers host multiple customers, AWS does not allow
data center tours by customers, as this exposes a wide range of customers to physical
access of a third party.

AWS provides data center physical access to approved employees and contractors
who have a legitimate business need for such privileges. All visitors are required to
present identification and are signed in and escorted by authorized staff.

Cardholder access to data centers is reviewed quarterly. Cardholders marked for


removal have their access revoked as part of the quarterly review.

PR.AC-3: Remote access is managed · CIS CSC 12 AWS Certifications, AWS Best Practices, AWS AC-1 AWS implements formal, documented policies and procedures that provide guidance
· COBIT 5 APO13.01, DSS01.04, DSS05.03 Reference Architectures, AWS IAM (MFA), AC-17 for
Remote operations
accessand information
to AWS production security within theisorganization
environments limited to defined and thesecurity
supporting
· ISA 62443-2-1:2009 4.3.3.6.6 AWS Config, AWS ConfigRules, AWS AWS
groups. environments.
The addition Policies
of policies
members address purpose,
intoprocedures
a group must scope,beroles,
reviewedresponsibilities,
and approved andby
· ISA 62443-3-3:2013 SR 1.13, SR 2.6 Cloudwatch, CloudWatch Logs, CloudTrail, AC-19 AWS
management maintains formal
commitment. All and
policies that provide guidance for operations
authorized
and informationindividuals
security who confirm
within the are
user’s
the organization
maintained
need
andfor
in a centralized
theaccess to theAWS
supporting
location
environment. that
· ISO/IEC 27001:2013 A.6.2.1, A.6.2.2, VPC Flowlogs, Customer Responsibility AC-20 AWS
is creates
accessible
Remote access The and
by maintains
employees.
requires written
multi-factor agreements
authentication with third parties
over an approved (e.g., contractors
cryptographic
A.11.2.6, A.13.1.1, A.13.2.1 environments.
or vendors) security
in accordance policy
with the is workpublished
or service by leadership
to be to provide
provided guidance on
(e.g.,connections
network
SC-15 AWS
channel does
ISMS implementation. for not allow
authentication. collaborative
The mobile computing devices to have network
· NIST SP 800-53 Rev. 4 AC-1, AC-17, AC- services
to
AWS the AWS agreement,
employs information service
automated deliverydevice
system.
mechanisms agreement,
to
policyorprovides
facilitate information
the
guidance
monitoring exchange
and
on: agreement)
control of
• Useimplements
and of mobile devices. appropriate relationship management mechanisms inwhich
line with
19, AC-20, SC-15 remote
• Protection access of methods.
devices Auditing
that access occurs
contenton thewhich
for systems Amazonand devices,
isthe
responsible. are their
then
relationship
aggregated to the
and business.
stored Agreements
in a proprietary tool cover, at a minimum,
for review and incident following:
investigation. The
•• Legal
AWS
Remote and wipe
operational
capability.
regulatory requirements
environment, applicable to AWS
•• User Password-guessing
awareness protection to
of information
include
restrictions.
security
network and security configuration, is
responsibilities and issuesby employees per
considered confidential information and is required to be protected
•• Arrangements
Amazon
Remote synchronization for reporting, requirements.
notification, and investigation of access
information security
• Securitydata
incidents patch
and
classification
requirements.
security
policies. All remote administrative attempts are
PR.AC-4: Access permissions are · CIS CSC 3, 5, 12, 14, 15, 16, 18 AWS Certifications, AWS Best Practices, AWS AC-1 AWS
logged implements
and limited to abreaches
formal, documented
specific numberpolicies of attempts.and procedures
Auditing logs thatareprovide
reviewedguidance
by
managed, incorporating the principles of · COBIT 5 DSS05.04 Reference Architectures, AWS IAM (including • Target
for and
operations unacceptable
and information levels of service
security (e.g.,theSLA, Operational Level Agreement
AC-14 the
AWS
[OLA])
AWS Security
controls accessteam to for
systems throughwithin
unauthorized attempts
authenticationorganization
or suspicious and
that requires the
activity. supporting
In
a unique theuser
event
least privilege and separation of duties · ISA 62443-2-1:2009 4.3.3.7.3 MFA & federation), AWS CloudFormation, AWS
that
ID environments.
suspicious
and password. activity
AWS Policies
is address
detected,
systems do the purpose,
incident
not Recovery scope,
allow actionsresponse roles, responsibilities,
procedures
to Objective
be performed are and
initiated.
on the
· ISA 62443-3-3:2013 SR 2.1 AWS Config, AWS ConfigRules, Customer AC-16 •N/A Service
management continuity
commitment.requirementsAll (e.g.,
policies are maintainedTime in a centralized[RTO]), in that
location
information
accordance system
with AWS without
business identification
priorities or authentication. Remote access requires
· ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, Responsibility AC-2 Access
is privileges
accessible to AWS
by employees. systems are reviewed on a quarterly basis by an
multi-factor
• Protectionindividual. authentication
of Intellectual and the number
Property Rights is of unsuccessful
(IPR) and copyright log-on attempts of is
A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 AC-24 authorized
N/A Explicit re-approval required or access assignment
to the resourceAWS is
limited.
• Conditions All remote
for administrative access attempts
renegotiation/termination are logged, and the logs are
of the agreement.
· NIST SP 800-53 Rev. 4 AC-1, AC-2, AC- automatically revoked.
AC-3 reviewed
User access by privileges
the Security areteam for unauthorized
restricted based on business attempts needor suspicious activity. If
and job responsibilities.
3, AC-5, AC-6, AC-14, AC-16, AC-24 suspicious activity is detected, the incident response
AC-5 AWS employs the concept
Privileged access to AWS systems is assigned of least privilege, based procedures
allowing ononlyleastthe are initiated.
necessary
privilege, access for
approved by
users
an authorized to accomplish individualtheir job
prior function.
to access New user
provisioning, accountsand are created
assigned to have
a different userby
AC-6 Privileged
AWS
minimal has access
implemented
access. to AWS
User systems
abusiness
access session
to AWS is assigned
lock out policy based
that on
is ofleast privilege,
systematically approved
enforced. The
ID authorized
an than used for normal
individual prior to use.systems
access Duties (e.g.,
and network,
areas applications,
responsibility tools)
(e.g., access
PR.AC-5: Network integrity is · CIS CSC 9, 14, 15, 18 AWS Certifications, AWS Best Practices, AWS AC-10 AWS
information
requires
request controls
documented
and accessimplements
systems
approval, to systems
approval
change from
management the provisioning,
through
a session authentication
lock
authorized
requestafterandaand assigned
that
period
personnel
approval,requires a different
a unique
of inactivity,
(e.g., user's
change
user
user as
as well
manager
protected (e.g., network segregation, · COBIT 5 DSS01.05, DSS05.02 Reference Architectures, AWS IAM (MFA), ID
ID
in
and/or than
and
the used
password.
case
system of for normal
AWS
multiple
owner) business
systems
log-in
and douse.
attempts,
validation not
ofDuties
allow
and
the and
limits
active areas
actions
the
user to of
be
number
in responsibility
theperformed
of concurrent
Amazon on (e.g.,
Humanthe access
sessions
development,
request and testing and
approval, change deployment)
management are segregated andacross different individuals to
network segmentation) · ISA 62443-2-1:2009 4.3.3.4 AWS CloudFormation, Config, AWS information
that
Resources
reduce may exist.system
system.
opportunities without
The session
for identification
lock is retained orrequest
authentication.
until approval,
established Remote change
identificationaccess requires
and
· ISA 62443-3-3:2013 SR 3.1, SR 3.8 ConfigRules, AWS CloudTrail, VPC Flowlogs, development,
multi-factor
authentication testing
authentication
procedures andan unauthorized
deployment)
andperformed.
are the number areorsegregated
unintentional
of unsuccessful across modification
different
log-on attempts
or misuse
individuals
is
of
to
AWS systems.
reduce opportunities for an unauthorized
· ISO/IEC 27001:2013 A.13.1.1, A.13.1.3, AWS VPC, Security Groups, ACL's, Customer limited. All remote administrative access or unintentional
attempts are logged, modification
and the logs or misuse
are of
A.13.2.1, A.14.1.2, A.14.1.3 Responsibility AC-4 AWS systems.
Several
reviewed network fabrics exist
by the Security teamatfor Amazon,
unauthorized each separated
attempts by boundary protection
or suspicious activity. If
· NIST SP 800-53 Rev. 4 AC-4, AC-10, SC- SC-7 devices
suspicious
Several that control
activity
network isthe
fabrics flow
existof
detected, information
atthe incidenteach
Amazon, between
response
separatedfabrics.
procedures Theare
by boundary flow of
initiated.
protection
7· information
devices that between
controlformal, fabrics
the flow is
ofestablished
information bybetween
approved authorizations,
fabrics. The flow which exist
of
PR.AC-6: Identities are proofed and CIS CSC, 16 AC-1 AWS
as ACL implements documented policies and procedures that provide guidance
bound to credentials and asserted in · COBIT 5 DSS05.04, DSS05.05, DSS05.07, AWS
information
for operations hasresiding
implemented
between on these
fabrics
and information
devices.
a session ACLs
lock
is established
security out are
bydefined,
policy
within thethat
approved approved
is by appropriate
systematically
authorizations,
organization theenforced.
andusing which
supporting The
exist
AC-16 N/A
Amazon’s
information
as ACL Information
residingsystems on these Security
implements
devices. team,
a ACLs and
session managed
lock
are afterand
defined, deployed
aapproved
period ofby inactivity, AWS’s
appropriate asand
well as
interactions DSS06.03 AWS
ACL-management environments. Policies
tool. address purpose, scope, roles, responsibilities,
AC-19 AWS
in the maintains
Amazon’s case Information formal
of commitment.
multiple policies
log-in
Security and
attempts,
team, procedures
and
and limitsthat
managed theprovide
and
number guidance
deployed
of concurrent
using forAWS’s
operations
sessions
· ISA 62443-2-1:2009 4.3.3.2.2, 4.3.3.5.2, management
Approved firewall All policies are maintained in a centralized location that
4.3.3.7.2, 4.3.3.7.4 AC-2 and
that
Access
is
information
ACL-management
mayprivileges
accessible exist. by The torule
security
tool.
session
AWS
employees.
sets and access
within
lock
systems the
is retained
are control
organization
revieweduntillists
andbetween
a the
established
on quarterly network
supporting basisAWS
identificationfabrics
by anand restrict
the flow offirewall
environments.
authentication
Approved
authorized information
The rule
security
procedures
individual. to are
sets specific
Explicit policy
and performed.
accessinformation
is
re-approval published
control system
by
lists
is required services.
leadership
between
or ACLs
to provide
network
access to and
thefabrics rule
guidance
resource sets
on
restrict
is
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR AC-24 N/A
are flow reviewed and approved and are information
automatically pushed toguidance
boundary protection
ISMS
the
automatically implementation.
of information
revoked. The mobile
to specific device policy provides
system services. ACLs on: and rule sets
1.4, SR 1.5, SR 1.9, SR 2.1 devices
AC-3 User
•are Use ofon
access
reviewed aprivileges
mobile periodic
anddevices. basis
approved (at
andleast
are restricted every
based24
are automatically onhours)
business to ensure
pushed need rule
and
to boundaryjobsets and access
responsibilities.
protection
· ISO/IEC 27001:2013, A.7.1.1, A.9.2.1 control lists
· NIST SP 800-53 Rev. 4 AC-1, AC-2, AC-
AWS
•devices
Protectionon aare
employs of up concept
the
devices
periodic to date.
that of
basis least
access
(at privilege,
leastcontent
every 24 allowing
forhours)
whichto only therule
Amazon
ensure isnecessary
sets andaccess
responsible. accessfor
AWS
users
•control
Remote implements
to accomplish
wipe
lists upleast
totheir
arecapability. privilege
date. job function. throughout New user its infrastructure
accounts are components.
created to have AWS
3, AC-16, AC-19, AC-24, IA-1, IA-2, IA-4, IA- prohibits
minimal access.
all portsUser and access
protocols to AWSthat do
systems
not have
5, IA-8, PE-2, PS-3
•AWS Password-guessing
implements protection
least privilege restrictions.
throughout its(e.g.,
a specific
network,
infrastructure business
applications,
components.purpose. tools)
AWSAWS
follows
requires
Remoteadocumented
•prohibits rigorous
synchronization
all ports and approach
approval to from
minimal
that the
requirements.
protocols authorized
do notimplementation personnel
have a specific of only(e.g.,
businessthoseuser's
features
purpose.manager and
AWS
functions
and/or
•follows
Securitysystem
that
patch
a rigorous are
owner)
essential
and validation
requirements.
approach totouse of the
minimal of the
device.
active Network
implementation user inof scanning
the Amazon
only is performed,
those Human and
features and
any unnecessary
Resources
functions system.
that areports or protocols
essential to use ofinthe usedevice.
are corrected.
Network scanning is performed, and
any unnecessary ports or protocols in use are corrected.
PR.AC-6: Identities are proofed and · CIS CSC, 16
bound to credentials and asserted in · COBIT 5 DSS05.04, DSS05.05, DSS05.07,
interactions DSS06.03
· ISA 62443-2-1:2009 4.3.3.2.2, 4.3.3.5.2,
4.3.3.7.2, 4.3.3.7.4
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR
1.4, SR 1.5, SR 1.9, SR 2.1
· ISO/IEC 27001:2013, A.7.1.1, A.9.2.1
· NIST SP 800-53 Rev. 4 AC-1, AC-2, AC- IA-1 AWS implements formal, documented policies and procedures that provide guidance
3, AC-16, AC-19, AC-24, IA-1, IA-2, IA-4, IA- IA-2 for operations
AWS controls and access information
to systemssecurity throughwithin the organization
authentication and the
that requires supporting
a unique user
AWS
ID environments.
andcontrols
password. AWS Policies address purpose, scope, to roles, responsibilities theanduser
5, IA-8, PE-2, PS-3 IA-4 AWS
management access
commitment. to systems
systems
All
do not
through
policies
allow
are
actions
authentication be performed
inthat requires aon unique
information
ID andcontrols system
password. AWS without identification ormaintained
authentication. a centralized location that
IA-5 AWS
is
AWSaccessible byaccess
has implemented employees. toasystems
systems
session
do not allow
through
lock outauthentication
policy
actions to that be performed
requires aon
that is systematically
the user
unique
enforced. The
information
ID andcontrols system
password. AWS without systems identification
do not allow or authentication.
actions toand be authentication
performed
IA-8 AWS
session
AWS has lock is access
retained
implemented tountil
asystems
session through
established authentication
lock outidentification
policy thatatisleastthat requires aon
systematically
the
unique user
procedures
enforced. The
information
Policies
ID
are and are systemAWS
reviewed
password.
performed. without
approved
systems identification
bydoAWS not allow or authentication.
leadership
actions toand annually
be authentication
performed oron following
the a
PE-2 Physical
session
AWS access
lock is
has implemented to all
retained AWS until
a AWS data
session centers
established housing
identification
lock out policy IT infrastructure components
that is systematically enforced. The is
procedures
significant
information
restricted tochange
system
authorized towithout
thedata centerenvironment.
identification employees, or authentication.
vendors, and contractors who require
PS-3 are performed.
Background
session lock checks
is retainedare are performed
until established as part of AWS’s hiring verification processes.
AWS
User
access has
access
in implemented
privileges
order to execute a session
restricted
their jobs. outidentification
lockbased
Access policy
ontobusinessthat isand
facilities need
is
authentication
systematically
and
only
procedures
enforced.
jobinresponsibilities.
permitted at The
PR.AC-7: Users, devices, and other · CIS CSC 1, 12, 15, 16 AC-11 Background
are
All performed.
AWS employees,
session controls
lock checksvendors,
is access
retained include
tountil
systemseducation,
and established
contractors
through previous
who
authentication
identification employment,
require a and user and,
account
thatauthentication
requires some
must
a unique cases,
be on- user
procedures
AWS
criminal employs
controlled andaccess the
other concept
points
background thatofrequire
least
checks privilege,
multi-factor
as allowing
permitted only
authentication
by law the
and necessary
designed
regulation access
to
forpreventfor
assets are authenticated (e.g., single- · COBIT 5 DSS05.04, DSS05.10, DSS06.10 AC-12 boarded
ID
are
usersand
Limiting
tailgating through
topassword.
performed.
accomplish
the
and length Amazon’s
AWS
to ensure their
of systems
job
sessions
that HR management
do
function.
only is notnot allowuser
New
feasible
authorized system.
actions
from accounts
individuals As
to be
a businesspart
are
enter of the
performed
created
perspective.
an AWS onboarding
on
to the
have
data Ancenter.
employees
Third party commensurate
privileged access with the employee’s position and level ofonaccess to AWS
factor, multi-factor) commensurate with · ISA 62443-2-1:2009 4.3.3.6.1, 4.3.3.6.2,
AC-14
workflow,
information
minimal
example
On
AWS ofthe
a quarterly
controls this direct
system
access. User
would
basis,
access
manager
without
access
besystems
access
to when toto
listsofAWSAWS
the
identification
AWS
through
systems
andemployee,
systems
teams
authorization
are
or maintain
(for allocated
vendor,
authentication.
example, or
EC2.
credentials
based
contractor
Remote
network,
The ofEC2
least
requests
access privilege,
aapplications,
bastions
personnel withthe
requires
users
the risk of the transaction (e.g., 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, facilities.
approved
establishment
multi-factor
tools,
utilize
access etc.)
ato
by anof
requires authorized
“run-parallel”
AWS a user
authentication
data account.
documented
approach
centers
individual
and
are areas Group
theto number
approval
reviewedexecuteorauthentication
prior to
shared
of
from
by some
access
the the accounts
unsuccessful thatare
provisioning,
authorized
commands
respective
requires
not
log-on
personnel
across
data center
and
permitted
attempts
theon
unique
supervised
(for
fleet
Area is userby
within
for any
Access
individuals’ security and privacy risks 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9 AC-7 ID
an and
theAWS
AWS system
limited. password.
employee.
controls
All access
boundary.
remote AWS Duties
to
The systems
and
systems
administrativeapproved do not
through allow
of owner)
request
access actions
responsibility
authentication
serves
attempts as to
the beapproval
(for
that performed
example,
requires toaccess theare
aestablish
unique request
user
a in
user
example,
number
Managers
information ofuser's
reasons,
(AAM).
system manager to and/or
include
without system
information
identification andare
collection,
or authentication.
logged,
validation andthe
of
investigations,
Remote
the andlogs
active
access user
requires
and other organizational risks) · ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR AC-8 and
ID approval,
and
account.
reviewed
AWS password.
employsby the change AWS
Security management
systems
team do request
not
forexecuting allow
unauthorized and approval,
actions
attempts to bechange
performed
or jobs development,
suspicious on the
activity. ofIf
the
All HR
multi-factor
testing
system.
troubleshooting.
entrances
and toautomated
This can
AWS
authentication
deployment, data mechanisms
require
etc.)centers,
and must the number
be
to facilitate
including
segregated
a the
of the monitoring
long-running
main
unsuccessful
across entrance,
log-on
different
that
the and thecontrol
loading
attempts
individuals dock,
isto
1.5, SR 1.7, SR 1.8, SR 1.9, SR 1.10 information
suspicious system
activity without
istodetected, identification or authentication. Remote access requires
AC-9 remote
N/A
limited.
reduce
access
administrator
and anyopportunities
roof
All methods.
needs
doors/hatches,
remote Auditing
monitor
administrative
for an arethe (in incident
occurs
a separate,
secured
unauthorized access on
with response
the systems
concurrent
intrusion
attempts
or unintentionalare
procedures
and
detection
logged, and
are
devices,
session) devices
modification
initiated.
inthe which
their
logs
orthat are
terminal
are then
sound
misuse of
· ISO/IEC 27001:2013 A.9.2.1, A.9.2.4, multi-factor
In the event
aggregated
window authentication
that
and an
stored active
in adoesorand
proprietarythe
inactive number
user
tool of
does unsuccessful
for reviewnot comply log-on
with
andorincident the attempts
above
investigation. is
stated
andIfThe
IA-1 AWS iffor
alarmsimplements
reviewed the
by
systems.
status.
door
the AWS
is
Security forced
formal, teamopen
documentedhowever
for ensure
orunauthorized
held open.
policies all sessions
attempts
and procedures are authenticated
suspicious
that provideactivity.
guidance
A.9.3.1, A.9.4.2, A.9.4.3, A.18.1.4 limited.
policy, All
their
hassecurityremote
account
implemented administrative
will aarebe locked.
session tolockaccess attempts are logged, and the logs are
AWS
have
Trained operational
strong
suspicious activity environment,
multi-factor
guards
is implementsauthentication
detected, stationed atout
include thepolicy
network
measures
building that
inand is security
place. systematically
entrance Refer24/7.to IA-2
If aenforced.
configuration, (1) for
door The
oriscage
more
· NIST SP 800-53 Rev. 4 AC-7, AC-8, AC- IA-10 for
N/Aoperations
reviewed
information
considered
details by theand
systems
confidential information
Security team the
information security
for incident
andwithin
a unauthorized
session response
lock
iscard
requiredthe
after procedures
organization
attempts
toaor or
period
be protected
are
ofand
suspicious initiated.
the
inactivity,
by supporting
activity.
asbe
employees If per
well as
within
AWS aondata
the
environments. MFA
center employed.
has a malfunctioning
Policies address purpose, reader
scope, PIN
roles, pad and
responsibilities cannot and
9, AC-11, AC-12, AC-14, IA-1, IA-2, IA-3, IA- IA-11 suspicious
in the
Amazon
N/A has case activity
of
data multiple is
classification detected,
log-in the
attempts,
... policies.
... incident response procedures are initiated.
... secured electronically, a security guard is posted at the door until it can be repaired.
... management commitment.
(Informative references, continued) ... 4, IA-5, IA-8, IA-9, IA-10, IA-11

All policies are maintained in a centralized location that is accessible by employees. Policies are reviewed by AWS leadership at least annually or following a significant change to the AWS environment.

IA-2: AWS controls access to systems through authentication that requires a unique user ID and password. AWS systems do not allow actions to be performed on the information system without identification or authentication. AWS has implemented a session lock out policy that is systematically enforced. The session lock is retained until established identification and authentication procedures are performed. AWS implements a session lock after a period of inactivity, as well as in the case of multiple log-in attempts, and limits the number of concurrent sessions that may exist.

IA-3: Several network fabrics exist at Amazon, each separated by boundary protection devices that control the flow of information between fabrics. The flow of information between fabrics is established by approved authorizations, which exist as access control lists (ACL) residing on these devices. ACLs are defined, approved by Amazon's Information Security team, managed and deployed using AWS's ACL-manage tool.

IA-4: AWS controls access to systems through authentication that requires a unique user ID and password. AWS systems do not allow actions to be performed on the information system without identification or authentication. AWS has implemented a session lock out policy that is systematically enforced. The session lock is retained until established identification and authentication procedures are performed.

IA-5: AWS controls access to systems through authentication that requires a unique user ID and password. AWS systems do not allow actions to be performed on the information system without identification or authentication. AWS has implemented a session lock out policy that is systematically enforced. The session lock is retained until established identification and authentication procedures are performed.

IA-8: AWS controls access to systems through authentication that requires a unique user ID and password. AWS systems do not allow actions to be performed on the information system without identification or authentication. AWS has implemented a session lock out policy that is systematically enforced. The session lock is retained until established identification and authentication procedures are performed.

IA-9: N/A

All AWS employees, vendors, and contractors who require a user account must be on-boarded through Amazon's HR management system. As part of the onboarding workflow, the direct manager of the employee, vendor, or contractor requests the establishment of a user account. Group or shared accounts are not permitted within the system boundary. The approved request serves as the approval to establish a user account. User access privileges are restricted based on business need and job responsibilities.

AWS employs the concept of least privilege, allowing only the necessary access for users to accomplish their job function. New user accounts are created to have minimal access. User access to AWS systems (for example, network, applications, tools, etc.) requires a documented approval from the authorized personnel (for example, user's manager and/or system owner) prior to access provisioning, and validation of the active user in the HR system. In the event that an active or inactive user does not comply with the above stated policy, their account will be locked.

Third party privileged access to AWS systems is allocated based on least privilege, approved by an authorized individual prior to access provisioning, and supervised by an AWS employee.

Duties and areas of responsibility (for example, access request and approval, change management request and approval, change development, testing and deployment, etc.) must be segregated across different individuals to reduce opportunities for an unauthorized or unintentional modification or misuse of AWS systems.

Approved firewall rule sets and access control lists between network fabrics restrict the flow of information to specific information system services. Access control lists and rule sets are reviewed and approved, and are automatically pushed to boundary protection devices on a periodic basis (at least every 24 hours) to ensure rule-sets and access control lists are up-to-date.

AWS implements least privilege throughout its infrastructure components. AWS prohibits all ports and protocols that do not have a specific business purpose. AWS follows a rigorous approach to minimal implementation of only those features and functions that are essential to use of the device. Network scanning is performed and any unnecessary ports or protocols in use are corrected.

Awareness and Training (PR.AT): The organization's personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.

PR.AT-1: All users are informed and trained
Informative References:
· CIS CSC 17, 18
· COBIT 5 APO07.03, BAI05.07
· ISA 62443-2-1:2009 4.3.2.4.2
· ISO/IEC 27001:2013 A.7.2.2, A.12.2.1
· NIST SP 800-53 Rev. 4 AT-2, PM-13
AWS Services/Resources: AWS Certifications, AWS Training, AWS Best Practices, AWS Reference Architectures, Customer Responsibility
AT-2: AWS has implemented formal, documented security awareness and training policy and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The security awareness and training policy and procedures are reviewed and updated at least annually, or sooner if required due to information system changes. The policy is disseminated through the internal Amazon communication portal to all employees, vendors, and contractors prior to receiving authorized access to the information system or performing assigned duties.
AWS has developed, documented, and disseminated security awareness and role-based security training for personnel responsible for designing, developing, implementing, operating, maintaining, and monitoring AWS systems. Training includes, but is not limited to, the following information (when relevant to the employee's role):
• Workforce conduct standards
• Candidate background screening procedures
• Clear desk policy and procedures
• Social engineering, phishing, and malware
• Data handling and protection
• Compliance commitments
• Security precautions while traveling
• How to report security and availability failures, incidents, concerns, and other complaints to appropriate personnel
• How to recognize suspicious communications and anomalous behavior in organizational information systems
• Practical exercises that reinforce training objectives
• International Traffic in Arms Regulations (ITAR) responsibilities
• Contingency planning
• Incident response
AWS captures and retains training records for at least five years.
PM-13: Role-based training is provided. Much of this training is provided on an ongoing basis via day-to-day interaction. Service teams have documented team-based and role-based training pages that provide new employees, contractors and vendors with the necessary role-based security-related training required to execute their job functions.

PR.AT-2: Privileged users understand roles & responsibilities
Informative References:
· CIS CSC 5, 17, 18
· COBIT 5 APO07.02, DSS05.04, DSS06.03
· ISA 62443-2-1:2009 4.3.2.4.2, 4.3.2.4.3
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
· NIST SP 800-53 Rev. 4 AT-3, PM-13
AT-3: AWS has implemented formal, documented security awareness and training policy and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The security awareness and training policy and procedures are reviewed and updated at least annually, or sooner if required due to information system changes. The policy is disseminated through the internal Amazon communication portal to all employees, vendors, and contractors prior to receiving authorized access to the information system or performing assigned duties. AWS has developed, documented, and disseminated security awareness and role-based security training for personnel responsible for designing, developing, implementing, operating, maintaining, and monitoring AWS systems. Training includes, but is not limited to, the topics listed under AT-2 for PR.AT-1 (when relevant to the employee's role). AWS captures and retains training records for at least five years.
PM-13: Role-based training is provided. Much of this training is provided on an ongoing basis via day-to-day interaction. Service teams have documented team-based and role-based training pages that provide new employees, contractors and vendors with the necessary role-based security-related training required to execute their job functions.

PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities
Informative References:
· CIS CSC 17
· COBIT 5 APO07.03, APO07.06, APO10.04, APO10.05
· ISA 62443-2-1:2009 4.3.2.4.2
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.1, A.7.2.2
· NIST SP 800-53 Rev. 4 PS-7, SA-9, SA-16
PS-7: AWS creates and maintains written agreements with third parties (e.g., contractors or vendors) in accordance with the work or service to be provided (e.g., network services agreement, service delivery agreement, or information exchange agreement) and implements appropriate relationship management mechanisms in line with their relationship to the business. Agreements cover, at a minimum, the following:
• Legal and regulatory requirements applicable to AWS
• User awareness of information security responsibilities and issues
• Arrangements for reporting, notification, and investigation of information security incidents and security breaches
• Target and unacceptable levels of service (e.g., SLA, Operational Level Agreement [OLA])
• Service continuity requirements (e.g., Recovery Time Objective [RTO]), in accordance with AWS business priorities
• Protection of Intellectual Property Rights (IPR) and copyright assignment
• Conditions for renegotiation/termination of the agreement
SA-9: AWS creates and maintains written agreements with third parties (e.g., contractors or vendors) in accordance with the work or service to be provided (e.g., network services agreement, service delivery agreement, or information exchange agreement) and implements appropriate relationship management mechanisms in line with their relationship to the business. Agreements cover, at a minimum, the items listed under PS-7.
SA-16: Service teams create the administrator or service documentation for their services and store the documents in internal AWS document repositories. Using these documents, teams provide initial training to new team members that covers their duties, on-call responsibilities, service delivery monitoring, metrics and alarms, along with intricacies of the service they are supporting. Once trained, service team members can assume on-call duties and be paged into an engagement as a resolver. In addition to the documentation stored in the repository, AWS also uses Engagement Drills and GameDay Exercises to train coordinators and Service Teams in their roles and responsibilities.

PR.AT-4: Senior executives understand roles & responsibilities
Informative References:
· CIS CSC 17, 19
· COBIT 5 EDM01.01, APO01.02, APO07.03
· ISA 62443-2-1:2009 4.3.2.4.2
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
· NIST SP 800-53 Rev. 4 AT-3, PM-13
AT-3: AWS has implemented formal, documented security awareness and training policy and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The security awareness and training policy and procedures are reviewed and updated at least annually, or sooner if required due to information system changes. The policy is disseminated through the internal Amazon communication portal to all employees, vendors, and contractors prior to receiving authorized access to the information system or performing assigned duties. The role-based security training and training topics listed under AT-2 for PR.AT-1 apply here as well.
PM-13: Role-based training is provided. Much of this training is provided on an ongoing basis via day-to-day interaction. Service teams have documented team-based and role-based training pages that provide new employees, contractors and vendors with the necessary role-based security-related training required to execute their job functions.

PR.AT-5: Physical and cybersecurity personnel understand roles & responsibilities
Informative References:
· CIS CSC 17
· COBIT 5 APO07.03
· ISA 62443-2-1:2009 4.3.2.4.2
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
· NIST SP 800-53 Rev. 4 AT-3, IR-2, PM-13
AT-3: AWS has implemented formal, documented security awareness and training policy and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The security awareness and training policy and procedures are reviewed and updated at least annually, or sooner if required due to information system changes. The policy is disseminated through the internal Amazon communication portal to all employees, vendors, and contractors prior to receiving authorized access to the information system or performing assigned duties. AWS has developed, documented, and disseminated security awareness and role-based security training for personnel responsible for designing, developing, implementing, operating, maintaining, and monitoring AWS systems. Training includes, but is not limited to, the topics listed under AT-2 for PR.AT-1 (when relevant to the employee's role), including contingency planning and incident response. AWS captures and retains training records for at least five years.
IR-2: AWS has implemented formal, documented security awareness and training policy and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The security awareness and training policy and procedures are reviewed and updated at least annually, or sooner if required due to information system changes. The policy is disseminated through the internal Amazon communication portal to all employees, vendors, and contractors prior to receiving authorized access to the information system or performing assigned duties. The role-based security training and training topics listed under AT-2 for PR.AT-1 apply here as well. AWS captures and retains training records for at least five years.
PM-13: Role-based training is provided. Much of this training is provided on an ongoing basis via day-to-day interaction. Service teams have documented team-based and role-based training pages that provide new employees, contractors and vendors with the necessary role-based security-related training required to execute their job functions.

Data Security (PR.DS): Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.

PR.DS-1: Data-at-rest is protected
Informative References:
· CIS CSC 13, 14
· COBIT 5 APO01.06, BAI02.01, BAI06.01, DSS04.07, DSS05.03, DSS06.06
· ISA 62443-3-3:2013 SR 3.4, SR 4.1
· ISO/IEC 27001:2013 A.8.2.3
· NIST SP 800-53 Rev. 4 MP-8, SC-12, SC-28
AWS Services/Resources: AWS Certifications, AWS Encryption Services (KMS/EBS/S3/EC-2/RDS/REDSHIFT/DYNAMO DB), Customer Responsibility
MP-8: N/A
SC-12: AWS establishes and manages cryptographic keys for required cryptography employed within the system boundary. AWS produces, controls, and distributes symmetric cryptographic keys using U.S. National Institute of Standards and Technology (NIST)-approved key management technology and processes in the AWS information system. An AWS-developed secure key and credential manager is used to create, protect, and distribute symmetric keys and is used to secure and distribute:
• AWS credentials needed on hosts
• RSA public/private keys
• X.509 certificates
Cryptographic keys are securely stored and periodically rotated.
SC-28: AWS treats all customer content and associated assets as highly confidential. AWS services are content agnostic in that they offer the same high level of security to all customers, regardless of the type of content being stored. We are vigilant about our customers' security and have implemented sophisticated technical and physical measures against unauthorized access. AWS has no insight as to what type of content the customer chooses to store in AWS, and the customer retains complete control of how they choose to classify their content, where it is stored, how it is used, and how it is protected from disclosure. AWS has implemented data handling and classification requirements that provide specifications around:
• Data encryption
• Content in transit and during storage
• Access
• Retention
• Physical controls
• Mobile devices
• Handling requirements

PR.DS-2: Data-in-transit is protected
Informative References:
· CIS CSC 13, 14
· COBIT 5 APO01.06, DSS05.02, DSS06.06
· ISA 62443-3-3:2013 SR 3.1, SR 3.8, SR 4.1, SR 4.2
· ISO/IEC 27001:2013 A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
· NIST SP 800-53 Rev. 4 SC-8, SC-11, SC-12
AWS Services/Resources: AWS Certifications, AWS Encryption Services (KMS/CloudHSM/EBS/S3/EC-2/RDS/REDSHIFT/DYNAMO DB), AWS ELB, Customer Responsibility
SC-11: N/A
SC-12: AWS establishes and manages cryptographic keys for required cryptography employed within the system boundary. AWS produces, controls, and distributes symmetric cryptographic keys using U.S. National Institute of Standards and Technology (NIST)-approved key management technology and processes in the AWS information system. An AWS-developed secure key and credential manager is used to create, protect, and distribute symmetric keys and is used to secure and distribute AWS credentials needed on hosts, RSA public/private keys, and X.509 certificates (the full SC-12 text under PR.DS-1 applies here). Cryptographic keys are securely stored and periodically rotated.
SC-8: AWS seeks to maintain data integrity during transmission, storage, and processing of customer content. AWS treats all customer content and associated assets as critical information. AWS services are content agnostic in that they offer the same high level of security to all customers, regardless of the type of content being stored. We are vigilant about our customers' security and have implemented sophisticated technical and physical measures against unauthorized access. AWS has no insight as to what type of content the customer chooses to store in AWS, and the customer retains complete control of how they choose to classify their content; where it is stored, used, archived; and how it is protected from disclosure.
Customer-provided content is validated for integrity, and corrupted or tampered data
is not written to storage. Amazon S3 uses checksums internally to confirm the
continued integrity of content in transit within the system and at rest. Amazon S3
provides a facility for customers to send checksums along with data transmitted to
the service. The service validates the checksum upon receipt of the data to determine
that no corruption occurred in transit. Regardless of whether a checksum is sent with
an object to Amazon S3, the service uses checksums internally. When disk
corruption or device failure is detected, the system automatically attempts to restore
normal levels of object storage redundancy. External access to content stored in
Amazon S3 is logged, and the logs are retained for at least 90 days. The logs include
relevant access request information, such as the accessor IP address, object, and
operation.
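The checksum facility described above, as an added example that is not part of the AWS document: the helpers compute the header values Amazon S3 expects (Content-MD5 is the base64 of the raw MD5 digest; x-amz-checksum-sha256 is the base64 of the raw SHA-256 digest), and validate_upload mirrors the service-side comparison that rejects a body altered in transit. The boto3 parameter names in the comment (ContentMD5, ChecksumSHA256) are an assumption about the SDK and should be checked against your installed version.

```python
import base64
import hashlib


def content_md5(body: bytes) -> str:
    """Content-MD5 header value: base64 of the raw 16-byte MD5 digest."""
    return base64.b64encode(hashlib.md5(body).digest()).decode("ascii")


def checksum_sha256(body: bytes) -> str:
    """x-amz-checksum-sha256 header value: base64 of the raw 32-byte SHA-256 digest."""
    return base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


def validate_upload(received: bytes, declared_md5=None, declared_sha256=None) -> bool:
    """Mirror of the service-side check: recompute every checksum the client declared
    over the bytes actually received and accept only if each one matches.
    With no declared checksum there is nothing to compare, so the body is accepted
    (S3 still checksums internally, but that is not modelled here)."""
    if declared_md5 is not None and content_md5(received) != declared_md5:
        return False
    if declared_sha256 is not None and checksum_sha256(received) != declared_sha256:
        return False
    return True


def demo() -> dict:
    # Constructed sample object body; not real customer data.
    body = b"sample object body for integrity check\n"
    md5_hdr = content_md5(body)
    sha_hdr = checksum_sha256(body)
    # Assumed boto3 call shape for sending both checksums with the object
    # (parameter names are an assumption about the SDK version in use):
    # s3.put_object(Bucket=bucket, Key=key, Body=body,
    #               ContentMD5=md5_hdr, ChecksumSHA256=sha_hdr)

    # Simulate a single bit flipped somewhere in transit.
    corrupted = bytearray(body)
    corrupted[0] ^= 0x01

    return {
        "intact_accepted": validate_upload(body, md5_hdr, sha_hdr),
        "corrupted_rejected": not validate_upload(bytes(corrupted), md5_hdr, sha_hdr),
    }


if __name__ == "__main__":
    print(demo())
```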
Like Amazon S3, Amazon Elastic Block Store (Amazon EBS) employs redundant
storage and data validation. To prevent data loss due to failure of any single
hardware component, each Amazon EBS volume is automatically replicated within
the same Availability Zone. Amazon EBS also provides the ability to create point-
in-time snapshots of volumes, which are persisted to Amazon S3. These snapshots
can be used as the starting point for new Amazon EBS volumes and to protect data
for long-term durability.

PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
Informative References:
· CIS CSC 1
· COBIT 5 BAI09.03
· ISA 62443-2-1:2009 4.3.3.3.9, 4.3.4.4.1
· ISA 62443-3-3:2013 SR 4.2
· ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.8.3.3, A.11.2.5, A.11.2.7
· NIST SP 800-53 Rev. 4 CM-8, MP-6, PE-16
AWS Services/Resources: AWS Certifications, AWS Best Practices, AWS Reference Architectures, AWS Trusted Advisor, AWS CloudFormation, AWS Config, AWS ConfigRules, AWS CloudTrail, Customer Responsibility
CM-8: In order to ensure asset management and inventory maintenance procedures are properly executed, AWS assets are assigned an owner and are tracked and monitored with AWS proprietary inventory management tools. AWS asset owner maintenance procedures are carried out by using a proprietary tool with specified checks that must be completed according to the documented maintenance schedule.
AWS has developed and documented an inventory of systems and devices within the AWS Authorization Boundary. AWS has developed and documents an inventory of the AWS Authorization Boundaries for Govcloud and East West separately. For continuous monitoring activities, AWS provides a system inventory to our FedRAMP accredited third-party auditors for validation on a monthly basis. Once validated, this list is provided to our Authorizing Official(s).
AWS has developed and documented an inventory of systems and devices within the system boundary. The inventory is stored in Amazon's proprietary Infra database. AWS provides an inventory to our FedRAMP accredited 3PAO for validation as part of AWS' Cloud services security assessment on a monthly basis, and supports continuous monitoring requirements. Additionally, AWS' inventory of systems and devices is validated by our 3PAO and provided to our Authorizing Official(s) on a monthly basis.
AWS employs various mechanisms to detect the addition of unauthorized information systems and devices into the system boundary. To prevent connections of unauthorized devices, all vacant ports in network devices are disabled by default.
MP-6: Data destruction: Content on drives is treated at the highest level of classification per AWS policy. Content is destroyed on storage devices as part of the decommissioning process in accordance with AWS security standards. Media handling controls for the data centers are developed and managed in alignment with the AWS Media Protection Policy. This policy includes procedures around access, marking, storage, transporting, and sanitation.
AWS hosts are securely wiped or overwritten prior to provisioning for reuse. AWS media is securely wiped or degaussed and physically destroyed prior to leaving AWS secure zones. To validate AWS's secure wipe processes and procedures, the third-party auditors review the guidance within the AWS media protection policy, observe degaussing equipment and secure shred bins located within secure zones (and these are tested as part of the review), and review historical tickets that tracked the destruction and removal of storage media from the facilities. Refer to the following AWS Audit Reports for additional details: PCI 3.2, ISO 27001, ISO 27017, NIST 800-53, SOC 2 COMMON CRITERIA.
PE-16: Environments used for delivery of the AWS services are managed by authorized personnel and are located in AWS managed data centers. Media transported outside of Data center secure zones is escorted by authorized personnel.

PR.DS-4: Adequate capacity to ensure availability is maintained
Informative References:
· CIS CSC 1, 2, 13
· COBIT 5 APO13.01, BAI04.04
· ISA 62443-3-3:2013 SR 7.1, SR 7.2
· ISO/IEC 27001:2013 A.12.1.3, A.17.2.1
· NIST SP 800-53 Rev. 4 AU-4, CP-2, SC-5
AWS Services/Resources: AWS Reference Architectures & Best Practices, AWS Trusted Advisor, AWS S3, Customer Responsibility
AU-4: AWS deploys monitoring devices throughout the environment to collect critical information on unauthorized intrusion attempts, usage abuse, and network and application bandwidth usage. Monitoring devices are placed within the AWS environment to detect and monitor for:
• Port scanning attacks
• Usage (CPU, Processes, disk utilization, swap rates, and errors in software generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when AWS monitoring tools show indications of compromise or potential compromise, based upon threshold alarming mechanisms determined by AWS service and Security teams.
CP-2: The AWS Business Continuity policy lays out the guidelines used to implement procedures to respond to a serious outage or degradation of AWS services, including the recovery model and its implications on the business continuity plan.
SC-5: AWS operates, manages, and controls the infrastructure components, from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate.

PR.DS-5: Protections against data leaks are implemented
Informative References:
· CIS CSC 13
· COBIT 5 APO01.06, DSS05.04, DSS05.07, DSS06.02
· ISA 62443-3-3:2013 SR 5.2
· ISO/IEC 27001:2013 A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3
· NIST SP 800-53 Rev. 4 AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-31, SI-4
AWS Services/Resources: Customer Responsibility for protection may be facilitated/enabled by employing AWS services to automatically detect, alert, contain and respond to events and/or incidents and report as required and perform leak mitigation - examples are services such as AWS GuardDuty, AWS Macie, AWS Security Groups, VPC, Config, ConfigRules, Cloud Watch, Cloud Trail, CloudFormation, Lambda, SNS, SQS, Big Data & Analytics, Machine Learning etc.
AC-4: Several network fabrics exist at Amazon, each separated by boundary protection devices that control the flow of information between fabrics. The flow of information between fabrics is established by approved authorizations, which exist as ACL residing on these devices. ACLs are defined, approved by Amazon's Information Security team, managed and deployed using AWS's ACL-management tool. Approved firewall rule sets and access control lists between network fabrics restrict the flow of information to specific AWS services. ACLs and rule sets are reviewed and approved and are automatically pushed to boundary protection devices on a periodic basis (at least every 24 hours) to ensure rule sets and access lists are up-to-date.
AC-5: Privileged access to AWS systems is assigned based on least privilege, approved by an authorized individual prior to access provisioning, and assigned a different user ID than used for normal business use. Duties and areas of responsibility (e.g., access request and approval, change management request and approval, change development, testing and deployment) are segregated across different individuals to reduce opportunities for an unauthorized or unintentional modification or misuse of AWS systems.
AC-6: Privileged access to AWS systems is assigned based on least privilege, approved by an authorized individual prior to access provisioning, and assigned a different user ID than used for normal business use. Duties and areas of responsibility (e.g., access request and approval, change management request and approval, change development, testing and deployment) are segregated across different individuals to reduce opportunities for an unauthorized or unintentional modification or misuse of AWS systems. AWS limits the access to system output devices to only authorized persons, in alignment with AWS policy.
External access to data stored in Amazon S3 is logged. The logs are retained for at least 90 days and include relevant access request information, such as the accessor IP address, object, and operation.
PE-19: N/A
Data deletion procedures for block device based storage (e.g., Amazon EBS, Amazon Relational Database Service [Amazon RDS], ephemeral drives): In order to ensure that customer content is properly erased, AWS wipes underlying storage media upon re-provisioning rather than upon de-provisioning. Processes that wipe new content upon release of an asset (e.g., stored in a volume, object) are less reliable than processes that wipe content upon provision clean to customers. Physical servers can reboot at any time for many reasons (e.g., power outage, system process interruption or failure), which might leave a wiping procedure in an incomplete state. Customers do not have access to block devices or physical media that was previously used to store another customer's content. Wiping devices within the system boundary
PS-3: Background checks are performed as part of AWS's hiring verification processes. The AWS Human Resources team is responsible for screening, which includes new hires, in accordance with corporate risk classification.
PS-6: Background checks include education, previous employment, and, in some cases, criminal and other background checks as permitted by law and regulation for employees commensurate with the employee's position and level of access to AWS systems. Employees are required to review and sign an employment contract and acknowledge their responsibilities for information security and compliance with company standards. All persons must, at a minimum, meet the screening process for pre-employment background checks and sign a Non-Disclosure Agreement (NDA) prior to being granted access to AWS information.
SC-7: Several network fabrics exist at Amazon, each separated by boundary protection devices that control the flow of information between fabrics. The flow of information between fabrics is established by approved authorizations, which exist as ACL residing on these devices. ACLs are defined, approved by
AWS implements least privilege throughout its infrastructure components. AWS prohibits all ports and protocols that do not have a specific business purpose. AWS follows a rigorous approach to minimal implementation of only those features and functions that are essential to use of the device. Network scanning
SC-8: AWS seeks to maintain data integrity during transmission, storage, and processing of customer content. AWS treats all customer content and associated assets as critical information. AWS services are content agnostic in that
SC-13: AWS is designed to protect the confidentiality and integrity of transmitted data through the comparison of a cryptographic hash of data transmitted. This is done to help ensure that the message is not corrupted or altered in transit. Data that has been corrupted or altered in transit is immediately rejected.
All requests to KMS are logged and available in an AWS CloudTrail bucket in Amazon S3. The logged requests provide information about who made the request, under which CMK, and will also describe information about the AWS resource that was protected through the use of
AWS provides several methods for customers to securely handle their data:
• Upon initial communication with an AWS-provided Windows Amazon Machine
SC-31: N/A
SI-4: AWS deploys monitoring devices throughout the environment to collect
is re-provisioned
the
they appropriate
sign
isterminal
CMK.
critical
is
an These
NDA
performed,
offer the
sufficient
sameprior
and
log
Image
information(AMI), AWS
onthe enables
unauthorized intrusion communication usage by configuring services
W W SC-16 to
N/A
any
ensure
Amazon’s
to being
events
high
that
unnecessary
level
are Information
granted
of
visible
previous
access.
ports
security toor
togenerating
the
content
Security
protocols
customer
all customers,team, cannot
in use
after and be
are
regardless
turning
recovered
managed
corrected.
on of AWSandabuse,
the
from
deployed
type
aand
CloudTrail
new network
of content
volume
using
in theirAWS’s
being
andor
W W W on the
object. instance
application
ACL-management
and
bandwidth tool. usage. a unique
Monitoring self-signed
devices areX.509
placed server
within certificate W account.
and stored.
We
Data are
delivering vigilant
deletion the for about
certificate’s
non-block our customers’
thumbprint
device security
to the For
services: andservices
user haveaimplemented
over trusted
such as channel.
Amazon sophisticated
S3 or
W W W Approvedand
technical firewall physical rulemeasures
sets and access against control
unauthorizedlists between access. network
AWS fabrics
has noobjects restrict
insight as
• AWS further
Amazon DynamoDB, enablescustomerssecure communicationnever see an with Linux
attached block AMIs device,by configuring
only
thewhat
to flowtype of information
of content to specific
the customer information
chooses systeminservices. ACLs and rule sets
Secure
and the Shell
are reviewed path to (SSH)
andthat on the
object
approved
instance,
(for
andexample a tabletoor
generating
are automatically
astore
unique
an item).
pushed
AWS,
host-key
to When
and
boundary a the
and customer
delivering
customer
protection
the
deletes
retains
key’s
an asset complete
fingerprint
in these control
to the user
services, of how overthey choose
a trusted to classify
channel. their content; where it is
devices
stored, on
used, a periodic
archived; basisthe (atdeletion
least isevery
of the24 mapping
hours) to between
ensure rule an asset
sets and identifier
accessor
Customer
key and theMaster
underlying Keys and (CMKs)
content how itused
begins protected
for
immediately. from disclosure.
cryptographic Once operations
the mapping in AWS is Key
removed,
control lists are up tocontent
Customer-provided date. is validated for integrity, and corrupted or tampered data
Management
the content is Service
no longer (KMS),
accessible including and cannotoperations by AWSby employees, are secured
AWS
is not implements
written least privilege
to storage. Amazonthroughout S3 itsbeinfrastructure
uses checksums
processed
internally
an application.
components.
to confirm AWS
the
byW both technical and operational controls. By design,
Wa specific no individual AWS employee
prohibits all
continued ports and
integrity protocols that
of content do within
not have business purpose.
AmazonAWS
can gain access to the physicalinCMK transit material in thethe system
service and dueat torest.hardening S3
follows aarigorous
provides approach to minimalto sendimplementation ofwith
onlydata thosetransmitted
features and
techniques facility such as for never customers
storing W plaintext checksums
master keys alongon persistent disk, using but to
functions
the that areservice
essential to use the of the device. Network scanning isdata
performed, and
not service.
persisting The them validates
in volatile memory, checksum
and limiting uponwhich receipt of the
users and to determine
systems can
any unnecessary
that no corruption ports or protocols in use are corrected.
connect to service occurred hosts. In addition,in transit. Regardless
multi-party of whether
access controls a checksum
are enforced is sent forwith
an object toonAmazon
operations S3, the service
the KMS-hardened uses checksums
security appliances internally.
that handleWhen plaintext diskCMKs in
corruption
memory. or device M failure is detected, the system automatically W attempts W to restore
normal levels of object storage redundancy. External access to content stored in
Amazon S3 is logged, and the logs are retained M for at least 90 days. The logs include
relevant access W request information, such as the accessor IP address,M object, and
operation. W
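The row above states that external access to S3 content is logged with the accessor IP address, object and operation. The following is an added example, not code from AWS or from this document, of turning those three fields into two data-leak checks a customer can run over their own S3 server access log deliveries: successful object reads from source addresses outside an expected CIDR allowlist, and unusually large read volume per requester. The log lines, the allowlist and the byte threshold are constructed for the example; the field order follows the S3 server access log format (bucket owner, bucket, [time], remote IP, requester, request ID, operation, key, "request-URI", HTTP status, error code, bytes sent, object size, ...), but only the leading fields are populated here.

```python
"""Added example (not AWS code): data-leak indicators from S3 server access logs."""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict

# Bracketed timestamps and quoted request URIs contain spaces, so the
# tokenizer treats each of them as one field.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Constructed sample log lines (not real log data); the IPs are documentation ranges.
SAMPLE_LOG_LINES = [
    'owner examplebucket [06/Feb/2019:00:00:38 +0000] 10.0.1.25 arn:aws:iam::111122223333:user/alice '
    '3E57427F REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - 52428800 52428800',
    'owner examplebucket [06/Feb/2019:00:01:02 +0000] 10.0.1.25 arn:aws:iam::111122223333:user/alice '
    '3E57427G REST.PUT.OBJECT reports/q2.csv "PUT /reports/q2.csv HTTP/1.1" 200 - - 1024',
    'owner examplebucket [06/Feb/2019:00:03:10 +0000] 198.51.100.7 arn:aws:iam::111122223333:user/bob '
    '3E57427H REST.GET.OBJECT exports/customers.parquet "GET /exports/customers.parquet HTTP/1.1" 200 - 734003200 734003200',
    'owner examplebucket [06/Feb/2019:00:03:11 +0000] 198.51.100.7 arn:aws:iam::111122223333:user/bob '
    '3E57427I REST.GET.OBJECT exports/orders.parquet "GET /exports/orders.parquet HTTP/1.1" 200 - 419430400 419430400',
    'owner examplebucket [06/Feb/2019:00:05:40 +0000] 10.0.1.30 - '
    '3E57427J REST.GET.OBJECT exports/orders.parquet "GET /exports/orders.parquet HTTP/1.1" 403 AccessDenied - 419430400',
]


def parse_access_log_line(line: str) -> dict:
    """Extract the fields the detection needs from one S3 server access log line."""
    f = _TOKEN.findall(line)
    if len(f) < 13:
        raise ValueError(f"short log line: {line!r}")
    return {
        "time": f[2].strip("[]"),
        "remote_ip": f[3],
        "requester": f[4],
        "operation": f[6],
        "key": f[7],
        "status": int(f[9]),
        # "-" means no body was sent (e.g. PUT or a denied request).
        "bytes_sent": 0 if f[11] == "-" else int(f[11]),
    }


def find_data_leak_indicators(lines: list[str], allowed_cidrs: list[str],
                              max_bytes_per_requester: int) -> list[dict]:
    """Flag successful object reads from outside the allowlist and bulk downloads.

    Only REST.GET.OBJECT with HTTP 200 can actually leak content, so denied
    requests and writes are ignored; they belong to a separate access-denied
    review, not to this check.
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings: list[dict] = []
    volume: dict[str, int] = defaultdict(int)
    for line in lines:
        rec = parse_access_log_line(line)
        if rec["operation"] != "REST.GET.OBJECT" or rec["status"] != 200:
            continue
        ip = ipaddress.ip_address(rec["remote_ip"])
        volume[rec["requester"]] += rec["bytes_sent"]
        if not any(ip in net for net in allowed):
            findings.append({"indicator": "external_source", "requester": rec["requester"],
                             "remote_ip": rec["remote_ip"], "key": rec["key"], "time": rec["time"]})
    for requester, total in volume.items():
        if total > max_bytes_per_requester:
            findings.append({"indicator": "bulk_download", "requester": requester, "bytes_sent": total})
    return findings


if __name__ == "__main__":
    for finding in find_data_leak_indicators(SAMPLE_LOG_LINES, ["10.0.0.0/8"], 1_000_000_000):
        print(finding)
```

On the sample lines the two reads by `user/bob` from 198.51.100.7 are reported individually as external-source reads and once more in aggregate as a bulk download, while the 403 from an internal address is skipped. Against real deliveries the allowlist should be the VPC and corporate egress ranges, and the threshold should be set from a baseline of normal per-principal read volume over the 90-day retention window the row mentions.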
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
Informative References: · CIS CSC 2, 3 · COBIT 5 APO01.06, BAI06.01, DSS06.02 · ISA 62443-3-3:2013 SR 3.1, SR 3.3, SR 3.4, SR 3.8 · ISO/IEC 27001:2013 A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4 · NIST SP 800-53 Rev. 4 SC-16, SI-7
AWS Services/Resources: AWS Certifications, AWS Resource Tagging, AWS Config, AWS Config Rules, AWS CloudFormation, AWS CloudTrail, AWS CloudWatch Logs, Customer Responsibility
NIST 800-53 Controls Alignment / AWS Responsibility:
SC-16: N/A
SI-7: AWS seeks to maintain data integrity during transmission, storage, and processing of customer content. AWS treats all customer content and associated assets as critical information. AWS services are content agnostic in that they offer the same high level of security to all customers, regardless of the type of content being stored. We are vigilant about our customers' security and have implemented sophisticated technical and physical measures against unauthorized access. AWS has no insight as to what type of content the customer chooses to store in AWS, and the customer retains complete control of how they choose to classify their content; where it is stored, used, and archived; and how it is protected from disclosure. Customer-provided content is validated for integrity, and corrupted or tampered data is not written to storage. Amazon S3 uses checksums internally to confirm the continued integrity of content in transit within the system and at rest. Amazon S3 provides a facility for customers to send checksums along with data transmitted to the service. The service validates the checksum upon receipt of the data to determine that no corruption occurred in transit. Regardless of whether a checksum is sent with an object to Amazon S3, the service uses checksums internally. When disk corruption or device failure is detected, the system automatically attempts to restore normal levels of object storage redundancy. External access to content stored in Amazon S3 is logged, and the logs are retained for at least 90 days. The logs include relevant access request information, such as the accessor IP address, object, and operation. Like Amazon S3, Amazon Elastic Block Store (Amazon EBS) employs redundant storage and data validation. To prevent data loss due to failure of any single hardware component, each Amazon EBS volume is automatically replicated within the same Availability Zone. Amazon EBS also provides the ability to create point-in-time snapshots of volumes, which are persisted to Amazon S3. These snapshots can be used as the starting point for new Amazon EBS volumes and to protect data for long-term durability.
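The SI-7 text above (and the SC-8 text in the preceding row) describes the same receive-side rule: a checksum sent with the data is validated before anything is written, data that fails validation is never stored, and stored content is re-checked so that corruption at rest is detected rather than served. The block below is an added example, not AWS code, showing that logic on an in-memory store; the store, its `corrupt` test hook and the sample object are constructed for the example. The real-world counterpart is passing a base64 SHA-256 digest as `ChecksumSHA256` (or a `Content-MD5` header) on an S3 `PutObject` call, which S3 validates the same way.

```python
"""Added example (not AWS code): checksum validation on receipt and on read."""
from __future__ import annotations

import base64
import hashlib
import hmac


class IntegrityError(ValueError):
    """Raised when received or stored bytes do not match their checksum."""


def sha256_b64(data: bytes) -> str:
    """Base64-encoded SHA-256 digest, the encoding S3 uses for x-amz-checksum-sha256."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


class ChecksummedStore:
    """Toy object store: every object is kept alongside the checksum computed on receipt."""

    def __init__(self) -> None:
        self._objects: dict[str, tuple[bytes, str]] = {}

    def put(self, key: str, data: bytes, client_checksum: str | None = None) -> str:
        """Store `data` under `key`; reject the write if the client's checksum disagrees.

        The service always computes its own digest, so an object without a
        client checksum is still protected at rest. compare_digest avoids a
        timing side channel on the comparison.
        """
        computed = sha256_b64(data)
        if client_checksum is not None and not hmac.compare_digest(client_checksum, computed):
            raise IntegrityError(f"checksum mismatch for {key!r}: data not written")
        self._objects[key] = (data, computed)
        return computed

    def get(self, key: str) -> bytes:
        """Return the object after re-verifying the stored bytes against their checksum."""
        data, expected = self._objects[key]
        if not hmac.compare_digest(sha256_b64(data), expected):
            raise IntegrityError(f"stored object {key!r} failed integrity check")
        return data

    def has(self, key: str) -> bool:
        return key in self._objects

    def corrupt(self, key: str, offset: int) -> None:
        """Flip one bit of a stored object to simulate disk corruption (test hook only)."""
        data, expected = self._objects[key]
        buf = bytearray(data)
        buf[offset] ^= 0x01
        self._objects[key] = (bytes(buf), expected)


def demo() -> dict:
    """Walk through the three cases: intact upload, tampered upload, corruption at rest."""
    store = ChecksummedStore()
    payload = b"constructed sample object body"          # constructed sample data
    stored_checksum = store.put("reports/q1.csv", payload, sha256_b64(payload))

    tampered_rejected = False
    try:  # checksum computed over different bytes than those sent: must be refused
        store.put("reports/q2.csv", payload, sha256_b64(payload + b"x"))
    except IntegrityError:
        tampered_rejected = True

    store.corrupt("reports/q1.csv", 0)
    corruption_detected = False
    try:  # the bit flip must be caught on read instead of being returned as valid data
        store.get("reports/q1.csv")
    except IntegrityError:
        corruption_detected = True

    return {
        "stored_checksum": stored_checksum,
        "tampered_upload_rejected": tampered_rejected,
        "q2_absent": not store.has("reports/q2.csv"),
        "corruption_detected": corruption_detected,
    }


if __name__ == "__main__":
    print(demo())
```

The important property is the second case: a mismatch leaves no object behind at all, which is what "corrupted or tampered data is not written to storage" has to mean in practice. A store that wrote first and flagged later would expose the bad bytes to any reader between the write and the check.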
PR.DS-7: The development and testing environment(s) are separate from the production environment
Informative References: · CIS CSC 18, 20 · COBIT 5 BAI03.08, BAI07.04 · ISO/IEC 27001:2013 A.12.1.4 · NIST SP 800-53 Rev. 4 CM-2
AWS Services/Resources: AWS VPC, Security Groups, ACLs/Customer Responsibility, AWS EC2, AWS IAM, AWS CloudTrail, AWS CloudWatch, AWS S3, AWS SNS, AWS Config, AWS AutoScaling, AWS Lambda, AWS ELB, AWS RDS
NIST 800-53 Controls Alignment / AWS Responsibility:
CM-2: AWS has established formal policies and procedures to provide employees with a common baseline for information security standards and guidance. The AWS Information Security Management System (ISMS) policy establishes guidelines for protecting the confidentiality, integrity, and availability of customers' systems and content. Maintaining customer trust and confidence is of the utmost importance to AWS. AWS works to comply with applicable federal, state, and local laws, statutes, ordinances, and regulations concerning security, privacy, and data protection of AWS Cloud services in order to minimize the risk of accidental or unauthorized access or disclosure of customer content.
PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity
Informative References: · COBIT 5 BAI03.05 · ISA 62443-2-1:2009 4.3.4.4.4 · ISO/IEC 27001:2013 A.11.2.4 · NIST SP 800-53 Rev. 4 SA-10, SI-7
NIST 800-53 Controls Alignment / AWS Responsibility:
SA-10: AWS Service teams create administrator documentation for their services and store the documents in internal AWS document repositories. Using these documents, teams provide initial training to new team members that covers their job duties, on-call responsibilities, service-specific monitoring metrics and alarms, along with the intricacies of the service they are supporting. Once trained, service team members can assume on-call duties and be paged into an engagement as a resolver. In addition to the documentation stored in the repository, AWS also uses Engagement Drills and GameDay Exercises to train coordinators and Service Teams in their roles and responsibilities.
SI-7: AWS seeks to maintain data integrity during transmission, storage, and processing of customer content; the integrity controls described under PR.DS-6 (checksum validation on receipt, internal checksums at rest, automatic restoration of storage redundancy on disk corruption or device failure, and EBS replication and snapshots) apply here as well.
Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained
Informative References: · CIS CSC 3, 9, 11 · COBIT 5 BAI10.01, BAI10.02, BAI10.03, BAI10.05 · ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3 · ISA 62443-3-3:2013 SR 7.6 · ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4 · NIST SP 800-53 Rev. 4 CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10
NIST 800-53 Controls Alignment / AWS Responsibility:
CM-2: AWS has established formal policies and procedures to provide employees with a common baseline for information security standards and guidance. The AWS Information Security Management System (ISMS) policy establishes guidelines for protecting the confidentiality, integrity, and availability of customers' systems and content. Maintaining customer trust and confidence is of the utmost importance to AWS. AWS works to comply with applicable federal, state, and local laws, statutes, ordinances, and regulations concerning security, privacy, and data protection of AWS Cloud services in order to minimize the risk of accidental or unauthorized access or disclosure of customer content.
CM-3: AWS applies a systematic approach to managing change to ensure that all changes to the AWS environment are reviewed, tested, and approved. The AWS change management approach requires that the following steps be complete before a change is deployed:
1. Document and communicate the change via the appropriate AWS change management tool.
2. Plan implementation of the change and rollback procedures to minimize disruption.
3. Test the change in a logically segregated, non-production environment.
4. Complete a peer review of the change with a focus on business impact and technical rigor. The review should include a code review.
5. Attain approval for the change by an authorized individual.
In order to validate that changes follow the standard change management procedures, all changes to the AWS environment are reviewed on at least a monthly basis. An audit trail of the changes is maintained for at least one year. AWS maintains processes to detect unauthorized changes made to the environment. Any exceptions are analyzed to determine the root cause. Appropriate actions are taken to bring the change into compliance or roll back the change, if necessary. Actions are then taken to address and remediate the process or people issue.
CM-4: Changes are tested in a logically segregated, non-production environment and peer reviewed for business impact and technical rigor, including a code review, before they are deployed (steps 3 and 4 above).
CM-5: Approval for a change to the production environment must be attained from an authorized individual and is recorded in the AWS change management tool. AWS operates, manages, and controls the infrastructure components, from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate.
CM-6: AWS applies the same systematic change management approach to the configuration of its infrastructure components: all changes are reviewed, tested, and approved before deployment.
CM-7: AWS implements the least functionality principle throughout its infrastructure components. Services, network devices, and servers in production are implemented with minimal functionality.
CM-9: AWS has established and maintains a company-wide policy that defines roles, responsibilities, and classifications for managing changes to the production environment. Service teams create software packages containing only the services needed for the device to perform its function, and follow secure software development procedures to ensure that appropriate security controls are incorporated into the application design.
SA-10: AWS Service teams create administrator documentation for their services and store the documents in internal AWS document repositories. Using these documents, teams provide initial training to new team members that covers their job duties, on-call responsibilities, service-specific monitoring metrics and alarms, along with the intricacies of the service they are supporting. Once trained, service team members can assume on-call duties and be paged into an engagement as a resolver. In addition to the documentation stored in the repository, AWS also uses Engagement Drills and GameDay Exercises to train coordinators and Service Teams in their roles and responsibilities.
PR.IP-2: A System Development Life Cycle to manage systems is implemented
Informative References: · CIS CSC 18 · COBIT 5 APO13.01, BAI03.01, BAI03.02, BAI03.03 · ISA 62443-2-1:2009 4.3.4.3.3 · ISO/IEC 27001:2013 A.6.1.5, A.14.1.1, A.14.2.1, A.14.2.5 · NIST SP 800-53 Rev. 4 PL-8, SA-3, SA-4, SA-8, SA-10, SA-11, SA-12, SA-15, SA-17, SI-12, SI-13, SI-14, SI-16, SI-17
AWS Services/Resources: AWS Certifications, AWS Best Practices, AWS Reference Architectures, AWS Trusted Advisor, AWS CloudFormation, AWS Config, AWS Config Rules, AWS CloudTrail, Customer Responsibility
NIST 800-53 Controls Alignment / AWS Responsibility:
PL-8: AWS maintains a systematic approach to planning and developing new services for the AWS environment to ensure that the quality and security requirements are met with each release. AWS's strategy for the design and development of services is to clearly define services in terms of customer use cases, service performance, marketing and distribution requirements, production and testing, and legal and regulatory requirements.
SA-3: AWS's development, test, and production environments are logically separated. In order to apply changes to production environments, AWS service teams must first run a full set of tests in the test environment, and the testing methodology must be documented. All changes to the AWS environment follow the change management approach described under PR.IP-1 (CM-3): they are documented, planned with rollback procedures, tested in a logically segregated non-production environment, peer reviewed (including a code review), and approved by an authorized individual before deployment. All changes are reviewed on at least a monthly basis, and an audit trail of the changes is maintained for at least one year.
SA-4: Requirements and service specifications are established during service development, taking into account legal and regulatory requirements, customer contractual commitments, and the requirements to meet the confidentiality, integrity, and availability of the service. Service reviews are completed as part of the development process. AWS maintains processes to ensure that the quality and security requirements are met with each release.
SA-8: All services follow secure software development practices. Prior to launch, each of the following requirements must be complete: a security risk assessment, threat modeling, security design reviews, secure code reviews, security testing, and vulnerability/penetration testing. All endpoints are tested as part of AWS vulnerability scans.
SA-10: AWS Service teams create administrator documentation for their services and store the documents in internal AWS document repositories, and use them to train new team members (see PR.DS-8).
SA-11: In order to reduce the risks of unauthorized access to the production environment, the development and test environments are logically separated from production. New applications must participate in an AWS Security review, which includes registering the application, initiating the application risk classification, participating in the architecture review and threat modeling, performing code review, and performing a penetration test.
SA-12: Key suppliers are identified and chosen by their ability to provide a defined service to AWS. Qualified suppliers are added to the approved supplier list maintained by the AWS supplier management team. Through the use of established assessment procedures, the quality of AWS suppliers is reviewed independently, including through third-party assessments. The extent of assessment for a supplier is dependent upon the significance of the product and/or service purchased and, where applicable, upon previously demonstrated quality performance. All purchased materials and services are controlled through purchasing documents; the component/material specification and service requirements are specified in the purchasing documents, and purchase orders and/or contracts convey the degree of control AWS establishes with its suppliers to ensure quality products and/or services. AWS maintains standard contract review and signature processes that include legal review. Facilities, equipment, and software components are labeled or marked by identifiers.
SA-15: AWS has implemented a secure software development process and global privacy and data protection best practices in order to help customers establish, operate, and leverage our security control environment.
SA-17: AWS continuously monitors the AWS production environment to ensure that changes are managed in accordance with AWS Change Management guidelines (see PR.IP-1, CM-3). Under the shared responsibility model, customers assume responsibility for and management of the guest operating system (including updates and security patches), other associated application software, and the configuration of the AWS-provided security group firewalls.
SI-12: AWS treats all customer content and associated assets as highly confidential. AWS gives customers ownership and control over their content by design through simple but powerful tools that allow customers to determine where their content will be stored, secure their content in transit or at rest, and manage access to their AWS services and resources.
SI-13: N/A
SI-14: N/A
SI-16: Different instances running on the same physical machine are isolated from each other via the Xen hypervisor. AWS is active in the Xen community, which provides awareness of the latest developments. In addition, the Amazon EC2 firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface. All packets must pass through this layer, thus an instance's neighbors have no more access to that instance than any other host on the Internet and can be treated as if they are on separate physical hosts. The physical Random-Access Memory (RAM) is separated using similar mechanisms.
SI-17: N/A
PR.IP-3: Configuration change control processes are in place
Informative References: · CIS CSC 3, 11 · COBIT 5 BAI01.06, BAI06.01 · ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3 · ISA 62443-3-3:2013 SR 7.6 · ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4 · NIST SP 800-53 Rev. 4 CM-3, CM-4, SA-10
AWS Services/Resources: AWS Resource Tagging, AWS Config, AWS Config Rules, AWS CloudFormation, AWS CloudTrail, AWS CloudWatch & CloudWatch Logs, Customer Responsibility
NIST 800-53 Controls Alignment / AWS Responsibility:
CM-3: AWS applies a systematic approach to managing change to ensure that all changes to the AWS environment are reviewed, tested, and approved. The AWS change management approach requires that the following steps be complete before a change is deployed:
1. Document and communicate the change via the appropriate AWS change management tool.
2. Plan implementation of the change and rollback procedures to minimize disruption.
3. Test the change in a logically segregated, non-production environment.
4. Complete a peer review of the change with a focus on business impact and technical rigor. The review should include a code review.
5. Attain approval for the change by an authorized individual.
Changes are tracked such that quality-impacting issues and errors are traceable to related processes. AWS employs a shared responsibility model for security: AWS operates, manages, and controls the infrastructure components, from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate.
CM-4: Service reviews are completed as part of the development process. Prior to launch, each of the following requirements must be complete:
• Security Risk Assessment
• Threat modeling
• Security design reviews around: data encryption; content in transit and during storage; access; retention; physical controls; availability
• Secure code reviews
• Security testing
• Vulnerability/penetration testing
Where appropriate, a continuous deployment methodology is conducted to ensure changes are automatically built, tested, and pushed to production, with the goal of eliminating as many manual steps as possible. Continuous deployment seeks to eliminate the manual nature of this process and automate each step.
SA-10: AWS Service teams create administrator documentation for their services and store the documents in internal AWS document repositories. Using these documents, teams provide initial training to new team members that covers their job duties, on-call responsibilities, service-specific monitoring metrics and alarms, along with the intricacies of the service they are supporting.
PR.IP-4: Backups of information are CIS CSC 10 The
eliminating AWSinbusiness as initial
many continuity
manual planasdetails
steps possible. the three-phased
Continuous approach that
deployment AWS to has
10
facilities
••teams
3. Retention
Testprovide
Security the
which
testing
change
the services
in training
aandlogically tooperate.
new team
segregated, members
non-production that covers their jobseeks duties, on-
conducted, maintained, and tested · COBIT 5 APO13.01, DSS01.01, DSS04.07 CP-6 developed
Within
•eliminate
Secure
Physical anycode
theto
controls
reviews
recover
single
manual AWS nature reconstitute
region of thisthere themultiple
are
process AWS infrastructure:
and automate facilities eachorenvironment.
data
step,centersallowing called service
periodically · ISA 62443-2-1:2009 4.3.4.3.9 •call
4.
Availability
responsibilities,
Vulnerability/penetration
Complete
Security
Activation a peer
testing
and
Zones.
service
review
inNotification
Each data
specific
testing
of the
Phase
center change monitoring
is built withtoaidentical metrics
focus on and business
in aphysical,
alarms, impactalongand
environmental,
with the
CP-9 •teams
AWS Mobile to standardize
Services
devices the process
production and
isoperations increase
aare the
andefficiency
managed mannerwithtwo which
that they
preserves ofdeploy
thetheir
· ISA 62443-3-3:2013 SR 7.3, SR 7.4 •Each
intricacies
technical
and
Amazon
Recovery
security
of
rigor.
Vulnerability/penetration
PhasetheEBS
standardsThe volume
servicereviewin and
they
an should
testingstored
are
active-active
as
supporting.
include file,
a codeOnce
configuration.
AWS
trained,
review. creates
System
service copies
team members
PR.IP-5: Policy and regulations · COBIT
ISO/IEC527001:2013
DSS01.04, DSS05.05
A.12.3.1, A.17.1.2, AWS Certifications PE-10 •code.
confidentiality,
EBS
can
•5.
The Attain
In continuous
Handling
volume
assume
AWS
Reconstitution
requirements
approval
data
integrity
forcenter
on-call Phasefor
deployment,
redundancy.
dutiesthe and
change
electrical Both
bepoweran
availability.
paged
by
entire
copies
an into release
AWS
reside
authorized
systems an are hasinprocess
implemented
the
engagement same
individual.
designed
is as
to abemanagement
aAvailability
"pipeline"
secure software
resolver.
fully
containing
Zone,
In addition
redundant
activities
"stages”.
development
however, arewhile performed
procedures by
that AWS
inare personnel
followed towho ensure are alsocleared
appropriate and authorized
security to
controlsis work are
regarding the physical operating ·A.17.1.3,
ISA 62443-2-1:2009
A.18.1.3 4.3.3.3.1 4.3.3.3.2, to
In
and
This the
order tosovalidate
documentation
maintainable
approach ensures Amazon
that
without storedchanges
that EBS
impact
AWS the replication
to repository,
follow operations,
performs can
the system AWS
standard 24survive change
hours hardware
uses
a day. Engagement
management
Power failure; to AWS itDrills not and
data
within
incorporated
suitable AWS data
into centers.
the applicationThere forare design.no alternate
Asandpart ofrecovery
data thecenters and
application in reconstitution
the sense
design of
process,
environment for organizational assets 4.3.3.3.3,
· NIST4.3.3.3.5, 4.3.3.3.6
SP 800-53 Rev. 4 CP-4, CP-6, CP-9 GameDay
procedures,
centers
efforts
traditional
AWS
new isasaprovided
in
host
applications
an allavailability
Exercises
methodicalchanges
cold/warm/hot
configuration must
to
through to tool
train
sequence,the
sites
settings
participate
coordinators
localAWS prolonged
power environment
maximizing
maintained
are
in providers.
monitored
an AWS
outages
Service
the
in application
the
Security
areIn or
effectiveness
toevent
validate
disaster
Teams
reviewed
the event
oflevel,
review
inon
acompliance of
Continuity
recovery
their
including
at roles
theleast
disruption, purposes.
recovery
of
with
aand monthly
UPS
Operations
AWS
registering and
We
responsibilities.
basis. recommend
Ansituation.
auditbackup that
trail you
of thereplicate
changes data at
is maintained the for a centers,
least inone and/or
year. create
are met · ISO/IEC 27001:2013 A.11.1.4, A.11.2.1, units
reconstitution
(COOP)
security
the
backups.
provide
standards
application,
Amazon
efforts All
and
initiating
EBS
power
and
AWS
automatically
the
provides
or
minimizing
data critical
centers
application
snapshots
and
system
pushed are
riskessential
thattooutage
live the data loads
host
classification,
capture
time due
fleet.
the
theto
and
Firewall
participating
data storedall AWS
facility
errors and the
and
relevant
policies
onin an Any
A.11.2.2, A.11.2.3 maintains
generators
omissions.
security processes
are
controls used areandtoto detect
provide
applicable unauthorized
backup
across power
all AWSchanges
for the made
entire to the
facility. environment.
(configuration
architecture
Amazon EBS reviewfiles) are automatically
threat modeling, pushedperforming todatafirewall centers.
code devices
review,AWS personnel
every
and 24(for
performinghours.with a
· NIST SP 800-53 Rev. 4 PE-10, PE-12, PE- exceptions
Each
AWS
approved Availability
maintains arevolume
logical analyzedZone
aaccess
ubiquitousatis a designed
to
are
specific
determine
security
capable
point
ofthe
as an in
controlroot time.cause.
independent
providing
If the
environment
remote
volume
Appropriate
failure across
support
is corrupt
zone. actions
toallAutomated
regions.
other are taken
facilitiesEach as to
penetration
example, due test. to customer
system failure), or
13, PE-14, PE-15, PE-18 bring
processes the change into compliance ordataroll from
backthe ittheis deleted,
change, ifyou incan therestore
necessary. ofthe
inActions are
data
necessary.
In order
volume
center tomove
from
is built
validate
snapshots.
tothat physical, trafficenvironmental,
changes away
follow from
the standard affected
and security
change area standards
management case an a failure.
active-
then
active taken to address
configuration, andAmazon
employing remediate an EBS thesnapshots
n+1 process
redundancy orare AWSissue.
people objects to system
which IAM
procedures,
Customers
users, groups, alland
assume changes to
responsibility
roles can the beAWS and
assigned production
management
permissions, ofmodel
environment thethat
so
toare
guest ensure
only reviewed
operating
authorized on users
system at least
availability
a monthly.
(including in the
An auditand eventtrail of
of component
the changes failure.
patches),isother Components
maintained (N)
for aapplication have
least a year. at least one
can
independent access updatesAmazon
backup EBS
security
component backups. (+1), so the backup
associated
component is activeand
software, as
in the
well as the configuration of the AWS-provided security group firewalls other
PE-12 operation
The
Emergency
security, AWSchange even
data
changes if all follow
center other
management, electricalcomponents
the and power
AWS are fully
systems
incident
logging functional.
are
response
features. designed Intoorder
procedures. be fully to eliminate
redundant
Exceptions to
PE-13 single
and
the change
Each points
maintainable
AWS of failure,
management
data without
center isthis modeltoare
impact
processes
evaluated isto applied
operations,
documented
determine throughout
24the hours
and AWS,
a day.
escalated
controls that including
Power
to
must AWS tobeAWSnetwork data
and
centers
management.
implemented data is center
provided implementation.
to mitigate, through local All
prepare, monitor, power data centers
providers.
and respond are In online
the eventand
to natural serving
of disruption,
disasters traffic; orUPS no
PE-14 Each
data
units AWS is
center
provide data “cold.”
backup centerpower In iscase
evaluated
of
or failure,
critical to determine
andthere is
essential the loads
sufficient controls capacity
in thatfacility
the must
to be
enableand traffic
malicious actstothat
implemented may occur.
mitigate, prepare, Controls
monitor, implemented
and respond to to address
natural environmental
disasters or risks
PE-15 Each
to
generators
Refer
can include, be AWS
load-balanced
to the data
are used
following
butthat center
aremay to
to is
the
provide
AWS
not limited evaluated
remaining backup
Audit to
Reportsdetermine
sites.
power
to, the following: forfor the
additional controls
entire that
facility.
details: must
HKMA be TM-G-1,
malicious
implemented acts
Availability to mitigate,Zone occur.
is prepare,
designed Controls
monitor,
as an implemented
andand
independent respond to address
to
failure natural
zone. environmental
disasters
Automated or risks
PE-18 Each
•PCI
can AWS AWS
3.2, ISOdata
data
include, 27001,
centers
but center
are ISO
are
not isequipped
evaluated
27017,
limited to,HIPAA,
withto determine
the sensors IRAP,
following: themaster
NIST controls
800-53,shutoffthatSOC must
valves beto detect
2 COMMON
malicious
processes
implemented
CRITERIA,
the presence acts
move SOCtothat
of 1may
customer
mitigate,
water. & occur.
traffic
prepare,
2equipped
CONTROLS
Mechanisms Controls
away
monitor,
are implemented
from
in the respond
and
place affected
to to to address
area in the
natural environmental
case of
disasters to adetect
or risks
failure.
PR.IP-6: Data is destroyed according to · COBIT 5 BAI09.03, DSS05.06 AWS Certifications, Customer Responsibility MP-6 Data
• AWS
can destruction:
data centers
include, butthat areContent
are
not on drives
limited to,withtheis treated
sensors
following: atand theremove
highest
master water
level in
shutoff of order
classification
valves to prevent
policy · ISA 62443-2-1:2009 4.3.4.4.4 malicious
any additional acts ofwater may damage. occur. Controls implemented to address part environmental risks
••per
the
can AWSAWS
presence
data
include,
Automatic
policy.
centers
but
fire
Content
water.
are are
not
detection
is destroyed
Mechanisms
equipped
limited
and to, withareon
the
suppression
in
sensorsstorage
placeand
following:equipment
todevices
remove
master has
aswater
shutoff
been
ofvalves
in
installed
the to
order to detect
to
prevent
reduce
· ISA 62443-3-3:2013 SR 4.2 decommissioning
any presence additionalofwater process
damage. in accordance inwith AWS security standards.
· ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, •the
risk
AWS
• Automatic AWS and data
notify
hosts are centers
fire
water.
the
securelyAWSare
detection
Mechanisms
equipped
Security
wiped witharesensors
Operations
or overwritten
and suppression
place and
Centerto remove
master
and
prior to provisioning
equipment
water
shutoff
emergency
has been installed
invalves
order
responders
for reuse.
to detect
to prevent
to reduce AWS in
any
the additional
presence
event of a of water
water.
fire. The damage.
Mechanisms
fire detection are in
system place uses to remove
smoke water
detection in order
sensors to prevent
(e.g.,
A.8.3.2, A.11.2.7 •media
risk and is notify
Theadditional
data securely
center wiped
AWS or
theelectrical degaussed
Security
power Operations
systems and physically
areCenterdesigned destroyed
and emergency prior to leaving
responders in
· NIST SP 800-53 Rev. 4 MP-6 any
Very
AWS
the event Early
secure ofSmoke water
azones.
fire. The damage.
Detection fire detectionApparatus system [VESDA], pointtodetectionbe fully
source redundant
detection) in andall data
maintainable
•center Automatic
environments, without
fire detection impact
mechanical and tosuppression
operations,
and electrical 24uses
equipmenthours smoke a has
infrastructure day.been UPS unitssensors
installed
spaces, provide
chillerto
(e.g.,
reduce
rooms,
To
Very
backup validate
Earlypower AWS’s
Smoke in secure
Detection wipe an processes
of Apparatus and procedures,
[VESDA], forpoint third-party
source detection) auditors in allindata
risk
and
review
center andenvironments,
notify
generator
the guidance thethe
equipment AWS event
within Security
rooms.
mechanical the
electrical
AWS Operations
These
and mediaareas
electrical
failureCenter
are
protection protected critical
and
infrastructure policy, byand
emergency either essential
observe
spaces, responders
wet-pipe, loads
degaussing
chiller rooms, in
the
the facility.
event
double-interlocked of Data
a fire. centers
The fire
pre-action, usedetection
generators
or gaseous systemto sprinkler
provide
uses backup
smoke
systems. power
detection for the
sensors entire
(e.g.,
equipment and secure shred bins
and generator equipment rooms. These areas are protected by either wet-pipe, located within AWS facilities, and review
•facility.
Very The Early
historical datatickets Smoke
center that Detection
electricaltracked powerApparatus
the systems
or destruction [VESDA],
areand designed pointtosource
removal bestorage
of fully detection)
redundant
mediaand in
from all the
and data
•double-interlocked
center Availability
maintainable environments, Zones
without
pre-action,
areimpact physically
mechanical to
gaseous
andseparated
operations,
sprinkler
electrical 24 within systems.
aa metropolitan
infrastructure
hours day. UPS spaces,
units region
chiller
provide are in
rooms,
environment.
• The dataflood
different center electrical power systems are designed to be fully redundant and
plains.
and
backup
Data
maintainablegenerator
powerwithout
deletion equipment
in
for the
block event rooms.
device
impact of to anbasedThese
electrical
operations, areas
storage are
failure
24(e.g.,hoursprotected
for acritical
Amazon day. by either
and
EBS,
UPS wet-pipe,
essential
Amazon
units provide loads
Relationalin
• Each
the Availability
double-interlocked
facility. Data Zone
pre-action,
centers is designed
use orelectrical
generatorsgaseous as an independent
to sprinkler
provide systems.
backup failure
power zone. for Automated
the thatentire
Database
backup Service
power in [Amazon
the event RDS],
of an ephemeral failuredrives): for In
criticalorder and to ensure
essential loads in
•processes
The
facility.
customer
the facility.
move
datacontentcenter
Data centers
customer
electrical
is properly
traffic away
usepower erased,
generators systems
AWS
fromare thedesigned
wipes
to provide
affectedtoarea
backup be
underlying power
in
fully
storage
theredundant
case of a failure.
for media
the entire uponandre-
maintainable
• Climate control
provisioning
facility. without
rather is than impact
required operations,
upontode-provisioning.
maintain 24 hours
a constant Processes a day.that
operating UPS units
temperature
wipe provide
content forupon servers
backup
•and
release other
Climate power
of hardware,
an asset
control in the is(e.g.,event
which
required of
volume, toanmaintain
prevents electrical
object) a failure
overheating
are less and
constant foroperating
reliable critical
reduces thanand the essential
possibility
processes
temperature that loads
for of
only inre-
servers
the
service
provision
and facility.
other outages. Datastorage
clean
hardware, centers
Data which touse
centers generators
are conditioned
customers.
prevents to provide
Physical
overheating toservers
and backup
maintain power
canatmospheric
reduces reboot for
at any
the possibility the entire
conditions
time offor at
facility.
specified
many
service reasons levels.
outages. (e.g.,Personnel
Data power centers andaresystems
outage, system
conditioned monitor
process and
to maintain control
interruption temperature
atmosphericor failure), and
which at
conditions
•specified
mightClimate
humidity leave control
at appropriate
a wiping
levels. is required
Personnel levels.
procedure and to This
maintain
in anisincomplete
systems a constant
provided
monitor at operating
N+1
state.
and and also
Customers
control temperature
uses
temperature do freenot and for servers
cooling
have as
and
primary
access
humidity other hardware,
tosource
block
at of
devices
appropriate which
cooling or prevents
when
physical
levels. andmedia
This overheating
iswhere
provided it iswas
that atand
available reduces
previously
N+1 and basedalsothe on
used possibility
uses local
tofreestorecooling of
another as
service
environmental
customer’s
primary outages.
source content. ofData
conditions. centers
Wiping
cooling when areand
blocks conditioned
atwhere
the time it istocapacity
maintain
available atmospheric
is based on localconditions
re-provisioned is sufficient at
specified
to ensure levels.
• Availability
environmental that Zones the Personnelare physically
previous
conditions. and systems
content separated
cannot monitor within
be recovered and acontrol fromtemperature
metropolitan a new region volume andandor are in
humidity
•different
object.
Availability at appropriate
flood plains.are levels.
Zones physically Thisseparated
is provided within at N+1 and also usesregion
a metropolitan free cooling
and are as in
primary
• Eachdeletion
Data
different source
Availability
floodfor ofnon-block
plains. cooling
Zone iswhen designed
device andservices:
where itFor
as an independent is available
servicesfailure based
such as onAmazon
zone. localAutomated S3 or
environmental
•processes
Amazon moveconditions.
DynamoDB,
Each Availability customerZone istraffic
customers designed away
never asfrom
see antheattached
an independent affectedblock area device,
failure inzone.
the case onlyofobjects
Automated a failure.
•processes
Availability
and the path move toZones that
customer are physically
object (for example
traffic away separated a table
from within
the or an aitem).
affected metropolitan
area Whenin thea regioncustomer
case ofand are in
deletes
a failure.
different
an asset inflood theseplains. services, the deletion of the mapping between an asset identifier or
• Each
key andAvailability
the underlying Zone is designed
content beginsasimmediately.
an independent Once failure zone. Automated
the mapping is removed,
processes
the contentmove is nocustomer longer accessible traffic away and from cannot thebeaffected
processed areabyinantheapplication.case of a failure.

PR.IP-7: Protection processes are continuously improved
Informative References: · COBIT 5 APO11.06, APO12.06, DSS04.05 · ISA 62443-2-1:2009 4.4.3.1, 4.4.3.2, 4.4.3.3, 4.4.3.4, 4.4.3.5, 4.4.3.6, 4.4.3.7, 4.4.3.8 · ISO/IEC 27001:2013 A.16.1.6, Clause 9, Clause 10 · NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-8, PL-2, PM-6
AWS Services/Resources: AWS Certifications, Customer Responsibility
NIST 800-53 Controls Alignment: CA-2, CA-7, CP-2, IR-8, PL-2, PM-6
AWS Responsibility:
CA-2 The AWS Compliance Assessment Team (CAT) maintains a documented audit schedule of internal and external assessments to ensure implementation and operating effectiveness of the AWS control environment to meet business, regulatory, and contractual objectives. Additionally, annual security assessments are conducted by an accredited Third-Party Assessment Organization (3PAO) to validate that implemented security controls continue to be effective. Security control assessments that include a risk analysis and a Plan of Action and Milestones (POA&M) are submitted to authorizing officials for review and approval.
Refer to the following AWS Audit Reports for additional details: PCI 3.2, ISO 27001, ISO 27017, NIST 800-53, SOC 2 COMMON CRITERIA.
CA-7 AWS conducts monthly monitoring of its security posture through a continuous risk assessment and monitoring process.
CP-2 The AWS Business Continuity policy lays out the guidelines used to implement procedures to respond to a serious outage or degradation of AWS services, including the recovery model and its implications on the business continuity plan.
IR-8 AWS has implemented a formal, documented incident response policy and program. The policy addresses purpose, scope, roles, responsibilities, and management commitment. AWS uses a three-phased approach to manage incidents:
1. Activation and Notification Phase – Incidents for AWS begin with the detection of an event. Events originate from several sources such as:
• Metrics and alarms – AWS maintains an exceptional situational awareness capability; most issues are rapidly detected from 24x7x365 monitoring and al, and alarming of real time metrics and service dashboards. The majority of incidents are detected in this manner. AWS uses early indicator alarms to proactively identify issues that may ultimately impact customers.
• Trouble tickets entered by an AWS employee.
• Calls to the 24x7x365 technical support hotline.
If the event meets incident criteria, the relevant on-call support engineer uses AWS's event management tool system to start an engagement and page relevant program resolvers (e.g., AWS Security). The resolvers will perform an analysis of the incident to determine if additional resolvers should be engaged and to determine the approximate root cause.
2. Recovery Phase – The relevant resolvers will perform break fix to address the incident. After addressing troubleshooting, break fix and affected components, the call leader will assign follow-up documentation and follow-up actions and end the call engagement.
3. Reconstitution Phase – The call leader will declare the recovery phase complete after the relevant fix activities have been addressed. The post mortem and deep root cause analysis of the incident will be assigned to the relevant team. The results of the post mortem will be reviewed by relevant senior management and actions captured in a Correction of Errors (COE) document and tracked to completion.
To ensure the effectiveness of the AWS incident response plan, AWS conducts incident response testing. This testing provides excellent coverage for the discovery of previously unknown defects and failure modes. In addition, it allows the AWS Security and service teams to test the systems for potential customer impact and further prepare staff to handle incidents such as detection and analysis, containment, eradication, and recovery, and post-incident activities. The incident response test plan is executed annually, in conjunction with the incident response plan. The test plan includes multiple scenarios, potential vectors of attack, and the inclusion of the systems integrator in reporting and coordination (when applicable), as well as varying reporting/detection avenues (i.e. cu
PL-2 The needs and expectations of internal and external parties are considered throughout the development, implementation, and auditing of the AWS control environment. Parties include, but are not limited to:
• AWS customers, including customers with a contractual interest and potential customers.
• External parties to AWS, including regulatory bodies such as the external auditors and certifying agents.
• Internal parties such as AWS services and infrastructure teams, security, legal, and overarching administrative corporate teams.
PM-6 N/A

NIST 800-53 Controls Alignment: AC-21, CA-7, SI-4

AWS Services/Resources: AWS Certifications, Customer Responsibility
NIST 800-53 Controls Alignment: CP-2, CP-7, CP-12 N/A, CP-13 N/A, IR-7, IR-8, IR-9, PE-17

AWS Services/Resources: AWS Certifications, Customer Responsibility
NIST 800-53 Controls Alignment: CP-4, IR-3, PM-14 N/A

AWS Services/Resources: AWS Certifications, Customer Responsibility
NIST 800-53 Controls Alignment: PS-1, PS-2, PS-3, PS-4, PS-5, PS-6, PS-7, PS-8, SA-21 N/A

AWS Services/Resources: AWS Certifications, Customer Responsibility
NIST 800-53 Controls Alignment: RA-3, RA-5, SI-2

NIST 800-53 Controls Alignment: MA-2, MA-3, MA-5, MA-6
repairs of industrial control and information system components is performed consistent with policies and procedures.

PR.MA-2: Remote maintenance of · CIS CSC 3, 5 AWS Certifications, AWS IAM, CloudTrail, MA-4 AWS monitors and performs preventative maintenance of electrical and mechanical
organizational assets is approved, · COBIT 5 DSS05.04 AWS CloudWatch & CloudWatch Logs, AWS equipment to maintain the continued operability of systems within AWS data
logged, and performed in a manner that · ISA 62443-2-1:2009 4.3.3.6.5, 4.3.3.6.6, Config, AWS Config Rules, Customer centers.
prevents unauthorized access 4.3.3.6.7, 4.3.3.6.8 Responsibility In order to ensure maintenance procedures are properly executed, AWS assets are
· ISO/IEC 27001:2013 A.11.2.4, A.15.1.1, assigned an owner and are tracked and monitored with AWS proprietary inventory
A.15.2.1 management tools. AWS asset owner procedures are carried out by method of using
· NIST SP 800-53 Rev. 4 MA-4 a proprietary tool with specified checks that must be completed according to the
documented maintenance schedule.
Third-party auditors test AWS equipment maintenance controls by validating that
the asset owner is documented and that the condition of the assets is visually
inspected according to the documented maintenance policy.

Protective Technology PR.PT-1: Audit/log records are · CIS CSC 1, 3, 5, 6, 14, 15, 16 AWS Resource Tagging, AWS Config, AWS AU-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual
(PR.PT): Technical determined, documented, implemented, · COBIT 5 APO11.04, BAI03.05, DSS05.04, Config Rules, AWS Cloud Formation, AWS agreements and obligations through the following activities:
security solutions are and reviewed in accordance with policy DSS05.07, MEA02.01 CloudTrail, AWS CloudWatch & CloudWatch 1) Identifies and evaluates applicable laws and regulations for each of the
managed to ensure the · ISA 62443-2-1:2009 4.3.3.3.9, 4.3.3.5.8, Logs, Customer Responsibility jurisdictions in which AWS operates.
security and resilience 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 2) Documents and implements controls to ensure conformity with all statutory,
of systems and assets, · ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR regulatory, and contractual requirements relevant to AWS.
consistent with related 2.10, SR 2.11, SR 2.12 3) Categorizes the sensitivity of information according to the AWS information
policies, procedures, · ISO/IEC 27001:2013 A.12.4.1, A.12.4.2, security policies to protect from loss, destruction, falsification, unauthorized access,
and agreements. A.12.4.3, A.12.4.4, A.12.7.1 and unauthorized release.
· NIST SP 800-53 Rev. 4 AU Family 4) Informs and continually trains personnel that must be made aware of information
security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process
in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal,
regulatory, and contractual requirements. Should a new security directive be issued,
AWS has documented plans in place to implement that directive with designated
timeframes.
AWS provides customers with evidence of its compliance with applicable legal,
regulatory, and contractual requirements through audit reports, attestations,
certifications, and other compliance enablers. Visit
https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless
otherwise prohibited by law. AWS provides customers with the ability to comply
with their legal, regulatory and contractual agreements and obligations.

AU-2 AWS deploys monitoring devices throughout the environment to collect critical
information on unauthorized intrusion attempts, usage abuse, and network and
application bandwidth usage. Monitoring devices are placed within the AWS
environment to detect and monitor for:
• Port scanning attacks
• Usage (CPU, Processes, disk utilization, swap rates, and errors in software
generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools show
indications of compromise or potential compromise, based upon threshold alarming
mechanisms determined by AWS service and Security teams.
External access to data stored in Amazon S3 is logged. The logs are retained for at
least 90 days and include relevant access request information such as the data
accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s AWS
CloudTrail bucket in Amazon S3. The logged requests provide information about
who made the request and under which CMK and will also describe information
about the AWS resource that was protected through the use of the CMK. These log
events are visible to the customer after turning on AWS CloudTrail in their account.
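The KMS entries described above arrive as ordinary CloudTrail records (eventSource "kms.amazonaws.com", the caller in userIdentity.arn, the CMK in resources, the protected resource in requestParameters.encryptionContext, and errorCode on refused calls). The following added example, which is not part of this AWS document and not AWS-provided tooling, parses a constructed log file of that shape and answers the three questions the text says the logs exist for: who used which CMK for what, which resources the key protected, and which calls were denied. The sample account id, ARNs, addresses and the helper and function names are assumptions made for the example.

```python
import json
from collections import Counter

KMS_SOURCE = "kms.amazonaws.com"
KMS_KEY_TYPE = "AWS::KMS::Key"
# Placeholder CMK ARN for the constructed sample (not a real key).
SAMPLE_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-1"


def _event(source, name, caller, ip, context=None, error=None, key=SAMPLE_KEY):
    """Build one CloudTrail record in the shape the service writes (constructed data)."""
    rec = {
        "eventTime": "2024-01-01T10:00:00Z",
        "eventSource": source,
        "eventName": name,
        "userIdentity": {"type": "IAMUser", "arn": caller},
        "sourceIPAddress": ip,
        "requestParameters": {"encryptionContext": context} if context else None,
        "resources": [{"type": KMS_KEY_TYPE, "ARN": key}] if source == KMS_SOURCE else [],
    }
    if error:
        rec["errorCode"] = error
    return rec


# Constructed log file content ({"Records": [...]}); account id, ARNs and IPs are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    _event(KMS_SOURCE, "Decrypt", "arn:aws:iam::111122223333:user/alice", "203.0.113.10",
           {"aws:s3:arn": "arn:aws:s3:::example-bucket/report.csv"}),
    _event(KMS_SOURCE, "GenerateDataKey", "arn:aws:iam::111122223333:role/app-role", "10.0.1.25",
           {"aws:ebs:id": "vol-0example"}),
    _event(KMS_SOURCE, "Decrypt", "arn:aws:iam::111122223333:user/bob", "198.51.100.7",
           {"aws:s3:arn": "arn:aws:s3:::example-bucket/report.csv"}, error="AccessDenied"),
    _event("ec2.amazonaws.com", "DescribeInstances", "arn:aws:iam::111122223333:user/alice",
           "203.0.113.10"),
]})


def load_records(log_text):
    """Return the list of CloudTrail records from one log file's JSON text."""
    return json.loads(log_text).get("Records", [])


def kms_records(records):
    """Keep only events issued to the KMS endpoint; other services are ignored."""
    return [r for r in records if r.get("eventSource") == KMS_SOURCE]


def key_arns(record):
    """CMK ARNs named in a record's resources list."""
    return [res["ARN"] for res in record.get("resources", []) if res.get("type") == KMS_KEY_TYPE]


def summarize_kms_usage(records):
    """Count successful KMS calls per (CMK, caller ARN, API action)."""
    usage = Counter()
    for rec in kms_records(records):
        if rec.get("errorCode"):
            continue  # failed calls are reported by denied_kms_calls()
        caller = rec.get("userIdentity", {}).get("arn", "<unknown>")
        for arn in key_arns(rec):
            usage[(arn, caller, rec["eventName"])] += 1
    return usage


def protected_resources(records):
    """Map each CMK to the resources it protected, taken from the encryption context."""
    protected = {}
    for rec in kms_records(records):
        ctx = (rec.get("requestParameters") or {}).get("encryptionContext") or {}
        for arn in key_arns(rec):
            protected.setdefault(arn, set()).update(ctx.values())
    return protected


def denied_kms_calls(records):
    """Failed KMS calls: who was refused, for which action and key, from where."""
    denied = []
    for rec in kms_records(records):
        if not rec.get("errorCode"):
            continue
        denied.append({
            "time": rec.get("eventTime"),
            "caller": rec.get("userIdentity", {}).get("arn"),
            "action": rec.get("eventName"),
            "keys": key_arns(rec),
            "source_ip": rec.get("sourceIPAddress"),
            "error": rec.get("errorCode"),
        })
    return denied


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for (key, caller, action), n in sorted(summarize_kms_usage(recs).items()):
        print(f"{key}  {caller}  {action}  x{n}")
    for key, resources in protected_resources(recs).items():
        print(f"{key} protected: {sorted(resources)}")
    for d in denied_kms_calls(recs):
        print("DENIED", d)
```

A real trail delivers these files gzip-compressed under the account's CloudTrail prefix in the Amazon S3 bucket named above; decompressing each object and passing its text to load_records is the only change needed. Denied calls are reported separately from the usage counts because a refused Decrypt against a CMK is the signal worth alerting on, while successful use is what the retention requirement under AU-2 is about.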

AU-3 AWS deploys monitoring devices throughout the environment to collect critical
AU-4 information
AWS deploys onmonitoring
unauthorized devicesintrusion attempts,
throughout theusage abuse, and
environment network
to collect and
critical
application bandwidth
information onmonitoring
unauthorized usage.intrusion Monitoring devicesusage
attempts, are placedabuse,withinand the AWS
network and
AU-5 AWS
environment deploys to detect and devices
monitor throughout
for: devices the environment to collect critical
application
information bandwidth
onmonitoring
unauthorized usage. Monitoring
intrusion attempts, are placedabuse,within the AWS
AU-6 • Port deploys
AWS
environment scanning to attacks
detect and devices
monitor throughout
for: theusageenvironment and network
to collect and
critical
application
• Port Usage (CPU, bandwidth
Processes, usage. disk Monitoring
utilization, devices
swap are placed
rates, and within
errors in the AWS
software
AU-7 •information
AWS
environment scanning
deploys onmonitoring
unauthorized intrusion attempts, usage abuse, and network and application bandwidth usage. Monitoring devices are placed within the AWS environment to detect and monitor for:
• Port scanning attacks
• Usage (CPU, Processes, disk utilization, swap rates, and errors in software generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools show indications of compromise or potential compromise, based upon threshold alarming mechanisms determined by AWS service and Security teams.

AU-8 AWS has implemented internal clocks synchronized via Network Time Protocol (NTP) or comparable source to generate time stamps for audit records.

AU-9 AWS has implemented processes to protect audit information and audit tools from unauthorized access, modification, and deletion.

AU-10 Third-party testing of AWS’s non-repudiation control validates that the system is configured to automatically synchronize with approved stratum-1 time sources. Audit records contain a set of data elements in order to support necessary analysis requirements. In addition, audit records are available to authorized users for inspection or analysis on demand. Audit records are retained in a central log archival storage system. The central log archival system protects against an individual falsely denying having performed a particular action.

AU-11 Amazon Simple Storage Service (Amazon S3) Application Programming Interfaces (APIs) provide both bucket- and object-level controls, with defaults that only permit authenticated access by the bucket and/or object creator. External access to data stored in Amazon S3 is logged. The logs are retained for at least 90 days and include relevant access request information, such as the data accessor IP address, object, and operation.

AU-12 AWS deploys monitoring devices throughout the environment to collect critical information on unauthorized intrusion attempts, usage abuse, and network and application bandwidth usage. Monitoring devices are placed within the AWS environment to detect and monitor for:
• Port scanning attacks
• Usage (CPU, Processes, disk utilization, swap rates, and errors in software generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools show indications of compromise or potential compromise, based upon threshold alarming mechanisms determined by AWS service and Security teams. Attributes are attached to each log file, as is the authlog auditing that is performed in response to security-related or business-impacting events.
External access to data stored in Amazon S3 is logged. The logs are retained for at least 90 days and include relevant access request information, such as the data accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s AWS CloudTrail bucket in Amazon S3. The logged requests provide information about who made the request and under which CMK and will also describe information about the AWS resource that was protected through the use of the CMK. These log events are visible to the customer after turning on AWS CloudTrail in their account.
The fundamental mechanism used by the central log archival system is the log: a chunk of arbitrary data with the following attributes attached:
• Log Id: Unique identifier (assigned by the system)
• Log Group: the group to which the log belongs
• Name: (any user-defined text, does not need to be unique)
• Start time: the time at which log began recording (inclusive)
• End time: the time at which log stopped recording (exclusive) - must be greater than the start time
• Searchable Keys: A set of Key-Value pairs. Keys are strings of up to 50 characters in length and values are strings of up to 200 characters in length. The Searchable Keys allow you to define the dimensions along which your logs are organized and provide values for those dimensions. There are no schemata in the system - rather, each log can have any set of keys.
Once a log is stored, the name, start time, end time, or data cannot be changed. Logs are symmetrically encrypted using AES-128 encryption before transmitting. Logs are securely transmitted to S3 over an encrypted SSL/TLS session (see SC-8 for information related to protection of data in transit).

PR.PT-2: Removable media is protected and its use restricted according to policy
· CIS CSC 8, 13
· COBIT 5 APO13.01, DSS05.02, DSS05.06
· ISA 62443-3-3:2013 SR 2.3
· ISO/IEC 27001:2013 A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.9
· NIST SP 800-53 Rev. 4 MP-2, MP-3, MP-4, MP-5, MP-7, MP-8
MP-2 Environments used for the delivery of AWS services are managed by authorized personnel and are located in AWS managed data centers. Media handling controls for the data centers are managed by AWS in alignment with the AWS Media Protection Policy. This policy includes procedures around access, marking, storage, transporting, and sanitation.
MP-3 Environments used for the delivery of AWS services are managed by authorized personnel and are located in AWS managed data centers. Media handling controls for the data centers are managed by AWS in alignment with the AWS media protection policy. This policy includes procedures for access control, media marking, storage, transportation, and sanitation.
MP-4 Environments used for the delivery of AWS services are managed by authorized personnel and are located in AWS managed data centers. Media handling controls for the data centers are managed by AWS in alignment with the AWS media protection policy. This policy includes procedures for access control, media marking, storage, transportation, and sanitation.
MP-5 Environments used for the delivery of AWS services are managed by authorized personnel and are located in AWS managed data centers. Media handling controls for the data centers are managed by AWS in alignment with the AWS media protection policy. This policy includes procedures for access control, media marking, storage, transportation, and sanitation.
MP-7 Live media transported outside of data center secure zones is escorted by authorized personnel. Portable storage devices (e.g. external hard drives, floppy disks, tapes, compact discs, digital video discs, USB flash/thumb drives, diskettes except for those that are part of an approved device, such as a flash card that is part of a networking router) are not permitted for use within AWS production environments (e.g., the system boundary).
MP-8 N/A
N/A

PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality
· CIS CSC 3, 11, 14
· COBIT 5 DSS05.02, DSS05.05, DSS06.06
· ISA 62443-2-1:2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7
· ISO/IEC 27001:2013 A.9.1.2
· NIST SP 800-53 Rev. 4 AC-3, CM-7
AC-3 AWS employs the concept of least privilege, allowing only the necessary access for users to accomplish their job function. New user accounts are created to have minimal access. User access to AWS systems (e.g., network, applications, tools) requires documented approval from the authorized personnel (e.g., user’s manager and/or system owner) and validation of the active user in the Amazon Human Resources system. Access to systems and tools is restricted to authorized groups. The addition of members into a group must be reviewed and approved by authorized individuals who confirm the user’s need for access to the environment. Baselining of groups (e.g., reviewing of existing members in the group for their continued need for access) occurs every 90 days by the manager and is enforced by the access control tool which provides automated notification to the manager.
CM-7 AWS implements the least functionality principle throughout its infrastructure components. Network devices and servers are implemented with minimal functionality, and service teams add only software and packages and services needed for the device to perform its function.

PR.PT-4: Communications and control networks are protected
· CIS CSC 8, 12, 15
· COBIT 5 DSS05.02, APO13.01
· ISA 62443-3-3:2013 SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
· ISO/IEC 27001:2013 A.13.1.1, A.13.2.1, A.14.1.3
· NIST SP 800-53 Rev. 4 AC-4, AC-17, AC-18, CP-8, SC-7, SC-19, SC-20, SC-21, SC-22, SC-23, SC-24, SC-25, SC-29, SC-32, SC-36, SC-37, SC-38, SC-39, SC-40, SC-41, SC-43
AWS Certifications, AWS VPC, Security Groups, ACL's, VPC Flowlogs, Customer Responsibility
AC-4 Several network fabrics exist at Amazon, each separated by boundary protection devices that control the flow of information between fabrics. The flow of information between fabrics is established by approved authorizations, which exist as ACL residing on these devices. ACLs are defined, approved by appropriate Amazon’s Information Security team, and managed and deployed using AWS’s ACL-management tool. Approved firewall rule sets and access control lists between network fabrics restrict the flow of information to specific information system services. ACLs and rule sets are reviewed and approved and are automatically pushed to boundary protection devices on a periodic basis (at least every 24 hours) to ensure rule sets and access control lists are up to date.
AC-17 Remote access to AWS production environments is limited to defined security groups. Remote access requires multi-factor authentication over an approved cryptographic channel for authentication. AWS employs automated mechanisms to facilitate the monitoring and control of remote access methods. Auditing occurs on the systems and devices, which are then aggregated and stored in a proprietary tool for review and incident investigation. All remote administrative access attempts are logged and limited to a specific number of attempts. Auditing logs are reviewed on a periodic basis by the AWS Security team for unauthorized attempts or activity. In the event that suspicious activity is detected, security incident response procedures are initiated.
AC-18 Remote access to AWS production environments is limited to defined security groups. The AWS operational environment, to include security configuration, is considered confidential information and is required to be protected per the Amazon data classification policies.
CP-8 The AWS business continuity plan details the three-phased approach that AWS has developed to recover and reconstitute the AWS infrastructure:
• Activation and Notification Phase
• Recovery Phase
• Reconstitution Phase
This approach ensures that AWS performs system recovery and reconstitution efforts in a methodical sequence, maximizing the effectiveness of the recovery and reconstitution efforts and minimizing system outage time due to errors and omissions.
AWS maintains a ubiquitous security control environment across all regions. Each data center is built to physical, environmental, and security standards in an active-active configuration, employing an n+1 redundancy model to ensure system availability in the event of component failure. Components (N) have at least one independent backup component (+1), so the backup component is active in the operation even if all other components are fully functional. In order to eliminate single points of failure, this model is applied throughout AWS, including network and data center implementation. All data centers are online and serving traffic; no data center is “cold.” In case of failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
SC-7 Several network fabrics exist at Amazon, each separated by boundary protection devices that control the flow of information between fabrics. The flow of information between fabrics is established by approved authorizations, which exist as ACL residing on these devices. ACLs are defined, approved by appropriate Amazon’s Information Security team, and managed and deployed using AWS’s ACL-management tool. Approved firewall rule sets and access control lists between network fabrics restrict the flow of information to specific information system services. ACLs and rule sets are reviewed and approved and are automatically pushed to boundary protection devices on a periodic basis (at least every 24 hours) to ensure rule sets and access control lists are up to date. AWS implements least privilege throughout its infrastructure components. AWS prohibits all ports and protocols that do not have a specific business purpose. AWS follows a rigorous approach to minimal implementation of only those features and functions that are essential to use of the device. Network scanning is performed, and any unnecessary ports or protocols in use are corrected.
SC-19 Voice over Internet Protocol (VoIP) is not employed within the system boundary; as such, this control is not applicable.
SC-20 Since AWS does not resolve to GC.CA domain names for government users, the implementation of DNSSEC is not applicable.
SC-21 Customer provided.
SC-22 DNS systems and devices within the system boundary collectively provide the name/address resolution service, are fault tolerant, and implement internal/external role separation. Fault tolerance is implemented by multiple servers using weighted round-robin DNS (rrDNS). Monitoring and alarming of DNS servers is in place, which monitors CPU, load, and disk space. Alerts are generated and sent to an appropriate personnel to alarm when thresholds are surpassed (i.e. high error rates, disk utilization). Role separation is implemented for the internal and external DNS servers. Internal DNS is separated from External DNS services. A DNS Master zone transfers with a DNS slave. Slave zones are then propagated via Notify and AXFR/IXFR to multiple server slave zones. External DNS is hosted externally by UltraDNS.
SC-23 AWS is designed to protect the confidentiality and integrity of transmitted data through a comparison of a cryptographic hash of data transmitted. This is done to help ensure that the message is not corrupted or altered in transit. Data that has been corrupted or altered in transit is immediately rejected. AWS provides several methods for customers to securely handle their data:
• Upon initial communication with an AWS-provided Windows Amazon Machine Image (AMI), AWS enables secure communication by configuring Windows Terminal Services on the instance and generating a unique self-signed X.509 server certificate and delivering the certificate’s thumbprint to the user over a trusted channel.
• AWS further enables secure communication with Linux AMIs by configuring Secure Shell (SSH) on the instance, generating a unique host-key and delivering the key’s fingerprint to the user over a trusted channel.
AWS provides a facility for customers to send checksums along with data transmitted to the service. The service validates the checksum upon receipt of the data to determine that no corruption occurred in transit. Regardless of whether a checksum is sent with an object to Amazon S3, the service utilizes checksums internally to confirm the continued integrity of content in transit within the system and at rest. When disk corruption or device failure is detected, the system automatically attempts to restore normal levels of object storage redundancy. Content is validated for integrity, and corrupted or tampered data is not written to storage.
Customer Master Keys (CMKs) used for cryptographic operations in AWS Key Management Service (KMS), including operations by AWS employees, are secured by both technical and operational controls. By design, no individual AWS employee can gain access to the physical CMK material in the service due to hardening techniques such as never storing plaintext master keys on persistent disk, using but not persisting them in volatile memory, and limiting which users and systems can connect to service hosts. In addition, multi-party access controls are enforced for operations on the KMS-hardened security appliances that handle plaintext CMKs in memory.
SC-24 Network devices, including firewall and other system boundary devices are configured to fail securely in the event of an operational failure. Boundary firewalls and load balancer devices are set to fail to deny all until the device’s functionality is restored.
SC-25 N/A
SC-29 N/A
SC-32 N/A
SC-36 N/A
SC-37 N/A
SC-38 N/A
SC-39 Amazon EC2 currently uses a highly customized version of the Xen hypervisor, taking advantage of paravirtualization (in the case of Linux guests). Because paravirtualized guests rely on the hypervisor to provide support for operations that normally require privileged access, the guest operating system has no elevated access to the CPU. The CPU provides four separate privilege modes: 0-3, called rings. Ring 0 is the most privileged and 3 the least. The host operating system executes in Ring 0. However, rather than executing in Ring 0 as most operating systems do, the guest operating system runs in a lesser-privileged Ring 1 and applications in the least privileged Ring 3. This explicit virtualization of the physical resources leads to a clear separation between guest instances and the hypervisor, resulting in additional security given the separation between the two.
SC-40 N/A
SC-41 N/A
SC-43 N/A
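The transmission-integrity behaviour described under SC-23 above, as an added illustration that is not code from this page or from AWS: the sender attaches a checksum, the service recomputes it on receipt and rejects corrupted data, and at rest it keeps redundant copies that a scrub verifies against the stored checksum and repairs. The store class, replica count, and sample object are constructed for this example; it does not model the real Amazon S3 API.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

REPLICAS = 3  # constructed N+1 replica count for this model, not an AWS figure


class IntegrityError(Exception):
    """Raised when data fails its checksum, in transit or at rest."""


def content_checksum(data: bytes) -> str:
    """Checksum the sender attaches and the service recomputes on receipt."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class StoredObject:
    digest: str  # checksum the service recorded when it accepted the object
    replicas: List[bytes] = field(default_factory=list)


class ChecksummedStore:
    """Toy object store: reject corrupted uploads, scrub and repair replicas at rest."""

    def __init__(self) -> None:
        self.objects: Dict[str, StoredObject] = {}
        self.rejected = 0
        self.repaired = 0

    def put(self, key: str, data: bytes, declared: Optional[str]) -> str:
        """Accept an upload. A client-sent checksum must match; either way the
        service records its own checksum for later at-rest verification."""
        actual = content_checksum(data)
        if declared is not None and declared != actual:
            self.rejected += 1
            raise IntegrityError(f"{key}: declared {declared[:8]} != actual {actual[:8]}")
        self.objects[key] = StoredObject(actual, [bytes(data) for _ in range(REPLICAS)])
        return actual

    def get(self, key: str) -> bytes:
        """Serve the first replica whose checksum still matches the recorded digest."""
        obj = self.objects[key]
        for replica in obj.replicas:
            if content_checksum(replica) == obj.digest:
                return replica
        raise IntegrityError(f"{key}: no intact replica")

    def scrub(self) -> int:
        """Verify every replica at rest; rebuild corrupt ones from an intact copy."""
        fixed = 0
        for key, obj in self.objects.items():
            good = [r for r in obj.replicas if content_checksum(r) == obj.digest]
            if not good:
                raise IntegrityError(f"{key}: redundancy exhausted")
            for i, replica in enumerate(obj.replicas):
                if content_checksum(replica) != obj.digest:
                    obj.replicas[i] = bytes(good[0])
                    fixed += 1
        self.repaired += fixed
        return fixed

    def corrupt_replica(self, key: str, index: int) -> None:
        """Simulate disk corruption of one replica (flip every bit of the first byte)."""
        data = bytearray(self.objects[key].replicas[index])
        data[0] ^= 0xFF
        self.objects[key].replicas[index] = bytes(data)


def simulate() -> dict:
    """Run the three cases the SC-23 text describes and report what happened."""
    store = ChecksummedStore()
    payload = b"constructed sample object body"  # constructed input
    declared = content_checksum(payload)  # sender-side checksum sent with the data

    # 1. Intact transfer with a client-supplied checksum is accepted.
    store.put("intact", payload, declared)

    # 2. Bit flip in transit: the checksum the client sent no longer matches,
    #    so the upload is rejected and nothing is written to storage.
    damaged = bytes([payload[0] ^ 0x01]) + payload[1:]
    try:
        store.put("damaged", damaged, declared)
        in_transit_rejected = False
    except IntegrityError:
        in_transit_rejected = True

    # 3. No client checksum: still stored; later one replica rots at rest and
    #    the scrub detects it via the service's own checksum and repairs it.
    store.put("no-declared", payload, None)
    store.corrupt_replica("no-declared", 1)
    fixed = store.scrub()

    return {
        "in_transit_rejected": in_transit_rejected,
        "damaged_stored": "damaged" in store.objects,
        "replicas_repaired": fixed,
        "served_intact": store.get("no-declared") == payload,
    }
```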
PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
· COBIT 5 BAI04.01, BAI04.02, BAI04.03, BAI04.04, BAI04.05, DSS01.05
· ISA 62443-2-1:2009 4.3.2.5.2
· ISA 62443-3-3:2013 SR 7.1, SR 7.2
· ISO/IEC 27001:2013 A.17.1.2, A.17.2.1
· NIST SP 800-53 Rev. 4 CP-7, CP-8, CP-11, CP-13, PL-8, SA-14, SC-6
CP-7 The AWS business continuity plan details the three-phased approach that AWS has developed to recover and reconstitute the AWS infrastructure:
• Activation and Notification Phase
• Recovery Phase
• Reconstitution Phase
This approach ensures that AWS performs system recovery and reconstitution efforts in a methodical sequence, maximizing the effectiveness of the recovery and reconstitution efforts and minimizing system outage time due to errors and omissions.
AWS maintains a ubiquitous security control environment across all regions. Each data center is built to physical, environmental, and security standards in an active-active configuration, employing an n+1 redundancy model to ensure system availability in the event of component failure. Components (N) have at least one independent backup component (+1), so the backup component is active in the operation even if all other components are fully functional. In order to eliminate single points of failure, this model is applied throughout AWS, including network and data center implementation. All data centers are online and serving traffic; no data center is “cold.” In case of failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
CP-8 The AWS business continuity plan details the three-phased approach that AWS has developed to recover and reconstitute the AWS infrastructure:
• Activation and Notification Phase
• Recovery Phase
• Reconstitution Phase
This approach ensures that AWS performs system recovery and reconstitution efforts in a methodical sequence, maximizing the effectiveness of the recovery and reconstitution efforts and minimizing system outage time due to errors and omissions.
AWS maintains a ubiquitous security control environment across all regions. Each data center is built to physical, environmental, and security standards in an active-active configuration, employing an n+1 redundancy model to ensure system availability in the event of component failure. Components (N) have at least one independent backup component (+1), so the backup component is active in the operation even if all other components are fully functional. In order to eliminate single points of failure, this model is applied throughout AWS, including network and data center implementation. All data centers are online and serving traffic; no data center is “cold.” In case of failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
CP-11 N/A
CP-13 N/A
PL-8 AWS gives customers ownership and control over their content by design through simple, but powerful tools that allow customers to determine where their content will be stored, how it will be secured in transit or at rest, and how access to their AWS environment will be managed. AWS operates, manages, and controls the infrastructure components, from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. AWS has implemented global privacy and data protection best practices in order to help customers establish, operate and leverage our security control environment. These security protections and control processes are independently validated by multiple third-party independent assessments.
SA-14 N/A
SC-6 AWS endpoints are tested as part of AWS compliance vulnerability scans. AWS Cloud services are managed in a manner that preserves their confidentiality, integrity, and availability. AWS has implemented secure software development procedures that are followed to ensure that appropriate security controls are incorporated into the application design. As part of the application design process, new applications must participate in an AWS Security review, which includes registering the application, initiating application risk classification, participating in architecture review and threat modeling, performing code review, and performing a penetration test.
Customer Responsibility

AWS customers are responsible for developing, documenting,


maintaining,
AWS customers disseminating,
are responsible and implementing
for managing accounts an accessassociated
control policywith
and supporting
their procedures. on AWS customers are responsible for
AWSapplications
customers
reviewing and updating
hosted
are responsible AWS.
the policy
AWS
forand customers
developing,
procedures
are responsible
documenting,
at a frequency
for
properly
maintaining, using AWS Identity
disseminating, andimplementing
and Access Management (IAM) toand
an identification create
N/Amanage
defined
and by theiruser organization.
accounts
authentication policy alongand withtosupporting
enforce access within their
procedures. AWSAmazon
N/A Compute Cloud (Amazon EC2) instances and all applications
Elastic
customers are responsible for reviewing and updating the policy and
they install.
AWS customers
procedures are responsible
at a frequency defined forbyconfiguring their systems to
their organization.
uniquely
AWS identifyare
customers andresponsible
authenticate fororganizational
configuring their userssystems
(or processes
to
AWS customers
acting
uniquely on identify
behalf of inandtheauthenticate
users). context of managing their user accounts are
AWS customers
responsible for: 1) areIdentifying
responsible and fororganization-defined
managing
selecting information
system
specific
accounts; system
2)
and/or
types of
identifiersdevices
by: before
1) areReceiving establishing
authorization local, remote,
from and/or
organization network
defined
AWS
The customers
Assigning
master
connections account
account
in responsible
managers
and
accordance IAM for
with for
accounts
their managing
system are usedinformation
accounts;
identification by3) customers
and system
Specifying to
authentication
personnel
authenticators
authorized
manage or
their roles
users,
AWS toservices.
by:group
1) assign
and an
Verifying, roleindividual,
They as part be
membership,
can group,
of configured
the role,
initial
access or device
authenticator
authorizations,
with varying
N/A
policy.
identifier, 2) the
Selecting anofidentifier that
distribution,
and other
levels attributes
of permissions, identity
as and theused
required
are individual,
for each
to setidentifies
group,
account;
up anRequiring
role,
4)
and design individual,
orthe
device
system group,
as
role, or device,
receiving
approvals
documented the
from 3) Assigning
IAM Best2)the
inauthenticator,
customer-defined
the identifier
Establishing
personnel
Practices Guidetoinitial
orthe intended
roles individual,
authenticator
available for ataccount content
group,
for
creation role,
authenticatorsor device,
requests; defined 4) Preventing
5) Monitoring by theiraccount reuseusage;
organization,
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html. of identifiers
3) Notifying
6) Ensuringfor an that
account
organization-defined
authenticators
managers when: have time period,
sufficient
a) Accounts and
strength
are no 5)
of Disabling
longer required,the
mechanism for
b) identifier
their are
Users after
intended
an
use,
An organization-defined
4) Establishing
terminated
AWS is and
or transferred,
account time
andperiod
implementing
the initial c) of administrative
Individual
account inactivity.
created system
whenusage aprocedures
or need-to-
customer for
initial authenticator
know changes;
purchases
AWS services
customers 7)are distribution,
Authorizing
from AWS. access
responsible for configuring
This
for lost/compromised
based on:
account a)
is used
theirAfor orservice
valid damaged
systemsaccesstoand
authenticators,
authorization,
data b)
billing.mechanisms
implement Afterand for revoking
Intended
initial system
AWS
for authenticators,
usage,creation,
account
authentication and 5)it Changing
to ac)cryptographic
Otheris theattributes
AWS default
as
module
AWS
content
requiredcustomers
customer’s ofby their are
authenticators responsible
organization
responsibility prior
toofuseor for
toIAM configuring
information
associated
to create their installation,
system
mission/business
unique systems
accounts tounder
6)
functions;
that meet
uniquely the
identifyrequirements
and authenticate applicable federal
non-organizational laws, Executive
users (or
N/A
Establishing
8)
theReviewing
AWSdirectives,
Orders, minimum
account accounts
for and maximum
for compliance
organizational
policies, lifetime
with
users. restrictions
account
IAM users and
management
can be reuse
granted
processes
conditions
requirements
permissions acting
for aon behalf
toatauthenticators,
frequency
access ofregulations,
resources non-organizational
7) and
defined
standards,
Changing/refreshing
by their
data
and
users).
organization;
as required.
guidance
authenticators
IAM also9) at
and
for
N/A authentication.
such
organization-defined
Establishing
provides a processtime
functionality to intervals
fordefine
reissuinguserby authenticator
shared/group
groups and group type,
account 8) Protecting
credentials
permissions.
authenticator
when individuals content from unauthorized
are removed from the group. disclosure and modification,
9)
TheRequiring
accounts individuals
that customers to take
createandon having devices implement
their Amazon EC2 instances specific
or
security safeguards
More information
applications ontoimplementing
are distinctly protect authenticators,
separate these
and theand
arefunctions 10)using
Changing
responsibility IAM of is
the
authenticators
available at
customer for group/role accounts when membership to
to http://docs.aws.amazon.com/IAM/latest/User
manage. those
Guide/best-
accounts changes.
practices.html.

N/A

N/A

N/A

N/A

N/A

AWS customers are responsible for developing, documenting, maintaining, disseminating, and implementing an access control policy and supporting procedures. AWS customers are responsible for reviewing and updating the policy and procedures at a frequency defined by their organization.

AWS customers are responsible for establishing and documenting usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed to their systems in accordance with their access control policy. AWS customers are responsible for authorizing remote access to their systems prior to allowing such connections.

AWS customers are responsible for establishing and documenting usage restrictions, configuration/connection requirements, and implementation guidance for organization-controlled mobile devices in accordance with their access control policy. AWS customers are responsible for authorizing the connection of mobile devices to their systems prior to allowing such connections.

AWS customers are responsible for establishing terms and conditions with other organizations owning, operating, and/or maintaining external information systems. Consistent with any trust relationships established with these external organizations, and in accordance with their access control policy, AWS customers are responsible for authorizing individuals to: 1) Access their system from an external information system and 2) Process, store, or transmit organization-controlled information using external information systems.
AWS customers are responsible for developing, documenting, maintaining, disseminating, and implementing an access control policy and supporting procedures. AWS customers are responsible for reviewing and updating the policy and procedures at a frequency defined by their organization.

AWS customers are responsible for identifying user actions that can be performed on their systems without identification or authentication and documenting the supporting rationale for these actions in their security plan.

AWS customers are responsible for managing accounts associated with their applications hosted on AWS. AWS customers are responsible for properly using AWS Identity and Access Management (IAM) to create and manage user accounts and to enforce access within their Amazon Elastic Compute Cloud (Amazon EC2) instances and all applications they install. AWS customers in the context of managing their user accounts are responsible for: 1) Identifying and selecting system accounts; 2) Assigning account managers for system accounts; 3) Specifying authorized users, group and role membership, access authorizations, and other attributes as required for each account; 4) Requiring approvals from customer-defined personnel or roles for account creation requests; 5) Monitoring account usage; 6) Notifying account managers when: a) Accounts are no longer required, b) Users are terminated or transferred, and c) Individual system usage or need-to-know changes; 7) Authorizing access based on: a) A valid access authorization, b) Intended system usage, and c) Other attributes as required by their organization or associated mission/business functions; 8) Reviewing accounts for compliance with account management requirements at a frequency defined by their organization; and 9) Establishing a process for reissuing shared/group account credentials when individuals are removed from the group. More information on implementing these functions using IAM is available at http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html.

AWS customers are responsible for configuring their systems to enforce logical access based on approved authorizations and in accordance with their access control policy.

AWS customers are responsible for defining, documenting, and implementing separation of duties for individuals with access to their systems or information. Implementation of this separation should be based on valid access authorization decisions for specific users or individuals as defined by the AWS customer's access control policy. The enforcement of this requirement can be accomplished by establishing groups and permissions within IAM, as discussed at http://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html.

AWS customers are responsible for enforcing the principle of least privilege for users (or processes acting on behalf of users) by granting access based on explicit authorizations. Access authorizations should provide for only the minimum level of access or permissions required to accomplish assigned tasks based on their organization's mission and business needs. More information on IAM access authorizations is available at http://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html.

AWS customers are responsible for limiting the number of concurrent sessions to their systems in accordance with their access control policy.

AWS customers are responsible for configuring systems and interconnected systems to enforce their approved information flow policies. This can be accomplished through configuration of Amazon Virtual Private Cloud (Amazon VPC) network Access Control Lists (ACL) for controlling inbound/outbound traffic at the subnet level and Amazon VPC security groups for controlling traffic at the instance level. More information on configuring Amazon VPC is available at http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html.

AWS customers are responsible for: 1) Monitoring and controlling communications at the external boundary of the system and key internal boundaries within the system, 2) Implementing subnetworks for publicly accessible system components that are physically or logically separated from internal organizational networks, and 3) Connecting to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with organizational security architecture. More information on securing an Amazon VPC is available at http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html.

AWS customers are responsible for establishing and documenting usage restrictions, configuration/connection requirements, and implementation guidance for organization-controlled mobile devices in accordance with their access control policy. AWS customers are responsible for authorizing the connection of mobile devices to their systems prior to allowing such connections.
AWS customers are responsible for developing, documenting, maintaining, disseminating, and implementing an identification and authentication policy along with supporting procedures. AWS customers are responsible for reviewing and updating the policy and procedures at a frequency defined by their organization.

AWS customers are responsible for configuring their systems to uniquely identify and authenticate organizational users (or processes acting on behalf of users).

AWS customers are responsible for managing information system identifiers by: 1) Receiving authorization from organization-defined personnel or roles to assign an individual, group, role, or device identifier, 2) Selecting an identifier that identifies an individual, group, role, or device, 3) Assigning the identifier to the intended individual, group, role, or device, 4) Preventing reuse of identifiers for an organization-defined time period, and 5) Disabling the identifier after an organization-defined time period of inactivity.

AWS customers are responsible for managing information system authenticators by: 1) Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator, 2) Establishing initial authenticator content for authenticators defined by their organization, 3) Ensuring that authenticators have sufficient strength of mechanism for their intended use, 4) Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators, 5) Changing default content of authenticators prior to information system installation, 6) Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators, 7) Changing/refreshing authenticators at organization-defined time intervals by authenticator type, 8) Protecting authenticator content from unauthorized disclosure and modification, 9) Requiring individuals to take and having devices implement specific security safeguards to protect authenticators, and 10) Changing authenticators for group/role accounts when membership to those accounts changes.

AWS customers are responsible for configuring their systems to uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).

The master account and IAM accounts are used by customers to manage their AWS services. They can be configured with varying levels of permissions, and are used to set up and design the system as documented in the IAM Best Practices Guide available at http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html.

AWS customers are responsible for screening personnel prior to granting access to their systems and rescreening personnel according to organization-defined conditions requiring rescreening and at an organization-defined frequency.

AWS customers are responsible for configuring their systems to enforce a session lock after a period of inactivity defined in their access control policy or upon receiving a request from a user. This session lock should be retained until the user reestablishes access using established identification and authentication procedures.

AWS customers are responsible for configuring their systems to terminate user sessions after organization-defined conditions or trigger events occur in accordance with their access control policy.

An AWS account is the initial account created when a customer purchases services from AWS. This account is used for service and data billing. After the initial AWS account creation, it is the AWS customer's responsibility to use IAM to create unique accounts under the AWS account for organizational users. IAM users can be granted permissions to access resources and data as required. IAM also provides functionality to define user groups and group permissions. The accounts that customers create on their Amazon EC2 instances or applications are distinctly separate and are the responsibility of the customer to manage.

AWS customers are responsible for identifying user actions that can be performed on their systems without identification or authentication and documenting the supporting rationale for these actions in their security plan.

AWS customers are responsible for configuring their systems to enforce a limit of invalid login attempts by a user within a period of time as defined in their access control policy. Upon exceeding the policy-defined number of invalid login attempts, the system must take actions to either lock the account or delay the next login prompt in accordance with the access control policy. IAM does not currently support account lockout due to failed login attempts. AWS customers can implement account lockout through identity federation to their existing AD/LDAP.

AWS customers are responsible for configuring their systems to display a system use notification message or warning banner prior to granting access and to provide privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The system use notification message or screen must be retained on the screen until users acknowledge the usage conditions and take explicit actions to log in.

AWS customers are responsible for configuring their systems to uniquely identify and authenticate organization-defined specific and/or types of devices before establishing local, remote, and/or network connections.

AWS customers are responsible for providing basic security awareness training to users (including managers, senior executives, and contractors): 1) As part of initial training for new users, 2) When required by information system changes, and 3) At a frequency defined by their organization thereafter.
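The separation-of-duties and least-privilege statements earlier in this section point at IAM groups and permissions as the enforcement mechanism, and the account text above notes that IAM users can be granted permissions to resources and that groups carry group permissions. The following is an added example, not AWS code or text from the original page: an offline evaluator for identity-based policies attached through groups, with a lint for the over-broad grants that defeat least privilege. Every policy document, group, user, bucket name and ARN in it is constructed for illustration. The decision rule it implements is the documented core of IAM evaluation for identity-based policies (a matching explicit Deny wins, otherwise a matching Allow is required, otherwise the request is implicitly denied); conditions, NotAction/NotResource, resource-based policies and permission boundaries are deliberately out of scope.

```python
"""Offline evaluator for IAM identity-based policies attached through groups.

Added example (not AWS code). Policies, groups, users and ARNs below are
constructed. Implements the documented core of IAM evaluation for
identity-based policies: any matching explicit Deny wins, otherwise a
matching Allow is needed, otherwise the request is implicitly denied.
Action names match case-insensitively, ARNs case-sensitively; '*' and '?'
wildcards are honoured in both. Condition, NotAction/NotResource,
resource-based policies and permission boundaries are out of scope.
"""
import re


def _wildcard_match(pattern, value, ignore_case=False):
    # Translate IAM wildcards into a regex: '*' -> '.*', '?' -> '.'
    parts = [re.escape(p).replace(r"\?", ".") for p in pattern.split("*")]
    regex = "^" + ".*".join(parts) + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(_wildcard_match(a, action, ignore_case=True) for a in actions)
            and any(_wildcard_match(r, resource) for r in resources))


def evaluate(policies, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action on one ARN."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit deny always wins
            decision = "Allow"
    return decision


def is_allowed(user, action, resource, users, groups):
    """Collect the policies of every group the user belongs to, then evaluate."""
    policies = [p for group in users[user] for p in groups[group]]
    return evaluate(policies, action, resource) == "Allow"


def lint_least_privilege(policy):
    """Flag Allow statements that grant every action or every resource."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt["Effect"] != "Allow":
            continue
        if any(a in ("*", "*:*") for a in _as_list(stmt.get("Action", []))):
            findings.append(f"statement {i}: Action wildcard grants every API call")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"statement {i}: Resource '*' spans every ARN")
    return findings


# Constructed group policy: read one reporting bucket, and explicitly deny
# writes so the reader role is separated from whoever produces the reports.
REPORT_READ = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports",
                      "arn:aws:s3:::example-reports/*"]},
        {"Effect": "Deny",
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-reports/*"},
    ],
}

# Constructed over-broad policy that the lint is meant to catch.
BREAK_GLASS = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},
}

GROUPS = {"report-readers": [REPORT_READ],
          "break-glass-admins": [BREAK_GLASS, REPORT_READ]}
USERS = {"alice": ["report-readers"], "bob": ["break-glass-admins"]}
```

The constructed break-glass policy shows why the lint matters: `Action: *` on `Resource: *` is an Allow for every API call on every ARN, and only an explicit Deny somewhere in the principal's attached policies can narrow it, which is exactly what happens to bob's delete on the reports bucket. The case handling is also worth noticing: action names match case-insensitively, but ARNs do not, so a policy written against `Example-Reports` grants nothing on `example-reports`.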

N/A
AT-3: AWS customers are responsible for providing role-based security training to personnel with assigned security roles and responsibilities: 1) Before authorizing access or performing assigned duties, 2) When required by information system changes, and 3) At a frequency defined by their organization thereafter.

AWS customers are responsible for: 1) Establishing personnel security requirements including security roles and responsibilities for third-party providers, 2) Requiring third-party providers to comply with personnel security policies and procedures established by their organization, 3) Documenting personnel security requirements, 4) Requiring third-party providers to notify organization-defined personnel or roles of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges or who have information system privileges within an organization-defined time period, and 5) Monitoring provider compliance.

AWS customers are responsible for requiring the developer of their information system, system component, or information system service to provide organization-defined training on the correct use and operation of the implemented security functions, controls, and/or mechanisms.

AWS customers are responsible for: 1) Requiring that providers of external information system services comply with organizational information security requirements and employ organization-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, 2) Defining and documenting government oversight and user roles and responsibilities with regard to external information system services, and 3) Employing organization-defined processes, methods, and techniques to monitor security control compliance by external service providers on an ongoing basis.

AWS customers are responsible for providing role-based security training to personnel with assigned security roles and responsibilities: 1) Before authorizing access or performing assigned duties, 2) When required by information system changes, and 3) At a frequency defined by their organization thereafter.

AWS customers are responsible for providing incident response training to information system users consistent with assigned roles and responsibilities: 1) Within an organization-defined time period of assuming an incident response role or responsibility, 2) When required by system changes, and 3) At an organization-defined frequency thereafter.

AWS customers are responsible for establishing and managing cryptographic keys for required cryptography employed within their system in accordance with organization-defined requirements for key generation, distribution, storage, access, and destruction.

AWS customers are responsible for configuring their systems to protect the confidentiality and/or integrity of organization-defined information at rest in accordance with their system and communications protection policy. AWS customers can employ Server Side Encryption (SSE) with Amazon S3-Managed Keys (SSE-S3), SSE with AWS KMS-Managed Keys (SSE-KMS), or SSE with customer-provided keys (SSE-C). More information on these encryption options is available at http://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html.
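The at-rest statement above lists three S3 server-side encryption options, SSE-S3, SSE-KMS and SSE-C. The following is an added example, not AWS code or text from the original page, that builds the documented S3 REST request headers for each option and classifies what a response reports, so a compliance check can confirm an object was actually stored encrypted rather than assume it. The KMS key ARN and the 32-byte customer key are constructed. With SSE-C the header set carries a base64 MD5 of the key, which S3 uses as an integrity check on the key in transit, and S3 rejects SSE-C requests over plain HTTP, so the pre-send verification also checks the URL scheme.

```python
"""Request headers and response checks for the three Amazon S3 server-side
encryption options named in the text: SSE-S3, SSE-KMS and SSE-C.

Added example (not AWS code). Header names are the documented S3 REST
headers; the KMS key ARN and the 32-byte customer key are constructed.
"""
import base64
import hashlib

SSE = "x-amz-server-side-encryption"
SSE_KMS_KEY_ID = "x-amz-server-side-encryption-aws-kms-key-id"
SSEC_ALGORITHM = "x-amz-server-side-encryption-customer-algorithm"
SSEC_KEY = "x-amz-server-side-encryption-customer-key"
SSEC_KEY_MD5 = "x-amz-server-side-encryption-customer-key-MD5"

# Constructed values for the example only; a real key comes from a CSPRNG
# and a real key ARN from the account's KMS.
CONSTRUCTED_KEY = bytes(range(32))
CONSTRUCTED_KMS_KEY_ARN = ("arn:aws:kms:us-east-1:123456789012:key/"
                           "11111111-2222-3333-4444-555555555555")


def sse_headers(mode, kms_key_id=None, customer_key=None):
    """Headers to add to a PutObject request for the chosen SSE option."""
    if mode == "SSE-S3":
        return {SSE: "AES256"}
    if mode == "SSE-KMS":
        headers = {SSE: "aws:kms"}
        if kms_key_id:  # omitted: S3 uses the account's AWS managed key
            headers[SSE_KMS_KEY_ID] = kms_key_id
        return headers
    if mode == "SSE-C":
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C needs a 256-bit (32-byte) AES key")
        key_md5 = hashlib.md5(customer_key).digest()
        return {SSEC_ALGORITHM: "AES256",
                SSEC_KEY: base64.b64encode(customer_key).decode("ascii"),
                SSEC_KEY_MD5: base64.b64encode(key_md5).decode("ascii")}
    raise ValueError(f"unknown SSE mode {mode!r}")


def verify_sse_c_request(scheme, headers):
    """Client-side check of an SSE-C request before sending it: TLS only
    (S3 rejects SSE-C over HTTP), AES256, a 32-byte key, and an MD5 header
    consistent with the key (S3 uses it as an integrity check in transit)."""
    if scheme != "https":
        return False
    try:
        key = base64.b64decode(headers[SSEC_KEY], validate=True)
    except (KeyError, ValueError):
        return False
    expected_md5 = base64.b64encode(hashlib.md5(key).digest()).decode("ascii")
    return (headers.get(SSEC_ALGORITHM) == "AES256"
            and len(key) == 32
            and headers.get(SSEC_KEY_MD5) == expected_md5)


def stored_encryption(response_headers):
    """How S3 reports an object is stored, from PutObject/HeadObject
    response headers (names compared case-insensitively): 'SSE-C',
    'SSE-KMS', 'SSE-S3' or 'NONE'. A compliance check fails on 'NONE'."""
    lowered = {k.lower(): v for k, v in response_headers.items()}
    if lowered.get(SSEC_ALGORITHM) == "AES256":
        return "SSE-C"
    if lowered.get(SSE) == "aws:kms":
        return "SSE-KMS"
    if lowered.get(SSE) == "AES256":
        return "SSE-S3"
    return "NONE"
```

With SSE-C, AWS does not retain the key: the same key must be supplied on every GET, and losing it makes the object unreadable, so the key management statement above (generation, distribution, storage, access and destruction) falls entirely on the caller rather than on KMS. The `stored_encryption` check is the step that turns "we send the header" into evidence: a bucket policy or default bucket encryption can still leave objects unencrypted if the request path differs from the one assumed, and only the response (or a later HeadObject) says what was actually applied.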

AWS customers are responsible for implementing mechanisms to protect the confidentiality and integrity of transmitted information.

AWS customers are responsible for developing, documenting, reviewing, and updating at an organization-defined frequency an inventory of system components for their systems. AWS customers are responsible for verifying that the inventory: 1) Accurately reflects the current system, 2) Includes all components within the authorization boundary, 3) Is at the level of granularity deemed necessary for tracking and reporting, and 4) Includes the information prescribed by the configuration management policy that is deemed necessary to achieve effective information system component accountability.

AWS customers are responsible for allocating audit record storage capacity in accordance with the audit record storage requirements defined in their audit and accountability policy.

AWS customers are responsible for developing a contingency plan for their system that: 1) Identifies essential missions and business functions and associated contingency requirements, 2) Provides recovery objectives, restoration priorities, and metrics, 3) Addresses contingency roles, responsibilities, and assigned individuals with contact information, 4) Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure, 5) Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented, and 6) Is reviewed and approved by organization-defined personnel or roles in accordance with the organization-defined contingency planning policy. In addition, AWS customers are responsible for distributing copies of the contingency plan to the organization-defined key contingency personnel (identified by name and/or by role) and organizational elements. Contingency planning activities must be coordinated with incident handling activities. The contingency plan must be reviewed at a frequency defined in the contingency planning policy and updated to address changes to their organization, information system, or environment of operation and problems encountered during implementation, execution, or testing. AWS customers are responsible for communicating contingency plan changes to organization-defined personnel and for protecting the contingency plan from unauthorized disclosure and modification.

AWS customers are responsible for configuring their systems to protect against or limit the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards. More information on best practices for resiliency against denial of service attacks is available at https://d0.awsstatic.com/whitepapers/DDoS_White_Paper_June2015.pdf.

AWS customers are responsible for configuring systems and interconnected systems to enforce their approved information flow policies. This can be accomplished through configuration of Amazon Virtual Private Cloud (Amazon VPC) network Access Control Lists (ACL) for controlling inbound/outbound traffic at the subnet level and Amazon VPC security groups for controlling traffic at the instance level. More information on configuring Amazon VPC is available at http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html.

AWS customers are responsible for defining, documenting, and implementing separation of duties for individuals with access to their systems or information. Implementation of this separation should be based on valid access authorization decisions for specific users or individuals as defined by the AWS customer's access control policy. The enforcement of this requirement can be accomplished by establishing groups and permissions within IAM, as discussed at http://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html.

AWS customers are responsible for enforcing the principle of least privilege for users (or processes acting on behalf of users) by granting access based on explicit authorizations. Access authorizations should provide for only the minimum level of access or permissions required to accomplish assigned tasks based on their organization's mission and business needs. More information on IAM access authorizations is available at http://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html.

AWS customers are responsible for screening personnel prior to granting access to their systems and rescreening personnel according to organization-defined conditions requiring rescreening and at an organization-defined frequency.

AWS customers are responsible for developing and documenting access agreements for their systems hosted on AWS. AWS customers are responsible for ensuring that all of their personnel sign access agreements before receiving access to their system, at a recurring frequency defined by the organization-defined personnel policy, and when access agreements have been updated. Access agreements must be reviewed and updated at an organization-defined frequency.

AWS customers are responsible for implementing organization-defined cryptographic uses and the type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, and standards.

AWS customers are responsible for: 1) Monitoring and controlling communications at the external boundary of the system and key internal boundaries within the system, 2) Implementing subnetworks for publicly accessible system components that are physically or logically separated from internal organizational networks, and 3) Connecting to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with organizational security architecture. More information on securing an Amazon VPC is available at http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html.

AWS customers are responsible for implementing mechanisms to protect the confidentiality and integrity of transmitted information.

AWS customers are responsible for: 1) Monitoring their information system to detect: a) Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives and b) Unauthorized local, network, and remote connections; 2) Identifying unauthorized use of the information system through organization-defined techniques and methods; 3) Deploying monitoring devices: a) Strategically within the information system to collect organization-determined essential information and b) At ad hoc locations within the system to track specific types of transactions of interest to their organization; 4) Protecting information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; 5) Heightening the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; 6) Obtaining legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and 7) Providing organization-defined information system monitoring information to organization-defined personnel or roles as ...
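The information-flow and boundary-protection statements above name two Amazon VPC filters: network ACLs at the subnet level and security groups at the instance level. The following is an added example, not AWS code or text from the original page, that models how those two filters decide a packet so that a rule set can be checked before it is deployed. The semantics modelled are the documented ones: a network ACL is stateless, its rules are evaluated lowest rule number first, the first match decides, and anything unmatched hits the implicit final deny; a security group is a stateful allow-list with no deny rules, where any matching rule permits. The rule tables, the TEST-NET address ranges and the shadowed deny rule are all constructed for illustration.

```python
"""Offline model of the two Amazon VPC traffic filters named in the text:
network ACLs (subnet level) and security groups (instance level).

Added example (not AWS code). Rule tables and addresses are constructed.
Semantics modelled, as documented: a network ACL is stateless, its rules
are evaluated lowest number first, the first match decides, and an
unmatched packet hits the implicit final deny; a security group is a
stateful allow-list with no deny rules, where any matching rule permits.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int        # evaluation order, lowest first
    protocol: str      # "tcp", "udp", "icmp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str
    action: str        # "allow" or "deny"


@dataclass(frozen=True)
class SgRule:
    protocol: str
    port_from: int
    port_to: int
    cidr: str          # security groups only ever allow


def _matches(rule, proto, port, ip):
    proto_ok = rule.protocol in ("-1", proto)
    port_ok = rule.port_from <= port <= rule.port_to
    net_ok = ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr)
    return proto_ok and port_ok and net_ok


def nacl_decision(rules, proto, port, ip):
    """'allow' or 'deny' for one packet against one direction of a NACL."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, proto, port, ip):
            return rule.action
    return "deny"  # the implicit '*' rule


def sg_allows(rules, proto, port, ip):
    """Permitted if any security group rule matches; state handles replies."""
    return any(_matches(r, proto, port, ip) for r in rules)


def shadowed_rules(rules):
    """NACL rules that can never fire: a lower-numbered rule with the same
    protocol, a covering port range and a covering CIDR already decides
    every packet they would match."""
    ordered = sorted(rules, key=lambda r: r.number)
    shadowed = []
    for i, rule in enumerate(ordered):
        for earlier in ordered[:i]:
            same_proto = earlier.protocol in ("-1", rule.protocol)
            ports_cover = earlier.port_from <= rule.port_from and rule.port_to <= earlier.port_to
            cidr_cover = ipaddress.ip_network(rule.cidr).subnet_of(ipaddress.ip_network(earlier.cidr))
            if same_proto and ports_cover and cidr_cover:
                shadowed.append(rule)
                break
    return shadowed


def world_open_admin_ports(rules, admin_ports=(22, 3389)):
    """Audit helper: allow rules exposing an admin port to every IPv4 address."""
    return [r for r in rules
            if r.cidr == "0.0.0.0/0"
            and getattr(r, "action", "allow") == "allow"
            and any(r.port_from <= p <= r.port_to for p in admin_ports)]


# Constructed inbound NACL for a public web subnet. Rule 110 is a mistake:
# rule 100 already allowed all of 443, so the deny can never take effect.
WEB_SUBNET_INBOUND = [
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    NaclRule(110, "tcp", 443, 443, "198.51.100.0/24", "deny"),
    NaclRule(120, "tcp", 22, 22, "203.0.113.0/24", "allow"),    # admin range
    NaclRule(130, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),    # ephemeral return ports
]

# Constructed security groups for the instances in that subnet.
WEB_INSTANCE_SG = [SgRule("tcp", 443, 443, "0.0.0.0/0"),
                   SgRule("tcp", 22, 22, "203.0.113.0/24")]
SLOPPY_SG = [SgRule("tcp", 22, 22, "0.0.0.0/0")]
```

Two consequences of the modelled semantics are worth checking in real rule sets. First, a deny placed after a broader allow in a network ACL never fires (rule 110 above), so ordering by rule number is part of the control, not a cosmetic detail. Second, because network ACLs are stateless, the ephemeral-port return rule (rule 130) is required for any outbound connection from the subnet to complete, and that same rule necessarily admits inbound traffic to every port above 1023, RDP on 3389 included; the audit flags it for that reason. The instance-level security group, which is stateful and needs no return rule, is therefore the filter that actually decides which high ports are reachable, which is why the two are meant to be layered rather than used alone.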
AWS customers are responsible for employing integrity verification tools to monitor and detect unauthorized changes to organization-defined software, firmware, and information within their information system.

AWS customers are responsible for developing, documenting, and maintaining under configuration control a current baseline configuration of their systems.

AWS customers are responsible for requiring the developer of their information system, system component, or information system service to: 1) Perform configuration management during system, component, or service design, development, implementation, and/or operation, 2) Document, manage, and control the integrity of changes to configuration items under configuration management, 3) Implement only organization-approved changes to the system, component, or service, 4) Document approved changes to the system, component, or service and the potential security impacts of such changes, and 5) Track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel.

AWS customers are responsible for employing integrity verification tools to monitor and detect unauthorized changes to organization-defined software, firmware, and information within their information system.

AWS customers are responsible for developing, documenting, and maintaining under configuration control a current baseline configuration of their systems.

AWS customers are responsible for implementing a configuration change control process in accordance with their configuration management policy that includes the following elements: 1) Determination of the types of changes to the information system that are configuration-controlled, 2) Review of all proposed configuration-controlled changes to the information system and approval or disapproval of such changes with explicit consideration for security impact analyses, 3) Documentation of configuration change decisions associated with the information system, 4) Implementation of approved configuration-controlled changes to the information system, 5) Retention of records of configuration-controlled changes to the information system for an organization-defined time period ...

AWS customers are responsible for analyzing changes to their systems to determine potential security impacts prior to change implementation.

AWS customers are responsible for defining, documenting, approving, and enforcing physical and logical access restrictions associated with changes to their systems.

AWS customers are responsible for: 1) Establishing and documenting configuration settings for IT products employed within their systems using organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements, 2) Implementing the approved configuration settings, 3) Identifying, documenting, and approving any deviations from established configuration settings for organization-defined information system components based on organization-defined operational requirements, and 4) Monitoring and controlling changes to the configuration settings in accordance with the configuration management policy and supporting procedures.

AWS customers are responsible for configuring their system to provide only essential capabilities and to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in their configuration management policy.

AWS customers are responsible for developing, documenting, and implementing a configuration management plan for their systems that: 1) Addresses roles, responsibilities, and configuration management processes and procedures, 2) Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items, 3) Defines the configuration items for the information system and places the configuration items under configuration management, and 4) Protects the configuration management plan from unauthorized disclosure and modification.

AWS customers are responsible for developing an information security architecture for the information system that: 1) Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information, 2) Describes how the information security architecture is integrated into and supports the enterprise architecture, and 3) Describes any information security assumptions about ...

AWS customers are responsible for protecting against supply chain threats to the information system, system component, or information system service by employing organization-defined security safeguards ...

AWS customers are responsible for requiring the developer of their information system, system component, or information system service to: 1) Create and implement a security assessment plan, 2) Perform unit, integration, system, and/or regression testing/evaluation at organization-defined ...
responsible
depth component,
configuration
and for
coverage,items
requiringorunder
3)information
the configuration
Produce developer system
evidence of service
their
of the
system,
as part ofcomponent, or service and the potentialinformation security impacts of
dependencies
to follow
management,
information
execution aaofdocumented
comprehensive,
on Implement
3)
system,
the
external
securitysystem
defense-in-breadth
services.
development
only
component,
assessment process
organization-approved
plan orand that:
information
the 1) Explicitly
results changes
system
of
security
the to the
service
security
such changes,
AWS
strategy. customers andare 5)responsible
Track security for: flaws
1) Managingand flawtheir resolution
systems within
using
addresses
system,
to produce security
component,
testing/evaluation, a design requirements,
4) or service,
specification
Implement 4) 2)
aand Identifies
Document
security
verifiable the
approvedstandards
architecture
flaw changes
remediation andprocess,
that: tools
to
1) the
Is
theorganization-defined
an system, component, or service
System and
Development report findingsLife Cycle to organization-
(SDLC)
AWS
used
system,
consistent
and
customers
5)inCorrect
the development
component,
with aresupportive
and
flaws
responsible
or process,
service
identified and
of for
during3) reviewing
including
Documents
the
their potential
organization’s
security
and
the updating
following
the specific
security impacts
security
testing/evaluation. tool ofthat
the
defined
incorporates
information
requirements,personnel.information
security
descriptions, security
architecture
and considerations,
criteria
at an organization-defined
explicitly 2) Defining
orresolution
byengineering
reference andin
frequency
options
such
AWS
architecture and tool
changes,
customers thatand configurations
are
is 5) responsible
Tracksecurity
established used
securityfor
within inandthe
applying
flaws development
and
is ansecurity
flaw
integrated process,
part withinandthe
of their
documenting
to reflect
acquisition
4) Documents, updates information
contract in for
manages, the the
enterprise
information roles and
architecture.
system, responsibilities
Planned
system throughout
component,
informationto the or
the
principles
AWS
the system,
organization’s
SDLC, in3)
customers component,
the specification,
enterprise
areservice
Identifying orand ensures
service
design,
architecture,
responsible
individuals forand the
2)
properly
having
integrity
development,
report findings
Accurately
handling
information
of implementation,
changes
andto
and organization-
completely
retaining
security roles
security
information
process
defined
and architecture
and/or system
personnel.
modification
describes the tools
required changes
used
of their inin must
accordance
development.
systems.
security be
functionality reflected
withand applicable
inthetheallocation
securityfederal plan,
of laws,the
their
and
N/A information
responsibilities,
security
Executive Concept
Orders,among withinand
ofdirectives,their
4)
Operations system
Integrating
policies,
(CONOPS), andthe information
organizational
regulations,
and output
organizational
standards, from
information the
security
system
security controls
in
risk accordance
management withphysical
applicable
process and
into logical
federal
SDLC components,
laws, Executive
activities. andOrders,
3)
procurements/acquisitions.
guidelines,
N/A customers
AWS
Expresses and individual
how organizational
are regulations,
responsible mission/business
security forfunctions,
reviewing needs:
the 1) Security
development
mechanisms, and services
directives,
functional policies,
requirements, 2) Security standards,
strength and operational
requirements,
process,
AWS
work standards,
customers
together
requirements. to are tools,
provide and
responsible toolforoptions/configurations
required configuring
security andata3)
their systems
capabilities an Security
to
unified
assurance
implement
approach torequirements,
organization-definedorganization-defined
protection. 4) Security-related
frequency tofail-safe
determine documentation
if the process,
procedures to protect standards,
its
N/A
requirements,
tools, andfrom
memory tool 5) Requirements
options/configurations
unauthorized code forexecution.
protecting
selectedsecurity-related
and employed can
AWS
satisfycustomers
documentation, 6)
organization-definedareDescription
responsible offor
security theimplementing
information system
requirements. a configuration
development
change
environment control and process
environmentin accordance
in which withthetheir
system configuration
is intended to
management policy
operate, and 7) Acceptance criteria. that includes the following elements: 1)
Determination of the types of changes to the information system that
AWS customers are responsible for analyzing changes to their systems
are configuration-controlled, 2) Review of all proposed configuration-
to determine
AWS customers potential security impacts
aretoresponsible for requiring prior tothe change
developer implementation.
of their
controlled changes the information system and approval or
information
disapproval
AWS customers system,
of such system
are changes
responsible component,
withfor explicit
testing orconsideration
information
their contingency system
for security service
plan at an
to: 1) Perform
impact analyses,
organization-defined configuration
3) Documentation
frequency management
using during system,
of organization-defined
configuration change component,
decisions
tests to
N/A
or service design,
associated
determine the thedevelopment,
witheffectivenessinformation of the implementation,
system,
plan and 4) Implementationand/or operation,
the organizational of readiness
approved2)
AWS
Document, customers manage,
configuration-controlled
to execute the plan.are AWSresponsible
and control
changes
customers for
theto conducting
integrity
the
areinformation of backups
responsible changes system, of
to user-level,
for reviewing 5) the
system-level,
organization-defined
Retention
N/A of contingency
results and system
of records of documentation
configuration items
configuration-controlled
plan testing and (including
under configuration
initiating security
changes
corrective to actions
the
information)
management,
information
when needed. at3)aImplement
system frequency defined in their contingency
only organization-approved
for an organization-defined time period. planningto the
changes
policy.
system,AWS component, customers are responsible
or service, 4) Document for protecting
approvedthe changes to the
confidentiality,
system, component, integrity, and availability
or service and the potential of backup securityinformation
impacts at of
storage locations.
such changes, and 5) Track security flaws and flaw resolution within
the system, component, or service and report findings to organization-
defined personnel.

N/A
N/A
N/A
N/A
N/A
N/A

AWS customers are responsible for conducting security assessments


for
AWS their systems.are
customers Within responsiblethis context and in accordance
for developing a continuous with their
security
monitoring assessment
strategy and
and authorization
implementing policy,
a continuous AWS customers monitoringplan are
AWS
responsiblecustomers for: 1) areDeveloping
responsible a for developing
security assessment a contingency
plan for
program
their system in accordance
that: 1) Identifies with their security
essential assessment
missions and and that
business authorization
AWS
describes customers
policy thatand the security
defines: are responsible
controls
1) Metrics and for developing
control
to be monitored, an
enhancements Incident
2) Frequencies underResponse
functions
Plan (IRP)
assessment, that: associated
assessment contingency
procedures usedrequirements,
to determine Providesfor the
2)effectiveness,
AWS
monitoring
recovery customers are
and reporting,
objectives, responsible
restoration for
and 3)priorities, developing
Personneland or rolesa security
metrics, responsible plan
3) Addresses for
fortheir
1) Provides
assessment
systems
conducting and that: their
environment,
1) Isorganization
consistent
receiving the with
assessment
with
continuous a
the roadmap team,
organization’s
monitoring for
and implementing
the assessment
enterprise
analysis information. its roles
N/A
contingency
incident response roles, responsibilities,
capability, 2) Describes and assigned
the individuals
structure andsystem with and
and responsibilities,
architecture,
Pursuant to this 2) Explicitly 2) Assessing
continuous defines
monitoring security
the controls
authorization
program, AWS in their
boundary
customers for the are
contact
organization
its information,
environment of the 4) Addresses
incident
of Establishing
operation response
at an maintaining
capability, essential
3) information
Provides missions a high- and
system,
responsible
business 3)functions
Describes
for: 1) the operational
despite an andorganization-defined
information context
configuring of the
system monitoring
disruption,
frequencyfor to
system
defined
level
determine
in termsapproach
ofthe for how
extent
missions to and
and the
which incident
the controls response are4)capability
implemented fits
theinto the
correctly,
metrics,
compromise,
overall
operating
2) Monitoring
organization,
as or failure,
intended, 4) and 5)business
Meets
conducting
Addresses
the
producing
processes,
unique the
assessments
eventual, requirements
desired
Provides
fulloutcome
as organization-
information
of the
with
securitysystem
respect
categorization
defined frequencies,
restoration withoutof the information
3) Conducting
deterioration system
of theongoing including
security security supporting
controloriginally
organization,
to meeting5)established
rationale,
assessments, which
Describes
4) Conductingrelatesecurity
the to mission,
requirements,
operational
ongoing size,
environment
security 3)safeguards
structure,
status Producing and
for the
monitoring functions,
a security
information
of 5)
their
planned
Defines andreport
reportableimplemented, incidents, and 6) Is
thereviewed andfor approved by and
assessment
system and
organization-defined
organization-defined relationships that metrics,with6)
documents
personnel oror
5) Provides results
connections
Correlating
roles
metricsof
to the
and
in accordance other
analyzingmeasuring
assessment,
information,
with the the6)
security- the 4)
incident
Providing
Provides
related response
an theoverview
information results capability
of ofthe
generated within
thesecurity
security the organization,
control
by assessments requirements assessment for7)the
and monitoring, Defines
to system,
their 5) 7)
contingency
resources andplanning
management policy. support needed to effectively
organization-defined
Identifies
Taking any
appropriate relevant individuals
overlays,
response actionsiforapplicable,
roles.
to address 8)the resultsmaintain
Describes ofthe thesecurity and
mature an
controls inincident
place orresponse
planned capability,
for meeting and
and8)6)
those IsReporting
reviewedthe
requirements, and include
analysis
AWS
AWS customers of
customers security-related
are
are responsible
responsible information,
for defining
forpersonnel
distributing information
copies of sharing thetosecurity
aapproved
rationale
status of theirby organization-defined
forplanthe tailoring
organization decisions,
and the isand 9) or roles.
Iscontingency
reviewed toand approved
circumstances
contingency
AWS customers where to
are user discretion
organization-defined
responsible forinformation
required.
developing key system
aAWScontinuous the
customerspersonnel are
by the authorizing
organization-defined
responsible
(identified byforname official
facilitating personnel
and/or or
bydesignated
or roles
information
role) atrepresentative
sharing the organization-defined
by enabling priorauthorized
to plan
monitoring
AWS customers
implementation.
frequency.
strategy and
arewhether implementing
responsible for and
for: organizational
1) aMonitoring
continuous
distributing copies their elements.
monitoring
ofinformation
the IRP to
users
program to
Contingency determine
indetect:planning
accordance activities
with andaccess
their mustauthorizations
security bepersonnel
coordinated
assessment assignedwith
and to the
incident
authorization
organization
system
N/A to defined incident
a) Attacks response
indicators ofon potential(identified attacks byinname
sharing
handling
policy partner
that activities.
defines: match The the
1) Metrics access
contingency to restrictions
plan
be monitored, mustIRP bethe information.
reviewed
2) objectives
Frequencies atand AWS
aforb)and
and/or
accordance
In role)
addition, and organizational
with
AWS organization-defined
customers elements. The
monitoring must be review
customers
N/A
frequency are responsible forare responsible
implementing forpolicy
automateddistributing mechanisms copies ofor
monitoring
updated
Unauthorized
the security at defined
aandfrequency
planlocal, innetwork,
reporting,
tototheir
thedefined
contingency
and
organization-defined
3)
and the planning
byPersonnel
remote incident or
personnel
roles
response
connections; and
responsible updated
policy
2)sharing
or roles, Identifying toforto
reviewing
manual
address
conducting processes
changes and to assist users
organization, in
formaking system, information
ora analysis
environment of during
AWS
address
the customers
unauthorized
security
decisions based usereceiving
plan are
system/organizational
on oftheir
at responsible
the continuous
information
organization-defined
access
changes
control
monitoring
developing
systemorfrequencies,
policy.
problems
through contingency
encountered information.
organization-
and updating plan for
the
operation
Pursuant
their system toand this problems
continuous encountered
monitoring duringprogram, implementation,
AWS customers execution, are
plan
defined
security
or testing. planthat:
N/A implementation,
techniques to address1)and Identifies
execution,
methods;
changes essential
or testing.
3)the
to missions
Deploying
informationChanges andtobusiness
monitoring the IRP
devices: must a)be
responsible
functions
communicated
Strategically and for: to1)
associated
within Establishing contingency
organization-defined
the information and configuring
requirements,
systemincident monitoring
response
to identified
collect 2)organization-
Provides for defined
personnel
system/environment
AWS customers are of operation
responsible or providing
for problems an incident during
response plan
metrics,
recovery
(identified
determined 2) Monitoring
objectives,
by name
essential and/or and role)
restoration
information conducting
priorities,
and
and b)assessments
and
organizational
At ad hocmetrics, as organization-
3) Addresses
elements.
locations within
implementation
support
AWS resource,
customers or
are security
which control
is integral
responsible for assessments.
to the organizational
communicating
developing AWS customers
incident arethe
defined
contingency
system
responsible
response
frequencies,
to track roles,
for
capability, protecting
3) Conducting
responsibilities,
specific that typestheirofadvice
offers
ongoing
and
transactions
security and
assigned
plan of an
security
from
assistance
Incident
interest contingency
control
individuals
unauthorized
to to their
users
Response
with plan
of the
changes
Plan
AWS (IRP)
assessments,
contact
organization; to organization-defined
that:
information,
customers 4) Conducting
arefor
4) Protecting 4) Addresses
responsible ongoing personnelsecurity
formaintaining
information protecting
identifying
obtainedand for
status
essential
the
the protecting
IRP
from monitoring
information the
missions and
from
intrusion- of their
disclosure
information
contingency
1) Provides ortheir
modification.
system
plan from
organization the an handling
unauthorized with and reporting
disclosure
aaccess,
roadmap forand of security
modification.
implementing incidents.
its
organization-defined
business
unauthorized
involved
monitoring functions
in tools
an disclosure
information
from metrics,
despite andsystem
unauthorized 5) Correlating
information
modification.contamination and
system analyzing
disruption,
modification,because security-
AWS
and does
deletion;
N/A
incident response capability, 2)
related
compromise,
not manage information
5) Heightening orthe
customer failure,generated
level data 5)ofor byDescribes
Addresses assessments
determine
information itsthe
eventual,
system structure
andfull
categorization.monitoring,andAWS
information
monitoring activity5)system
has no
AWS
Taking customers
organization
restoration
insight
whenever appropriate
into without
the
there isare
of sensitivity
the responsible
anincident
response
deterioration
indication ofresponse
actionsfor
customer
of testing
tocapability,
ofincreased
the address
security
data their
riskthe
and contingency
3) Provides
to results
safeguards
must plan
athehigh-
oforiginally
consequently
organizational at an
organization-defined
level
analysis
planned
AWS
treat approach
all
operations of
and
customers
customer for
security-related
implemented,
and assets, are how
data frequency
the
responsible incident
as sensitive.
individuals, 6)using
information,
and Is
forother
As organization-defined
response
reviewed
testing and
such, the capability
6)and
only
organizations, Reporting
incidentapproved
a customer orfitsthetests
responseinto
by
the can Nation to
the
security
determine
overall
status
capability
determine
based on lawthe
oforganization,
their
organization-defined
for
whether effectiveness
organization
their
enforcement 4)
system
data Meets
personnel atof
andanthe
hasinformation,
been the
or plan
unique
roles
spilled and
information
in
organization-defined
on the
accordanceorganizational
requirementssystem
an Amazon
intelligence of
to
with
frequency
EC2
information, the
the the readiness
using
instance,or
N/A
to execute the plan. AWS customers are responsible for reviewing the
organization,
contingency
organization-defined
an Amazon
other credible which
planning
Elastic
sources relate
Blockpersonnel
policy.
tests to
to mission,
or
determine
Store (Amazon
of information; roles size,
at
the structure,
the
incident
EBS) volume,
6) Obtaining and
organization-defined
response
legal or functions,
an Amazon
opinion with5)
AWS
results
Defines customers
ofreportable andare
contingency responsible
plan testing
incidents, 6) forand
Provides developing, metricsdocumenting,
initiating corrective
for actions
frequency.
effectiveness
S3 object.
regard to information documenting
system the
monitoring results. activities in measuring
accordance the
with
maintaining,
when
incident needed.
response disseminating,
capability and
within implementing
the organization, aariskpersonnel 7)policies,
Defines security
AWS
applicablecustomers federalare laws,responsible
Executive forOrders,
distributing
assigning directives, copies designation
of the orthe
to all
policy
resources
contingency
positions
Upon along and
and
determining with
plan supporting
management
establishing
to organization-definedprocedures.
support
screening needed
criteria AWS
keytofor customers
effectively
contingency
individuals are
maintain
personnel
filling and
those
regulations;
AWS customers
responsible
and 7)
for arethat
Providing
reviewing
they have
responsible and
a spill
organization-defined
for
updating
withinpersonnel
screening
the policy
theirinformation
environment,
and procedures prior tosystem the
at a
mature
(identified
positions.
AWS
monitoring
granting anaccess
customer incident
Inby addition,
nameisare
information
to response
and/or
AWS
responsible
their bycapability,
customers
role)
for and
notifying
to organization-defined
systems and and
are
rescreening 8) Isorganization-defined
organizational
responsible
the reviewed
personnel
personnel elements.
for or and
reviewing
roles as to
according
AWS
frequency
approved customersdefined byresponsible
their for
organization. upon atermination of anincidentindividual's
Contingency
and
personnel
needed or by
revising or
organization-defined
employment:
organization-defined
in position
planning
roles
accordance and risk
activities
designations
isolating
with
conditions mustpersonnel
ancontaminated beatcoordinated
organization-defined
requiring orsystems
roles. with
frequency
rescreening defined
or system
frequency.
and at an in their
AWS
handling
personnel customers
components. activities.
security
organization-defined arepolicy.
Theresponsible
contingency
frequency. for: 1) plan Reviewing
must be reviewed and confirming at a
1)
AWSDisabling
ongoing
frequency customers information
operational
defined are responsible
need
inresponsible system
for current
the contingency access
for to theand
distributing
logical
planning individual
copies
physical
policy ofwho
and access
the
updated has been
IRP to
to
AWS
terminatedcustomers within arethe frequency for
defined developing
in their and documenting
personnel security
organization
authorizations
address
AWS
access changes
customers
agreements defined
to to information
are incident
their systems/facilities
response
organization, personnel
system, on or when(identified
individuals
environment byofname are
AWS
policy,
and/or
reassignedcustomers
2) and
role) arefor
Terminating/revoking
orandtransferred
responsible
organizational
their
responsibleto
systems
other
for
for:
any
elements.
eradicating
hosted
1) Establishing AWS.
the
authenticators/credentials
positions Thewithin
IRP the
information
must
In addition,
personnel
organization,
be review
from
AWS
securityand
2)
operation
the
customers
contaminated are problems
responsible
system encountered
orforsystem
ensuring during
component,
that implementation,
all ofidentifying
their personnel execution,
requirements
associated
AWS
updated
Initiatingcustomers with including
the
arebefore
atorganization-defined
acomponents
frequency security
individual,
responsible
defined 3) roles
for:
transfer
by the 1)and
Conducting or responsibilities
Implementing
incident an
reassignment exit
response interviewforother
a formal
actions
policy third-
that
to
sign
within
or testing.
systems
access agreements
or thatreceiving
have been accesssubsequently
to their system,
contaminated,at a
party
includes
sanctions
address
an providers,
aprocess
discussion
organization-defined 2)for
system/organizational Requiring
personnel third-party
or organization-defined
time-period, failing
changes (3)to providers
comply
orModifying
problemssecurity toencountered
with comply
topics,
established
access with and
4)
N/A
performing
recurring
personnel other
frequency
security organization-defined
defined
policies andbyorganizational
the actions
personnel
procedures in accordance
security
established policy withduring
and their
when
Retrieving
information
plan
authorization
AWS
incident
access customers
agreements
all
implementation,
response
security-related
security
as needed
are policies
execution,
to
responsible
policy.
have been and
correspond procedures
or
for
updated. testing.
with
communicating
Access any information
and
Changes changes
agreements to by
2) Notifyingthe
contingency
their
insystem-
IRP
operational
must must
beplan be
AWS
related customers
organization,
property, 3)to are responsible
Documenting
5) Retaining for:
personnel
access 1) Conducting
security
to incident
organizational an information
assessment
requirements, 4) of
organization-defined
communicated
need
changes
reviewed
risk
due
toperiodtoto
and
include
the reassignment
organization-defined
updated
theare
personnel
organization-defined or or roles
transfer,
personnel
at an organization-defined within
and and (4)an
of for
organization-defined
response
Notifying
protecting
frequency. personnelthe and
Requiring
information
AWS
time customers
(identified third-party
organization-defined
contingency by systems
when name alikelihood
providers
formerly
responsible
formal
and/or
personnel
and
employee
role) to
or
magnitude
and notify
controlled
for:roles1) by
Scanning
sanctions
organizational
within the harm
organization-defined
terminated
for
process
the
from is
elements.
time
the
individual,
vulnerabilities
initiated,
period defined in
to
AWS
andtheir
their
customers
unauthorized
personnel
6)information
include
in or plan
Notifying
identifying
personnel
access,
roles from
can ofthe use,
any
appropriate
system
security
unauthorized
perform
and
individual
traditional
disclosure,
personnel
personnel
hosted
policy.
disclosure
ofoverwrite
disruption,
transfers
applications
sanctioned theor
and
termination
and at
thein
modification.
practices
modification,
terminations
an within
organization-
reason
on
oforthird-
for thethe
AWS
Amazon customers
destruction EC2 of theirare
instances responsible
and
information Amazon for:
system 1)
EBS Identifying,
and volumes
the reporting,
information order to
it and
sanitize
party
frequency
defined personnel defined
frequency who in possess
and/ortheir organizational
personnel
randomly for in security credentials
policy. and/or badges
sanction.
AWS
correcting
the customers
environment, information are
as
or well
responsible
system
as flaws,
subsequently 2)accordance
protecting
Testing
terminate the with
IRP from
software their
and firmware
N/A
processes,
or who
unauthorizedhave
organization-definedstores,
information
disclosure
transmits,
process system
and
2)privileges
and Documenting
when
modification. newwithin risk anthe
vulnerabilities
Amazon
assessment
organization-potentially
EC2
results
updates
instance
in the system related
or delete to the
plan, flaw remediation
Amazon
security EBS for
assessment effectiveness
volume.report, Toordestroy
other and anpotential
Amazonside
organization- S3
defined
affecting timethe period, and
system/applications 5) Monitoring provider
are identified and compliance.
reported; 2) and
effects
object the
defined before customer
document, installation,
3)must Reviewing 3) Installing
delete therisk security-relevant
encryption
assessment key software
that controls
results at an access
Employing
firmware vulnerability
updates within scanning
an tools
organization-defined and techniques that promote
to it and then
organization-defined delete the Amazon
frequency, 4) object, whichtime
S3Disseminating will
risk period
break the
assessment of the key
interoperability
release amongand
of organization-defined
the updates, tools 4)and automated flaw
Incorporating partsremediation
of the vulnerability into the
and object
results to mapping. personnel or roles, and 5) Updating the
management process
organizational configuration by usingmanagement standards for: a) Enumerating platforms,
process.
risk assessment
software flaws, and at animproperorganization-defined
configurations, frequency
b) Formatting or whenever and there
AWS
are customers
significant are responsible
changes to the information for determining systemwhich orand of their AWS
environment of
making
RDS transparent
Specific (MySQL, checklists MariaDB, and test SQL procedures, c) Measuring
assets
operation contains
vulnerability (including spillage the or if the spillage
identification ofServer
extends
new threats and Postgres):
to their and on-premises AWS
Customers
assets, as well
vulnerabilities) areimpact;
responsible
as orfor other
3) Analyzing
conducting for identifying,
conditions
vulnerability
forensic
that may and reporting, scan and
remediation
impact
reports patching
the security
and their
activities stateinof
results
database from engines.security control
Theorganization’s assessments;
RDS service notifies 4) Remediating legitimate
accordance
the system. with their spillageAWS policies. customers through
vulnerabilities within organization-defined
AWS announcements and email announcements whenever a new response times in
accordance
version is available. with an organizational
The customer assessment will be ableof to risk;
go throughand 5) the Sharing
information
managementobtained console or from CLI thetovulnerability
update their particular RDS engine (Update options: Update Now or Update in the next maintenance window). The AWS Customer is responsible for performing tests on updated RDS engine versions before deploying to their environment to mitigate any potential performance issues.

N/A

scanning process and security assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

N/A

Prior to conducting penetration testing or vulnerability scanning activities, AWS customers are required to request authorization through the following URL: https://aws.amazon.com/security/penetration-testing/.

RDS Specific (Postgres, MySQL, MariaDB, SQL Server, Aurora, Oracle): AWS Customers are responsible for meeting scanning requirements on their databases in accordance with organization-defined frequency and/or when new vulnerabilities have been identified. Also, AWS Customers are required to remediate their legitimate findings within the organization-defined timeframe.

N/A

RDS Specific (Oracle): AWS Customers are responsible for identifying, reporting, and patching their database engines. The RDS service notifies AWS customers through AWS announcements and email announcements whenever a new RDS engine version is available. Please note, RDS Oracle engines and patches have a vendor dependency. RDS Specific Oracle updates rely on the vendor to merge AWS customized patches with Oracle releases to ensure all functionality is kept. Once a merged patch is created and validated, AWS will make the engine version available for customers. The customer will be able to go through the AWS management console or CLI to update their particular RDS engine (Update options: Update Now or Update in the next maintenance window). The AWS Customer is responsible for performing tests on updated RDS (Oracle) engine versions before deploying to their environment to mitigate any potential performance issues.

DynamoDB Specific: This service is a fully managed cloud NoSQL database service. AWS Customers offload database management tasks such as hardware or software provisioning, setup and configuration, software patching, operating a reliable, distributed database cluster, or partitioning data over multiple instances as you scale.

DynamoDB Specific: This service is a fully managed cloud NoSQL database service. AWS Customers offload database management tasks
AWS customers are responsible for: 1) Approving and monitoring
nonlocal maintenance and diagnostic activities; 2) Allowing the use of
nonlocal maintenance and diagnostic tools in accordance with their
maintenance policy and as documented in their SSP; 3) Employing
strong authenticators in the establishment of nonlocal maintenance and
diagnostic sessions; 4) Maintaining records for nonlocal maintenance
and diagnostic activities; and 5) Terminating session and network
connections when nonlocal maintenance is completed.

AWS customers are responsible for developing, documenting, maintaining, disseminating, and implementing an audit and accountability policy along with supporting procedures. AWS customers are responsible for reviewing and updating the policy and procedures at a frequency defined by their organization.

More information on implementing logging with an AWS account is available at https://aws.amazon.com/whitepapers/security-at-scale-logging-in-aws/ and http://aws.amazon.com/cloudtrail/

AWS customers are responsible for defining auditing requirements, verifying that their systems can perform such auditing, providing a rationale for why the selected audit settings are adequate, and implementing an audit solution that tracks events at a frequency defined by their audit and accountability policy.

AWS customers are responsible for configuring their systems to generate audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and identity of any individuals or subjects associated with the event.

AWS customers are responsible for allocating audit record storage capacity in accordance with the audit record storage requirements defined in their audit and accountability policy.

AWS customers are responsible for configuring their systems to alert personnel as defined in their audit and accountability policy in the event of an audit processing failure. AWS customers are responsible for configuring their systems to take organization-defined additional actions when an audit processing failure occurs based on the requirements defined in their audit and accountability policy.

AWS customers are responsible for reviewing and analyzing the audit records at an organization-defined frequency for indications of organization-defined inappropriate or unusual activity and reporting these findings to organization-defined personnel or roles in accordance with their audit and accountability policy.

AWS customers are responsible for implementing and configuring an audit reduction and report generation capability that: 1) Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents and 2) Does not alter the original content or time ordering of audit records.

AWS customers are responsible for configuring their systems to: 1) Use internal system clocks to generate time stamps for audit records and 2) Record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and that meet the granularity of time measurement defined in their audit and accountability policy.

AWS customers are responsible for configuring their systems to protect audit information and audit tools from unauthorized access, modification, and deletion.

AWS customers are responsible for configuring their systems to protect against an individual (or process acting on behalf of an individual) falsely denying having performed actions as defined in their audit and accountability policy.

AWS customers are responsible for retaining audit records for a period defined by their audit and accountability policy to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

AWS customers are responsible for configuring their systems to: 1) Provide audit record generation capabilities for the auditable events defined in AU-2a for all system components where audit capabilities are deployed/required based on the audit and accountability policy, 2) Allow organization-defined personnel or roles to select which auditable events are to be audited by specific components, and 3) Generate audit records for the events defined in AU-2d with the content defined in AU-3.

N/A
N/A
N/A
N/A
N/A
N/A
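The audit-record content and time-stamp responsibilities above (AU-3 and AU-8) can be checked mechanically against the records a system actually emits. The following is an added example, not part of the AWS document: it validates constructed records shaped like CloudTrail events. The field names eventName, eventTime, awsRegion, sourceIPAddress, errorCode and userIdentity are CloudTrail's; the mapping of those fields onto the AU-3 elements is this check's own assumption.

```python
"""Check that audit records carry the AU-3 content elements (what, when,
where, source, outcome, identity) and AU-8 time stamps mappable to UTC.

Added example, not part of the AWS document. Records are constructed samples
shaped like CloudTrail events; the AU-3 field mapping is an assumption.
"""
from datetime import datetime, timezone

# AU-3 element -> CloudTrail field that establishes it (assumed mapping).
# Outcome is not listed: CloudTrail records errorCode only on failure,
# so its absence means the request succeeded.
AU3_FIELDS = {
    "what": "eventName",
    "when": "eventTime",
    "where": "awsRegion",
    "source": "sourceIPAddress",
    "identity": "userIdentity",
}


def parse_utc_timestamp(value):
    """Return an aware UTC datetime for an ISO-8601 'Z' time stamp, else None (AU-8b)."""
    if not isinstance(value, str) or not value.endswith("Z"):
        return None
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def audit_record_gaps(record):
    """List the AU-3/AU-8 elements one record fails to establish (empty list = compliant)."""
    gaps = [element for element, key in AU3_FIELDS.items() if not record.get(key)]
    identity = record.get("userIdentity") or {}
    # an identity object without an ARN or principal does not identify anyone
    if "identity" not in gaps and not (identity.get("arn") or identity.get("principalId")):
        gaps.append("identity")
    if "when" not in gaps and parse_utc_timestamp(record["eventTime"]) is None:
        gaps.append("when-not-utc")
    return gaps


def check_records(records):
    """Map eventID (or record index) to its gaps for every non-compliant record."""
    result = {}
    for i, rec in enumerate(records):
        gaps = audit_record_gaps(rec)
        if gaps:
            result[rec.get("eventID", f"record-{i}")] = gaps
    return result


# Constructed sample records (not real CloudTrail output)
SAMPLE_RECORDS = [
    {   # complete record
        "eventID": "evt-1", "eventName": "StopInstances", "eventTime": "2019-01-02T03:04:05Z",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
    },
    {   # failed request: errorCode carries the outcome
        "eventID": "evt-2", "eventName": "DeleteTrail", "eventTime": "2019-01-02T03:05:00Z",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.10", "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE"},
    },
    {   # zone-less local time stamp and empty identity: fails AU-8 and AU-3
        "eventID": "evt-3", "eventName": "PutObject", "eventTime": "2019-01-02 03:06:00",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.11", "userIdentity": {},
    },
]

if __name__ == "__main__":
    for event_id, gaps in check_records(SAMPLE_RECORDS).items():
        print(event_id, "missing:", ", ".join(gaps))
```

Run against exported trail files, the check turns the AU-3 wording into a per-record pass/fail list; a source that routinely produces gaps is one whose audit settings need the rationale AU-2 asks for.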
AWS customers are responsible for configuring their systems to enforce logical access based on approved authorizations and in accordance with their access control policy.

AWS customers are responsible for configuring their system to provide only essential capabilities and to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in their configuration management policy.

AWS customers are responsible for establishing and documenting usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed to their systems in accordance with their access control policy. AWS customers are responsible for authorizing remote access to their systems prior to allowing such connections.

AWS customers are responsible for establishing and documenting usage restrictions, configuration/connection requirements, and implementation guidance for wireless access in accordance with their access control policy. AWS customers are responsible for authorizing wireless access to their systems prior to allowing such connections.

AWS customers are responsible for configuring their systems and interconnected systems to enforce their approved information flow control policies. This can be accomplished through configuration of Amazon Virtual Private Cloud (Amazon VPC) network Access Control Lists (ACL) for controlling inbound/outbound traffic at the subnet level and Amazon VPC security groups for controlling traffic at the instance level. More information on configuring Amazon VPC is available at http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html.

N/A

AWS customers are responsible for establishing usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies and authorizing, monitoring, and controlling the use of VoIP within their systems.

AWS customers are responsible for any Domain Name System (DNS) services they implement within their systems hosted on AWS. Within this context and pursuant to their system and communications protection policy, AWS customers are responsible for configuring DNS systems collectively providing name resolution services to their organization to: 1) Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries and 2) Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

AWS customers are responsible for configuring their systems to perform data origin authentication and data integrity verification on DNS resolution responses received from authoritative sources.

AWS customers are responsible for ensuring that information systems collectively providing name resolution services to their organization are fault-tolerant and have implemented internal/external role separation.

AWS customers are responsible for configuring their systems to protect the authenticity of communications sessions.
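The CM-7 and AC-4 customer responsibilities above (restrict ports and protocols to those with a business purpose; enforce flow control through security groups) are the kind of thing a customer can audit from the security group definitions themselves. The following is an added example, not code from the AWS document or from AWS: it walks a constructed set of groups in the shape of the IpPermissions element that EC2 DescribeSecurityGroups returns, reports ingress rules open to the whole Internet on ports outside an assumed allowlist, and shows the narrowed form of such a rule.

```python
"""Audit security group ingress rules for world-open ports that lack a
documented business purpose (CM-7 / AC-4 customer responsibility).

Added example, not part of the AWS document. The rule structure mirrors the
IpPermissions element of EC2 DescribeSecurityGroups; the groups and the
allowlist are constructed for illustration.
"""
from ipaddress import ip_network

# Assumed allowlist: (protocol, port) pairs with a documented business purpose
ALLOWED_PUBLIC = {("tcp", 443)}


def rule_is_world_open(ip_permission):
    """True if any IPv4 or IPv6 source range in the rule is the whole address space (/0)."""
    cidrs = [r["CidrIp"] for r in ip_permission.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in ip_permission.get("Ipv6Ranges", [])]
    return any(ip_network(c).prefixlen == 0 for c in cidrs)


def rule_ports(ip_permission):
    """Expand the rule's port range; protocol '-1' means all traffic and yields the sentinel -1."""
    if ip_permission["IpProtocol"] == "-1":
        return [-1]
    return list(range(ip_permission["FromPort"], ip_permission["ToPort"] + 1))


def find_overexposed_rules(security_groups, allowed=ALLOWED_PUBLIC):
    """Return (GroupId, protocol, port) for every world-open rule not covered by the allowlist."""
    findings = []
    for sg in security_groups:
        for perm in sg["IpPermissions"]:
            if not rule_is_world_open(perm):
                continue  # restricted source range: outside the scope of this check
            for port in rule_ports(perm):
                if (perm["IpProtocol"], port) not in allowed:
                    findings.append((sg["GroupId"], perm["IpProtocol"], port))
    return findings


def restrict_to_cidr(ip_permission, cidr):
    """Hardened copy of a rule: same ports, but sourced only from the given range."""
    fixed = dict(ip_permission)
    fixed["IpRanges"] = [{"CidrIp": cidr}]
    fixed["Ipv6Ranges"] = []
    return fixed


# Constructed sample groups (not taken from any real account)
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
    ]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

if __name__ == "__main__":
    for finding in find_overexposed_rules(SAMPLE_GROUPS):
        print("world-open rule without documented purpose:", finding)
```

The allowlist is the documented "business purpose" the control asks for, so it should live in version control next to the rules it justifies; a rule that fails the check is either narrowed (as restrict_to_cidr shows) or added to the allowlist with its justification.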

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
AWS customers are responsible for: 1) Monitoring and controlling communications at the external boundary of the system and at key internal boundaries within the system, 2) Implementing subnetworks for publicly accessible system components that are physically or logically separated from internal organizational networks, and 3) Connecting to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with organizational security architecture.

More information on securing an Amazon VPC is available at http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html.

N/A

N/A
N/A
N/A
AWS customers are responsible for developing an information security architecture for the information system that: 1) Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information, 2) Describes how the information security architecture is integrated into and supports the enterprise architecture, and 3) Describes any information security assumptions about and dependencies on external services.

AWS customers are responsible for reviewing and updating the information security architecture at an organization-defined frequency to reflect updates in the enterprise architecture. Planned information security architecture changes must be reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.

N/A

AWS customers are responsible for configuring their systems to protect the availability of resources by allocating organization-defined resources by priority, quota, or other organization-defined security safeguard.

More information on configuring for fault tolerance and high availability is available at http://media.amazonwebservices.com/architecturecenter/AWS_ac_ra_ftha_04.pdf.
Category Subcategory Informative References AWS Services/Resources NIST 800-53 Controls Alignment AWS Responsibility
Category: Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood.
Subcategory: DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
Informative References:
· CIS CSC 1, 4, 6, 12, 13, 15, 16
· COBIT 5 DSS03.01
· ISA 62443-2-1:2009 4.4.3.3
· ISO/IEC 27001:2013 A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2
· NIST SP 800-53 Rev. 4 AC-4, CA-3, CM-2, SI-4
AWS Services/Resources: AWS Best Practices, AWS Reference Architectures, AWS Cloudwatch, CloudTrail, VPC Flowlogs, AWS Config, AWS Organizations, AWS Firewall Manager, AWS PrivateLink, AWS Systems Manager, AWS OpsWorks, Amazon Macie, AWS Managed Services, AWS IoT Defender
NIST 800-53 Controls Alignment / AWS Responsibility:

AC-4 Several network fabrics exist at Amazon, each separated by boundary protection devices that control the flow of information between fabrics. The flow of information between fabrics is established by approved authorizations, which exist as ACL residing on these devices. ACLs are defined, approved by appropriate Amazon’s Information Security team, and managed and deployed using AWS’s ACL-management tool. Approved firewall rule sets and access control lists between network fabrics restrict the flow of information to specific information system services. ACLs and rule sets are reviewed and approved and are automatically pushed to boundary protection devices on a periodic basis (at least every 24 hours) to ensure rule sets and access control lists are up to date.
AWS implements least privilege throughout its infrastructure components. AWS prohibits all ports and protocols that do not have a specific business purpose. AWS follows a rigorous approach to minimal implementation of only those features and functions that are essential to use of the device. Network scanning is performed, and any unnecessary ports or protocols in use are corrected.

CA-3 A. There are no system interconnections.
B. There are no system interconnections.
C. There are no system interconnections.

CM-2 AWS has established formal policies and procedures to provide
employees with a common baseline for information security standards
and guidance. The AWS Information Security Management System
(ISMS) policy establishes guidelines for protecting the confidentiality,
integrity, and availability of customers’ systems and content.
Maintaining customer trust and confidence is of the utmost importance
to AWS.
AWS works to comply with applicable federal, state, and local laws,
statutes, ordinances, and regulations concerning security, privacy, and
data protection of AWS Cloud services in order to minimize the risk of
accidental or unauthorized access or disclosure of customer content.

SI-4 AWS deploys monitoring devices throughout the environment to collect
critical information on unauthorized intrusion attempts, usage abuse,
and network and application bandwidth usage. Monitoring devices are
placed within the AWS environment to detect and monitor for:
• Port scanning attacks
• Usage (CPU, Processes, disk utilization, swap rates, and errors in
software generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools
show indications of compromise or potential compromise, based upon
threshold alarming mechanisms determined by AWS service and
Security teams.
External access to data stored in Amazon S3 is logged. The logs are
retained for at least 90 days and include relevant access request
information such as the data accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s
AWS CloudTrail bucket in Amazon S3. The logged requests provide
information about who made the request and under which CMK and
will also describe information about the AWS resource that was
protected through the use of the CMK. These log events are visible to
the customer after turning on AWS CloudTrail in their account.
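DE.AE-1 asks the customer to establish a baseline of expected data flows, and VPC Flow Logs (listed in the services column) are the raw material for that on the customer side. The following is an added example, not part of the AWS document: it parses constructed flow-log lines in the default version 2 record format, learns the accepted (destination, port, protocol) tuples from a learning window, and then reports rejected traffic and accepted flows to destinations the baseline never saw. The interface and account identifiers in the sample lines are made up.

```python
"""Build a baseline of expected network flows from VPC Flow Log records and
flag flows outside it (DE.AE-1 on the customer side).

Added example, not part of the AWS document. The log lines are constructed
samples in the default VPC Flow Log format (version 2).
"""
from collections import namedtuple

Flow = namedtuple("Flow", "srcaddr dstaddr dstport protocol action")

# Default VPC Flow Log field order (version 2)
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()


def parse_flow_log_line(line):
    """Parse one default-format line; return None for NODATA/SKIPDATA or malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log-status"] != "OK":
        return None  # no addresses or ports are present on NODATA/SKIPDATA records
    return Flow(rec["srcaddr"], rec["dstaddr"], int(rec["dstport"]),
                int(rec["protocol"]), rec["action"])


def build_baseline(lines):
    """Set of (dstaddr, dstport, protocol) tuples accepted during the learning window."""
    baseline = set()
    for line in lines:
        flow = parse_flow_log_line(line)
        if flow and flow.action == "ACCEPT":
            baseline.add((flow.dstaddr, flow.dstport, flow.protocol))
    return baseline


def find_anomalies(lines, baseline):
    """Return (reason, flow) pairs: REJECTs, and ACCEPTs to a (dst, port, proto) not in the baseline."""
    anomalies = []
    for line in lines:
        flow = parse_flow_log_line(line)
        if flow is None:
            continue
        key = (flow.dstaddr, flow.dstport, flow.protocol)
        if flow.action == "REJECT":
            anomalies.append(("rejected", flow))
        elif key not in baseline:
            anomalies.append(("new-flow", flow))
    return anomalies


# Constructed learning window: a web tier on 10.0.1.10:443 talking to a database on 10.0.2.20:5432
LEARNING_LINES = [
    "2 123456789012 eni-0a1b2c3d 198.51.100.5 10.0.1.10 51000 443 6 10 8400 1546300800 1546300860 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 40000 5432 6 20 4000 1546300800 1546300860 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1546300800 1546300860 - NODATA",
]

# Constructed detection window: baseline traffic, a rejected connection, and an unexpected outbound flow
DETECTION_LINES = [
    "2 123456789012 eni-0a1b2c3d 198.51.100.5 10.0.1.10 51001 443 6 10 8400 1546304400 1546304460 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.10 44444 22 6 1 60 1546304400 1546304460 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.2.20 203.0.113.9 33000 4444 6 50 90000 1546304400 1546304460 ACCEPT OK",
]

if __name__ == "__main__":
    baseline = build_baseline(LEARNING_LINES)
    for reason, flow in find_anomalies(DETECTION_LINES, baseline):
        print(reason, flow)
```

The baseline is keyed on the destination service rather than on the client address, so a new client of a known service is not an anomaly while a known host opening a connection to a destination it never used before is; in practice the learning window is long enough to cover batch and maintenance traffic, and the baseline is re-learned whenever the architecture changes.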

Subcategory: DE.AE-2: Detected events are analyzed to understand attack targets and methods
Informative References:
· CIS CSC 3, 6, 13, 15
· COBIT 5 DSS05.07
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
· ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1, SR 6.2
· ISO/IEC 27001:2013 A.12.4.1, A.16.1.1, A.16.1.4
· NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, SI-4
AWS Services/Resources: AWS Best Practices, AWS Reference Architectures, AWS Cloudwatch, CloudTrail, VPC Flowlogs, Amazon Athena, AWS Config, Amazon GuardDuty, Amazon S3, Amazon Machine Learning, Amazon SageMaker, Amazon Macie, AWS Managed Services, AWS Systems Manager
NIST 800-53 Controls Alignment / AWS Responsibility:

AU-6 AWS deploys monitoring devices throughout the environment to collect critical information on unauthorized intrusion attempts, usage abuse, and network and application bandwidth usage. Monitoring devices are placed within the AWS environment to detect and monitor for:
• Port scanning attacks
• Usage (CPU, Processes, disk utilization, swap rates, and errors in software generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools show indications of compromise or potential compromise, based upon threshold alarming mechanisms determined by AWS service and Security teams.
External access to data stored in Amazon S3 is logged. The logs are
retained for at least 90 days and include relevant access request
information such as the data accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s
AWS CloudTrail bucket in Amazon S3. The logged requests provide
information about who made the request and under which CMK and
will also describe information about the AWS resource that was
protected through the use of the CMK. These log events are visible to
the customer after turning on AWS CloudTrail in their account.

CA-7 AWS conducts monthly monitoring of its security posture through a
continuous risk assessment and monitoring process. Additionally,
annual security assessments are conducted by an accredited Third-Party
Assessment Organization (3PAO) to validate that implemented security
controls continue to be effective. Security assessments that include a
risk analysis and a Plan of Action and Milestones (POA&M) are
submitted to authorizing officials for review and approval.

IR-4 AWS will notify customers of a security breach in accordance with the
terms outlined in the service agreement with AWS. AWS’s commitment
to all AWS customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any
customer data (i.e., any personal data that is uploaded to a customer’s
AWS account) on AWS’s equipment or in AWS’s facilities and this
unlawful or unauthorized access results in loss, disclosure, or alteration
of customer data, AWS will promptly notify the customer and take
reasonable steps to reduce the effects of this security incident.
AWS defines, administers, and monitors security for the underlying
cloud infrastructure (i.e., the hardware, the facilities housing the
hardware, and the network infrastructure).
Because AWS manages the infrastructure and the security controls that
apply to it, AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would
be unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control
and this incident results in loss, disclosure, or alteration of customer
content, AWS will promptly notify the customer. AWS does this
regardless of whether the customer's content is sensitive or not, because
AWS does not know what the customer content is and protects all
customer content in the same robust way.
SI-4 AWS deploys monitoring devices throughout the environment to collect
critical information on unauthorized intrusion attempts, usage abuse,
and network and application bandwidth usage. Monitoring devices are
placed within the AWS environment to detect and monitor for:
• Port scanning attacks
• Usage (CPU, Processes, disk utilization, swap rates, and errors in
software generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools
show indications of compromise or potential compromise, based upon
threshold alarming mechanisms determined by AWS service and
Security teams.
External access to data stored in Amazon S3 is logged. The logs are
retained for at least 90 days and include relevant access request
information such as the data accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s
AWS CloudTrail bucket in Amazon S3. The logged requests provide
information about who made the request and under which CMK and
will also describe information about the AWS resource that was
protected through the use of the CMK. These log events are visible to
the customer after turning on AWS CloudTrail in their account.

Subcategory: DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors
Informative References:
· CIS CSC 1, 3, 4, 5, 6, 7, 8, 11, 12, 13, 14, 15, 16
· COBIT 5 BAI08.02
· ISA 62443-3-3:2013 SR 6.1
· ISO/IEC 27001:2013 A.12.4.1, A.16.1.7
· NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, IR-8, SI-4
AWS Services/Resources: AWS Best Practices, AWS Reference Architectures, AWS Cloudwatch, CloudWatch Logs, CloudTrail, VPC Flowlogs, Amazon GuardDuty, Amazon S3, Amazon Athena, AWS Systems Manager, AWS Managed Services, AWS IoT Device Defender, Amazon Macie
NIST 800-53 Controls Alignment / AWS Responsibility:

AU-6 AWS deploys monitoring devices throughout the environment to collect critical information on unauthorized intrusion attempts, usage abuse, and network and application bandwidth usage. Monitoring devices are placed within the AWS environment to detect and monitor for:
• Port scanning attacks
• Usage (CPU, Processes, disk utilization, swap rates, and errors in software generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools
show indications of compromise or potential compromise, based upon
threshold alarming mechanisms determined by AWS service and
Security teams.
External access to data stored in Amazon S3 is logged. The logs are
retained for at least 90 days and include relevant access request
information such as the data accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s
AWS CloudTrail bucket in Amazon S3. The logged requests provide
information about who made the request and under which CMK and
will also describe information about the AWS resource that was
protected through the use of the CMK. These log events are visible to
the customer after turning on AWS CloudTrail in their account.

CA-7 AWS conducts monthly monitoring of its security posture through a
continuous risk assessment and monitoring process. Additionally,
annual security assessments are conducted by an accredited Third-Party
Assessment Organization (3PAO) to validate that implemented security
controls continue to be effective. Security assessments that include a
risk analysis and a Plan of Action and Milestones (POA&M) are
submitted to authorizing officials for review and approval.

IR-4 AWS will notify customers of a security breach in accordance with the
terms outlined in the service agreement with AWS. AWS’s commitment
to all AWS customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any
customer data (i.e., any personal data that is uploaded to a customer’s
AWS account) on AWS’s equipment or in AWS’s facilities and this
unlawful or unauthorized access results in loss, disclosure, or alteration
of customer data, AWS will promptly notify the customer and take
reasonable steps to reduce the effects of this security incident.
AWS defines, administers, and monitors security for the underlying
cloud infrastructure (i.e., the hardware, the facilities housing the
hardware, and the network infrastructure).
Because AWS manages the infrastructure and the security controls that
apply to it, AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would
be unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control
and this incident results in loss, disclosure, or alteration of customer
content, AWS will promptly notify the customer. AWS does this
regardless of whether the customer's content is sensitive or not, because
AWS does not know what the customer content is and protects all
customer content in the same robust way.

IR-5 AWS will notify customers of a security breach in accordance with the
terms outlined in the service agreement with AWS. AWS’s commitment
to all AWS customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any
customer data (i.e., any personal data that is uploaded to a customer’s
AWS account) on AWS’s equipment or in AWS’s facilities and this
unlawful or unauthorized access results in loss, disclosure, or alteration
of customer data, AWS will promptly notify the customer and take
reasonable steps to reduce the effects of this security incident.
AWS defines, administers, and monitors security for the underlying
cloud infrastructure (i.e., the hardware, the facilities housing the
hardware, and the network infrastructure).
Because AWS manages the infrastructure and the security controls that
apply to it, AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would
be unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control
and this incident results in loss, disclosure, or alteration of customer
content, AWS will promptly notify the customer. AWS does this
regardless of whether the customer's content is sensitive or not, because
AWS does not know what the customer content is and protects all
customer content in the same robust way.

IR-8 AWS has implemented a formal, documented incident response policy
and program. The policy addresses purpose, scope, roles,
responsibilities, and management commitment.
AWS uses a three-phased approach to manage incidents:
1. Activation and Notification Phase – Incidents for AWS begin with
the detection of an event. Events originate from several sources such as:
• Metrics and alarms – AWS maintains an exceptional situational
awareness capability; most issues are rapidly detected from 24x7x365
monitoring and alarming of real time metrics and service dashboards.
The majority of incidents are detected in this manner. AWS uses early
indicator alarms to proactively identify issues that may ultimately
impact customers.
• Trouble tickets entered by an AWS employee.
• Calls to the 24x7x365 technical support hotline.
If the event meets incident criteria, the relevant on-call support engineer
uses AWS’s event management tool system to start an engagement and
page relevant program resolvers (e.g., AWS Security). The resolvers
will perform an analysis of the incident to determine if additional
resolvers should be engaged and to determine the approximate root
cause.
2. Recovery Phase – The relevant resolvers will perform break fix to
address the incident. After addressing troubleshooting, break fix and
affected components, the call leader will assign follow-up
documentation and follow-up actions and end the call engagement.
3. Reconstitution Phase – The call leader will declare the recovery
phase complete after the relevant fix activities have been addressed. The
post mortem and deep root cause analysis of the incident will be
assigned to the relevant team. The results of the post mortem will be
reviewed by relevant senior management and actions and captured in a
Correction of Errors (COE) document and tracked to completion.
To ensure the effectiveness of the AWS incident response plan, AWS
conducts incident response testing. This testing provides excellent
coverage for the discovery of previously unknown defects and failure
modes. In addition, it allows the AWS Security and service teams to test
SI-4 AWS deploys monitoring devices throughout the environment to collect
critical information on unauthorized intrusion attempts, usage abuse,
and network and application bandwidth usage. Monitoring devices are
placed within the AWS environment to detect and monitor for:
• Port scanning attacks
• Usage (CPU, Processes, disk utilization, swap rates, and errors in
software generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools
show indications of compromise or potential compromise, based upon
threshold alarming mechanisms determined by AWS service and
Security teams.
External access to data stored in Amazon S3 is logged. The logs are
retained for at least 90 days and include relevant access request
information such as the data accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s
AWS CloudTrail bucket in Amazon S3. The logged requests provide
information about who made the request and under which CMK and
will also describe information about the AWS resource that was
protected through the use of the CMK. These log events are visible to
the customer after turning on AWS CloudTrail in their account.

Subcategory: DE.AE-4: Impact of events is determined
Informative References:
· CIS CSC 4, 6
· COBIT 5 APO12.06, DSS03.01
· ISO/IEC 27001:2013 A.16.1.4
· NIST SP 800-53 Rev. 4 CP-2, IR-4, RA-3, SI-4
AWS Services/Resources: AWS Best Practices, AWS Reference Architectures, AWS CloudFormation, AWS Cloudwatch, CloudTrail, VPC Flowlogs, AWS Config, AWS Organizations, AWS Firewall Manager, AWS Systems Manager, AWS OpsWorks, Amazon Macie, AWS Managed Services, AWS IoT Defender, Amazon GuardDuty, Amazon Machine Learning, Amazon SageMaker, AWS WAF, AWS Shield
NIST 800-53 Controls Alignment / AWS Responsibility:

CP-2 The AWS Business Continuity policy lays out the guidelines used to implement procedures to respond to a serious outage or degradation of AWS services, including the recovery model and its implications on the business continuity plan.

Refer to the following AWS Audit Reports for additional details: PCI 3.2, ISO 27001, ISO 27017, NIST 800-53, SOC 2 COMMON CRITERIA

IR-4 AWS will notify customers of a security breach in accordance with the
terms outlined in the service agreement with AWS. AWS’s commitment
to all AWS customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any
customer data (i.e., any personal data that is uploaded to a customer’s
AWS account) on AWS’s equipment or in AWS’s facilities and this
unlawful or unauthorized access results in loss, disclosure, or alteration
of customer data, AWS will promptly notify the customer and take
reasonable steps to reduce the effects of this security incident.
AWS defines, administers, and monitors security for the underlying
cloud infrastructure (i.e., the hardware, the facilities housing the
hardware, and the network infrastructure).
Because AWS manages the infrastructure and the security controls that
apply to it, AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would
be unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control
and this incident results in loss, disclosure, or alteration of customer
content, AWS will promptly notify the customer. AWS does this
regardless of whether the customer's content is sensitive or not, because
AWS does not know what the customer content is and protects all
customer content in the same robust way.

RA-3 AWS performs a continuous risk assessment process to identify,
evaluate and mitigate risks across the company. The process involves
developing and implementing risk treatment plans to mitigate risks as
necessary. The AWS risk management team monitors and escalates
risks on a continuous basis, performing risk assessments on newly
implemented controls at least every six months.

SI-4 AWS deploys monitoring devices throughout the environment to collect
critical information on unauthorized intrusion attempts, usage abuse,
and network and application bandwidth usage. Monitoring devices are
placed within the AWS environment to detect and monitor for:
• Port scanning attacks
• Usage (CPU, Processes, disk utilization, swap rates, and errors in
software generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools
show indications of compromise or potential compromise, based upon
threshold alarming mechanisms determined by AWS service and
Security teams.
External access to data stored in Amazon S3 is logged. The logs are
retained for at least 90 days and include relevant access request
information such as the data accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s
AWS CloudTrail bucket in Amazon S3. The logged requests provide
information about who made the request and under which CMK and
will also describe information about the AWS resource that was
protected through the use of the CMK. These log events are visible to
the customer after turning on AWS CloudTrail in their account.

DE.AE-5: Incident alert thresholds are established
· CIS CSC 6, 19
· COBIT 5 APO12.06, DSS03.01
· ISA 62443-2-1:2009 4.2.3.10
· ISO/IEC 27001:2013 A.16.1.4
· NIST SP 800-53 Rev. 4 IR-4, IR-5, IR-8
AWS Services/Resources: AWS Best Practices, AWS Reference Architectures, AWS CloudWatch, AWS Config, CloudTrail, VPC Flow Logs, Amazon GuardDuty, AWS Trusted Advisor, AWS OpsWorks, AWS Managed Services, AWS IoT Defender, AWS IoT Device Management
IR-4 AWS will notify customers of a security breach in accordance with the
terms outlined in the service agreement with AWS. AWS’s commitment
to all AWS customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any
customer data (i.e., any personal data that is uploaded to a customer’s
AWS account) on AWS’s equipment or in AWS’s facilities and this
unlawful or unauthorized access results in loss, disclosure, or alteration
of customer data, AWS will promptly notify the customer and take
reasonable steps to reduce the effects of this security incident.
AWS defines, administers, and monitors security for the underlying
cloud infrastructure (i.e., the hardware, the facilities housing the
hardware, and the network infrastructure).
Because AWS manages the infrastructure and the security controls that
apply to it, AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would
be unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control
and this incident results in loss, disclosure, or alteration of customer
content, AWS will promptly notify the customer. AWS does this
regardless of whether the customer's content is sensitive or not, because
AWS does not know what the customer content is and protects all
customer content in the same robust way.
IR-5 AWS will notify customers of a security breach in accordance with the
terms outlined in the service agreement with AWS. AWS’s commitment
to all AWS customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any
customer data (i.e., any personal data that is uploaded to a customer’s
AWS account) on AWS’s equipment or in AWS’s facilities and this
unlawful or unauthorized access results in loss, disclosure, or alteration
of customer data, AWS will promptly notify the customer and take
reasonable steps to reduce the effects of this security incident.
AWS defines, administers, and monitors security for the underlying
cloud infrastructure (i.e., the hardware, the facilities housing the
hardware, and the network infrastructure).
Because AWS manages the infrastructure and the security controls that
apply to it, AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would
be unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control
and this incident results in loss, disclosure, or alteration of customer
content, AWS will promptly notify the customer. AWS does this
regardless of whether the customer's content is sensitive or not, because
AWS does not know what the customer content is and protects all
customer content in the same robust way.

IR-8 AWS has implemented a formal, documented incident response policy
and program. The policy addresses purpose, scope, roles,
responsibilities, and management commitment.
AWS uses a three-phased approach to manage incidents:
1. Activation and Notification Phase – Incidents for AWS begin with
the detection of an event. Events originate from several sources such as:
• Metrics and alarms – AWS maintains an exceptional situational
awareness capability; most issues are rapidly detected from 24x7x365
monitoring and alarming of real time metrics and service dashboards.
The majority of incidents are detected in this manner. AWS uses early
indicator alarms to proactively identify issues that may ultimately
impact customers.
• Trouble tickets entered by an AWS employee.
• Calls to the 24x7x365 technical support hotline.
If the event meets incident criteria, the relevant on-call support engineer
uses AWS’s event management tool system to start an engagement and
page relevant program resolvers (e.g., AWS Security). The resolvers
will perform an analysis of the incident to determine if additional
resolvers should be engaged and to determine the approximate root
cause.
2. Recovery Phase – The relevant resolvers will perform break fix to
address the incident. After addressing troubleshooting, break fix and
affected components, the call leader will assign follow-up
documentation and follow-up actions and end the call engagement.
3. Reconstitution Phase – The call leader will declare the recovery
phase complete after the relevant fix activities have been addressed. The
post mortem and deep root cause analysis of the incident will be
assigned to the relevant team. The results of the post mortem will be
reviewed by relevant senior management, and actions are captured in a
Correction of Errors (COE) document and tracked to completion.
To ensure the effectiveness of the AWS incident response plan, AWS
conducts incident response testing. This testing provides excellent
coverage for the discovery of previously unknown defects and failure
modes. In addition, it allows the AWS Security and service teams to test
Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
DE.CM-1: The network is monitored to detect potential cybersecurity events
· CIS CSC 1, 7, 8, 12, 13, 15, 16
· COBIT 5 DSS01.03, DSS03.05, DSS05.07
· ISA 62443-3-3:2013 SR 6.2
· NIST SP 800-53 Rev. 4 AC-2, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4
AWS Services/Resources: AWS Best Practices, AWS Reference Architectures, AWS CloudWatch, AWS CloudTrail, VPC Flow Logs, Amazon Athena, AWS Config, Amazon GuardDuty, Amazon S3, AWS WAF, Amazon Machine Learning, Amazon SageMaker, AWS Managed Services, Amazon Macie, AWS IoT Defender, AWS Shield, Amazon SNS
AC-2 N/A

AU-12 AWS deploys monitoring devices throughout the environment to collect
critical information on unauthorized intrusion attempts, usage abuse,
and network and application bandwidth usage. Monitoring devices are
placed within the AWS environment to detect and monitor for:
• Port scanning attacks
• Usage (CPU, Processes, disk utilization, swap rates, and errors in
software generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools
show indications of compromise or potential compromise, based upon
threshold alarming mechanisms determined by AWS service and
Security teams.
External access to data stored in Amazon S3 is logged. The logs are
retained for at least 90 days and include relevant access request
information such as the data accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s
AWS CloudTrail bucket in Amazon S3. The logged requests provide
information about who made the request and under which CMK and
will also describe information about the AWS resource that was
protected through the use of the CMK. These log events are visible to
the customer after turning on AWS CloudTrail in their account.
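The AU-12 text above names the indicators AWS monitors for (port scanning, unauthorized connection attempts) and says alerts fire from threshold alarming mechanisms set by the service and security teams; the VPC Flow Logs listed under this subcategory are where a customer sees the equivalent signal for its own VPCs. The following is an added example, not code from the AWS document: it parses default-format VPC Flow Log records (a constructed sample) and raises a threshold alert when a single source address has rejected connections to many distinct destination ports, or many rejected connections overall. The field order is the documented default flow log format; the two thresholds, the addresses, and the account and interface ids are assumptions made for the example.

```python
"""Threshold alarming over VPC Flow Log records.

Added illustration; not code from the AWS document. Assumes the default
14-field VPC Flow Log record format and two constructed thresholds
(MAX_DISTINCT_PORTS, MAX_REJECTS) that a service team would tune.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default VPC Flow Log (version 2) field order, space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Thresholds are constructed for this example; a real deployment tunes them.
MAX_DISTINCT_PORTS = 5   # rejected connections to this many distinct ports => scan
MAX_REJECTS = 10         # this many rejected connections in total => repeated attempts

# Constructed sample records: one source probing six ports, one source
# retrying a single closed port ten times, normal accepted traffic, and a
# NODATA record that carries no traffic fields.
_SCAN = [
    f"2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 {40000 + i} {port} 6 1 60 "
    f"1700000000 1700000060 REJECT OK"
    for i, port in enumerate((22, 23, 25, 80, 443, 3389))
]
_RETRY = [
    f"2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.21 {50000 + i} 3306 6 1 60 "
    f"1700000000 1700000060 REJECT OK"
    for i in range(10)
]
SAMPLE_LOG = "\n".join(_SCAN + _RETRY + [
    "2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.1.20 51515 443 6 12 3400 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA",
])


@dataclass(frozen=True)
class Alert:
    srcaddr: str
    reason: str   # "port-scan" or "repeated-rejects"
    value: int    # distinct ports or reject count that crossed the threshold


def parse_flow_log(text: str) -> List[Dict[str, Optional[object]]]:
    """Parse default-format flow log lines into dicts; '-' fields become None."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or truncated record: skip rather than crash
        rec: Dict[str, Optional[object]] = dict(zip(FIELDS, parts))
        for name in INT_FIELDS:
            rec[name] = None if rec[name] == "-" else int(rec[name])
        records.append(rec)
    return records


def evaluate_thresholds(records, max_distinct_ports=MAX_DISTINCT_PORTS,
                        max_rejects=MAX_REJECTS) -> List[Alert]:
    """Raise one alert per source address whose REJECT records cross a threshold."""
    ports_by_src = defaultdict(set)
    rejects_by_src = defaultdict(int)
    for rec in records:
        # Only records the capture actually produced (log_status OK) and that
        # the security group / network ACL rejected count as connection attempts.
        if rec["log_status"] != "OK" or rec["action"] != "REJECT":
            continue
        ports_by_src[rec["srcaddr"]].add(rec["dstport"])
        rejects_by_src[rec["srcaddr"]] += 1
    alerts = []
    for src in sorted(rejects_by_src):
        if len(ports_by_src[src]) >= max_distinct_ports:
            alerts.append(Alert(src, "port-scan", len(ports_by_src[src])))
        elif rejects_by_src[src] >= max_rejects:
            alerts.append(Alert(src, "repeated-rejects", rejects_by_src[src]))
    return alerts


if __name__ == "__main__":
    for alert in evaluate_thresholds(parse_flow_log(SAMPLE_LOG)):
        print(f"{alert.srcaddr}: {alert.reason} ({alert.value})")
```

Records whose log_status is not OK are excluded before counting, because NODATA and SKIPDATA records describe the capture, not the traffic, and would otherwise distort the counts. The two thresholds are independent so that a scanner touching a few ports many times and a scanner touching many ports once are both caught.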

CA-7 AWS conducts monthly monitoring of its security posture through a
continuous risk assessment and monitoring process. Additionally,
annual security assessments are conducted by an accredited Third-Party
Assessment Organization (3PAO) to validate that implemented security
controls continue to be effective. Security assessments that include a
risk analysis and a Plan of Action and Milestones (POA&M) are
submitted to authorizing officials for review and approval.

CM-3 AWS applies a systematic approach to managing change to ensure that
all changes are reviewed, tested, and approved. The AWS change
management approach requires that the following steps be complete
before a change is deployed:
1. Document and communicate the change via the appropriate AWS
change management tool.
2. Plan implementation of the change and rollback procedures to
minimize disruption.
3. Test the change in a logically segregated, non-production
environment.
4. Complete a peer review of the change with a focus on business
impact and technical rigor. The review should include a code review.
5. Attain approval for the change by an authorized individual.
In order to validate that changes follow the standard change
management procedures, all changes to the AWS environment are
reviewed on at least a monthly basis. An audit trail of the changes is
maintained for at least one year. AWS maintains processes to detect
unauthorized changes made to the environment. Any exceptions are
analyzed to determine the root cause. Appropriate actions are taken to
bring the change into compliance or roll back the change, if necessary.
Actions are then taken to address and remediate the process or people
issue.
SC-5 AWS operates, manages, and controls the infrastructure components,
from the host operating system and virtualization layer down to the
physical security of the facilities in which the services operate. AWS
endpoints are tested as part of AWS compliance vulnerability scans.
AWS Cloud services are managed in a manner that preserves their
confidentiality, integrity, and availability. AWS has implemented secure
software development procedures that are followed to ensure that
appropriate security controls are incorporated into the application
design. As part of the application design process, new applications must
participate in an AWS Security review, which includes registering the
application, initiating application risk classification, participating in
architecture review and threat modeling, performing code review, and
performing a penetration test.

SC-7 Several network fabrics exist at Amazon, each separated by boundary
protection devices that control the flow of information between fabrics.
The flow of information between fabrics is established by approved
authorizations, which exist as ACLs residing on these devices. ACLs are
defined, approved by the appropriate Amazon Information Security team,
and managed and deployed using AWS’s ACL-management tool.
Approved firewall rule sets and access control lists between network
fabrics restrict the flow of information to specific information system
services. ACLs and rule sets are reviewed and approved and are
automatically pushed to boundary protection devices on a periodic basis
(at least every 24 hours) to ensure rule sets and access control lists are
up to date.
AWS implements least privilege throughout its infrastructure
components. AWS prohibits all ports and protocols that do not have a
specific business purpose. AWS follows a rigorous approach to minimal
implementation of only those features and functions that are essential to
use of the device. Network scanning is performed, and any unnecessary
ports or protocols in use are corrected.

SI-4 AWS deploys monitoring devices throughout the environment to collect
critical information on unauthorized intrusion attempts, usage abuse,
and network and application bandwidth usage. Monitoring devices are
placed within the AWS environment to detect and monitor for:
• Port scanning attacks
• Usage (CPU, Processes, disk utilization, swap rates, and errors in
software generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools
show indications of compromise or potential compromise, based upon
threshold alarming mechanisms determined by AWS service and
Security teams.
External access to data stored in Amazon S3 is logged. The logs are
retained for at least 90 days and include relevant access request
information such as the data accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s
AWS CloudTrail bucket in Amazon S3. The logged requests provide
information about who made the request and under which CMK and
will also describe information about the AWS resource that was
protected through the use of the CMK. These log events are visible to
the customer after turning on AWS CloudTrail in their account.

DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
· COBIT 5 DSS01.04, DSS01.05
· ISA 62443-2-1:2009 4.3.3.3.8
· ISO/IEC 27001:2013 A.11.1.1, A.11.1.2
· NIST SP 800-53 Rev. 4 CA-7, PE-3, PE-6, PE-20
AWS Services/Resources: AWS Artifact
CA-7 AWS conducts monthly monitoring of its security posture through a
continuous risk assessment and monitoring process. Additionally,
annual security assessments are conducted by an accredited Third-Party
Assessment Organization (3PAO) to validate that implemented security
controls continue to be effective. Security assessments that include a
risk analysis and a Plan of Action and Milestones (POA&M) are
submitted to authorizing officials for review and approval.

PE-20 N/A
PE-3 Physical access to all AWS data centers housing IT infrastructure
components is restricted to authorized data center employees, vendors,
and contractors who require access in order to execute their jobs.
Access to facilities is only permitted at controlled access points that
require multi-factor authentication designed to prevent tailgating and to
ensure that only authorized individuals enter an AWS data center. On a
quarterly basis, access lists and authorization credentials of personnel
with access to AWS data centers are reviewed by the respective data
center Area Access Managers (AAM).
All entrances to AWS data centers, including the main entrance, the
loading dock, and any roof doors/hatches, are secured with intrusion
detection devices that sound alarms if the door is forced open or held
open.
Trained security guards are stationed at the building entrance 24/7. If a
door or cage within a data center has a malfunctioning card reader or
PIN pad and cannot be secured electronically, a security guard is posted
at the door until it can be repaired.

Physical access points to server locations are recorded by closed circuit
television camera (CCTV). Images are retained for 90 days, unless
limited to 30 days by legal or contractual obligations.

PE-6 Physical access to all AWS data centers housing IT infrastructure
components is restricted to authorized data center employees, vendors,
and contractors who require access in order to execute their jobs.
Access to facilities is only permitted at controlled access points that
require multi-factor authentication designed to prevent tailgating and to
ensure that only authorized individuals enter an AWS data center. On a
quarterly basis, access lists and authorization credentials of personnel
with access to AWS data centers are reviewed by the respective data
center Area Access Managers (AAM).
All entrances to AWS data centers, including the main entrance, the
loading dock, and any roof doors/hatches, are secured with intrusion
detection devices that sound alarms if the door is forced open or held
open.
Trained security guards are stationed at the building entrance 24/7. If a
door or cage within a data center has a malfunctioning card reader or
PIN pad and cannot be secured electronically, a security guard is posted
at the door until it can be repaired.

DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
· CIS CSC 5, 7, 14, 16
· COBIT 5 DSS05.07
· ISA 62443-3-3:2013 SR 6.2
· ISO/IEC 27001:2013 A.12.4.1, A.12.4.3
· NIST SP 800-53 Rev. 4 AC-2, AU-12, AU-13, CA-7, CM-10, CM-11
AWS Services/Resources: AWS Artifact, AWS Best Practices, AWS Reference Architectures, AWS CloudTrail, AWS CloudWatch, Amazon GuardDuty, AWS Managed Services, Amazon Macie, AWS IAM
AC-2 N/A
AU-12 AWS deploys monitoring devices throughout the environment to collect
critical information on unauthorized intrusion attempts, usage abuse,
and network and application bandwidth usage. Monitoring devices are
placed within the AWS environment to detect and monitor for:
• Port scanning attacks
• Usage (CPU, Processes, disk utilization, swap rates, and errors in
software generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools
show indications of compromise or potential compromise, based upon
threshold alarming mechanisms determined by AWS service and
Security teams.
External access to data stored in Amazon S3 is logged. The logs are
retained for at least 90 days and include relevant access request
information such as the data accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s
AWS CloudTrail bucket in Amazon S3. The logged requests provide
information about who made the request and under which CMK and
will also describe information about the AWS resource that was
protected through the use of the CMK. These log events are visible to
the customer after turning on AWS CloudTrail in their account.

AU-13 N/A
CA-7 AWS conducts monthly monitoring of its security posture through a
continuous risk assessment and monitoring process. Additionally,
annual security assessments are conducted by an accredited Third-Party
Assessment Organization (3PAO) to validate that implemented security
controls continue to be effective. Security assessments that include a
risk analysis and a Plan of Action and Milestones (POA&M) are
submitted to authorizing officials for review and approval.

CM-10 AWS maintains a systematic approach to planning and developing new
services for the AWS environment, to ensure that quality and security
requirements are met with each release. AWS’ strategy for the design
and development of services is to clearly define services in terms of
customer use cases, service performance, marketing and distribution
requirements, production and testing, and legal and regulatory
requirements. The design of all new services or any significant changes
to current services follow secure software development practices and
are controlled through a project management system with multi-
disciplinary participation. Requirements and service specifications are
established during service development, taking into account legal and
regulatory requirements, customer contractual commitments, and
requirements to meet the confidentiality, integrity and availability of the
service. Service reviews are completed as part of the development
process. Prior to launch, each of the following requirements must be
complete:
• Security Risk Assessment
• Threat modeling
• Security design reviews
• Secure code reviews
• Security testing
• Vulnerability/penetration testing

AWS implements open source software or custom code within its
services. All open source software to include binary
or machine-executable code from third-parties is reviewed and
approved by the Open Source Group prior to
implementation, and has source code that is publicly accessible. AWS
service teams are prohibited from implementing code from third parties
unless it has been approved through the open source review. All code
developed by AWS is available for review by the applicable service
team, as well as AWS Security. By its nature, open source code is
available for review by the Open Source Group prior to granting
CM-11 AWS operates, manages, and controls the infrastructure components,
from the host operating system and virtualization layer down to the
physical security of the facilities in which the services operate. AWS
endpoints are tested as part of AWS compliance vulnerability scans.
AWS Cloud services are managed in a manner that preserves their
confidentiality, integrity, and availability. AWS has implemented secure
software development procedures that are followed to ensure that
appropriate security controls are incorporated into the application
design. As part of the application design process, new applications must
participate in an AWS Security review, which includes registering the
application, initiating application risk classification, participating in
architecture review and threat modeling, performing code review, and
performing a penetration test.

DE.CM-4: Malicious code is detected
· CIS CSC 4, 7, 8, 12
· COBIT 5 DSS05.01
· ISA 62443-2-1:2009 4.3.4.3.8
· ISA 62443-3-3:2013 SR 3.2
· ISO/IEC 27001:2013 A.12.2.1
· NIST SP 800-53 Rev. 4 SI-3, SI-8
AWS Services/Resources: AWS Best Practices, AWS Reference Architectures, AWS Config, AWS CloudWatch, CloudTrail, VPC Flow Logs, AWS CodePipeline, Amazon Inspector, AWS SDKs, AWS X-Ray, AWS Managed Services, Customer Responsibility
SI-3 Amazon assets (e.g., laptops) are configured with anti-virus software
that includes email filtering and malware detection.

SI-8 Amazon assets (e.g., laptops) are configured with anti-virus software
that includes email filtering and malware detection.

DE.CM-5: Unauthorized mobile code is detected
· CIS CSC 7, 8
· COBIT 5 DSS05.01
· ISA 62443-3-3:2013 SR 2.4
· ISO/IEC 27001:2013 A.12.5.1, A.12.6.2
· NIST SP 800-53 Rev. 4 SC-18, SI-4, SC-44
AWS Services/Resources: AWS Artifact, AWS Best Practices, AWS Reference Architectures, Amazon Inspector, AWS SDKs, AWS CodeStar, AWS X-Ray, AWS CodePipeline, AWS Config, AWS OpsWorks, AWS Managed Services
SC-18 AWS has defined JavaScript as the only acceptable mobile code that is
used within the system. JavaScript is used to implement certain features
within the IAM service. Other forms of mobile code are not approved
by AWS.
SC-44 N/A
SI-4 AWS deploys monitoring devices throughout the environment to collect
critical information on unauthorized intrusion attempts, usage abuse,
and network and application bandwidth usage. Monitoring devices are
placed within the AWS environment to detect and monitor for:
• Port scanning attacks
• Usage (CPU, Processes, disk utilization, swap rates, and errors in
software generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools
show indications of compromise or potential compromise, based upon
threshold alarming mechanisms determined by AWS service and
Security teams.
External access to data stored in Amazon S3 is logged. The logs are
retained for at least 90 days and include relevant access request
information such as the data accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s
AWS CloudTrail bucket in Amazon S3. The logged requests provide
information about who made the request and under which CMK and
will also describe information about the AWS resource that was
protected through the use of the CMK. These log events are visible to
the customer after turning on AWS CloudTrail in their account.

DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
· COBIT 5 APO07.06, APO10.05
· ISO/IEC 27001:2013 A.14.2.7, A.15.2.1
· NIST SP 800-53 Rev. 4 CA-7, PS-7, SA-4, SA-9, SI-4
AWS Services/Resources: AWS Artifact, AWS Best Practices, AWS Reference Architectures, AWS CloudTrail, VPC Flow Logs, Amazon Macie, Amazon GuardDuty, AWS Managed Services
CA-7 AWS conducts monthly monitoring of its security posture through a
continuous risk assessment and monitoring process. Additionally,
annual security assessments are conducted by an accredited Third-Party
Assessment Organization (3PAO) to validate that implemented security
controls continue to be effective. Security assessments that include a
risk analysis and a Plan of Action and Milestones (POA&M) are
submitted to authorizing officials for review and approval.
PS-7 AWS creates and maintains written agreements with third parties (e.g.,
contractors or vendors) in accordance with the work or service to be
provided (e.g., network services agreement, service delivery agreement,
or information exchange agreement) and implements appropriate
relationship management mechanisms in line with their relationship to
the business. Agreements cover, at a minimum, the following:
• Legal and regulatory requirements applicable to AWS
• User awareness of information security responsibilities and issues
• Arrangements for reporting, notification, and investigation of
information security incidents and security breaches
• Target and unacceptable levels of service (e.g., SLA, Operational
Level Agreement [OLA])
• Service continuity requirements (e.g., Recovery Time Objective
[RTO]), in accordance with AWS business priorities
• Protection of Intellectual Property Rights (IPR) and copyright
assignment of AWS
• Conditions for renegotiation/termination of the agreement.

SA-4 AWS maintains a systematic approach to planning and developing new
services for the AWS environment to ensure that quality and security
requirements are met with each release. AWS’s strategy for the design
and development of services is to clearly define services in terms of
customer use cases, service performance, marketing and distribution
requirements, production and testing, and legal and regulatory
requirements. The design of all new services or any significant changes
to current services are controlled through a project management system
with multi-disciplinary participation. Requirements and service
specifications are established during service development, taking into
account legal and regulatory requirements, customer contractual
commitments, and requirements to meet the confidentiality, integrity,
and availability of the service. Service reviews are completed as part of
the development process. Prior to launch, each of the following
requirements must be complete:
• Security risk assessment
• Threat modeling
• Security design reviews
• Secure code reviews
• Security testing
• Vulnerability/penetration testing

SA-9 AWS creates and maintains written agreements with third parties (e.g.,
contractors or vendors) in accordance with the work or service to be
provided (e.g., network services agreement, service delivery agreement,
or information exchange agreement) and implements appropriate
relationship management mechanisms in line with their relationship to
the business. Agreements cover, at a minimum, the following:
• Legal and regulatory requirements applicable to AWS
• User awareness of information security responsibilities and issues
• Arrangements for reporting, notification, and investigation of
information security incidents and security breaches
• Target and unacceptable levels of service (e.g., SLA, Operational
Level Agreement [OLA])
• Service continuity requirements (e.g., Recovery Time Objective
[RTO]), in accordance with AWS business priorities
• Protection of Intellectual Property Rights (IPR) and copyright
assignment of AWS
• Conditions for renegotiation/termination of the agreement.

SI-4 AWS deploys monitoring devices throughout the environment to collect
critical information on unauthorized intrusion attempts, usage abuse,
and network and application bandwidth usage. Monitoring devices are
placed within the AWS environment to detect and monitor for:
• Port scanning attacks
• Usage (CPU, Processes, disk utilization, swap rates, and errors in
software generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools
show indications of compromise or potential compromise, based upon
threshold alarming mechanisms determined by AWS service and
Security teams.
External access to data stored in Amazon S3 is logged. The logs are
retained for at least 90 days and include relevant access request
information such as the data accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s
AWS CloudTrail bucket in Amazon S3. The logged requests provide
information about who made the request and under which CMK and
will also describe information about the AWS resource that was
protected through the use of the CMK. These log events are visible to
the customer after turning on AWS CloudTrail in their account.

DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
· CIS CSC 1, 2, 3, 5, 9, 12, 13, 15, 16
· COBIT 5 DSS05.02, DSS05.05
· ISO/IEC 27001:2013 A.12.4.1, A.14.2.7, A.15.2.1
· NIST SP 800-53 Rev. 4 AU-12, CA-7, CM-3, CM-8, PE-3, PE-6, PE-20, SI-4
AWS Services/Resources: AWS Artifact, AWS Best Practices, AWS Reference Architectures, AWS CloudWatch, CloudTrail, VPC Flow Logs, Amazon Athena, AWS Config, Amazon GuardDuty, Amazon S3, AWS WAF, Amazon Machine Learning, AWS Managed Services, AWS OpsWorks, AWS Systems Manager, AWS Organizations, Amazon Inspector, AWS Firewall Manager
AU-12 AWS deploys monitoring devices throughout the environment to collect
critical information on unauthorized intrusion attempts, usage abuse,
and network and application bandwidth usage. Monitoring devices are
placed within the AWS environment to detect and monitor for:
• Port scanning attacks
• Usage (CPU, Processes, disk utilization, swap rates, and errors in
software generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools
show indications of compromise or potential compromise, based upon
threshold alarming mechanisms determined by AWS service and
Security teams.
External access to data stored in Amazon S3 is logged. The logs are
retained for at least 90 days and include relevant access request
information such as the data accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s
AWS CloudTrail bucket in Amazon S3. The logged requests provide
information about who made the request and under which CMK and
will also describe information about the AWS resource that was
protected through the use of the CMK. These log events are visible to
the customer after turning on AWS CloudTrail in their account.
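The paragraph above says every KMS request is logged to CloudTrail with who made it, which CMK was used, and which AWS resource the key protected. The following is an added example, not code from the AWS document, showing how those three facts are pulled out of CloudTrail records: the principal from userIdentity (with invokedBy marking calls an AWS service made on a principal's behalf), the CMK from the resources entry of type AWS::KMS::Key, and the protected resource from the encryption context, which is where services such as S3 record the object ARN. It also separates denied Decrypt calls, the ones a reviewer of personnel activity most wants to see. The records are constructed; the account id, key id, ARNs, addresses and user names are placeholders.

```python
"""Attributing KMS activity from CloudTrail records.

Added illustration; not code from the AWS document. The record shape
(eventSource, userIdentity, requestParameters.encryptionContext, resources,
errorCode) follows the CloudTrail record format; the account id, key id,
ARNs, IP addresses and principal names are constructed sample values.
"""
import json
from collections import Counter
from typing import Any, Dict, List

KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID-0001"  # placeholder key

SAMPLE_TRAIL = json.dumps({"Records": [
    {   # S3 decrypting an object on behalf of a role: a service-initiated call
        "eventVersion": "1.08", "eventTime": "2024-01-15T10:00:00Z",
        "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
        "awsRegion": "us-east-1", "sourceIPAddress": "s3.amazonaws.com",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/app-role/app-session",
                         "invokedBy": "s3.amazonaws.com"},
        "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::example-bucket/reports/q1.csv"},
                              "encryptionAlgorithm": "SYMMETRIC_DEFAULT"},
        "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}],
    },
    {   # An IAM user generating a data key directly, with no encryption context
        "eventVersion": "1.08", "eventTime": "2024-01-15T10:05:00Z",
        "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"keyId": "EXAMPLE-KEY-ID-0001", "keySpec": "AES_256"},
        "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}],
    },
    {   # A denied Decrypt: the key policy did not allow this principal
        "eventVersion": "1.08", "eventTime": "2024-01-15T10:07:00Z",
        "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor-user"},
        "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::example-bucket/reports/q1.csv"}},
        "errorCode": "AccessDenied",
        "errorMessage": "User is not authorized to perform: kms:Decrypt",
        "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}],
    },
    {   # A non-KMS event that the summary must ignore
        "eventVersion": "1.08", "eventTime": "2024-01-15T10:09:00Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {},
    },
]})


def summarize_kms_events(trail_json: str) -> List[Dict[str, Any]]:
    """Reduce each KMS record to who called, which CMK, and what the key protected."""
    summary = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        identity = rec.get("userIdentity", {})
        params = rec.get("requestParameters") or {}
        context = params.get("encryptionContext") or {}
        keys = [r["ARN"] for r in rec.get("resources", []) if r.get("type") == "AWS::KMS::Key"]
        summary.append({
            "time": rec["eventTime"],
            "operation": rec["eventName"],
            "principal": identity.get("arn", "unknown"),
            # invokedBy is present when an AWS service made the call on the principal's behalf
            "invoked_by": identity.get("invokedBy"),
            "cmk": keys[0] if keys else None,
            # the encryption context is how the protected resource appears in the log
            "protected_resource": next(iter(context.values()), None),
            "source_ip": rec.get("sourceIPAddress"),
            "denied": rec.get("errorCode") == "AccessDenied",
        })
    return summary


def denied_calls(summary: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Denied KMS calls: a principal asked for data it was not allowed to decrypt."""
    return [e for e in summary if e["denied"]]


def calls_per_principal(summary: List[Dict[str, Any]]) -> Dict[str, int]:
    """Per-principal call counts, the starting point for a personnel activity review."""
    return dict(Counter(e["principal"] for e in summary))


if __name__ == "__main__":
    for event in summarize_kms_events(SAMPLE_TRAIL):
        print(event["time"], event["operation"], event["principal"],
              "DENIED" if event["denied"] else "ok", event["protected_resource"])
```

Only requests that carry an encryption context name the protected resource, so a direct GenerateDataKey call by a user shows the CMK but no resource; treating a missing context as unknown, rather than as absent, is the safer reading when reviewing activity.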

CA-7 AWS conducts monthly monitoring of its security posture through a
continuous risk assessment and monitoring process. Additionally,
annual security assessments are conducted by an accredited Third-Party
Assessment Organization (3PAO) to validate that implemented security
controls continue to be effective. Security assessments that include a
risk analysis and a Plan of Action and Milestones (POA&M) are
submitted to authorizing officials for review and approval.

CM-3 AWS applies a systematic approach to managing change to ensure that
all changes are reviewed, tested, and approved. The AWS change
management approach requires that the following steps be complete
before a change is deployed:
1. Document and communicate the change via the appropriate AWS
change management tool.
2. Plan implementation of the change and rollback procedures to
minimize disruption.
3. Test the change in a logically segregated, non-production
environment.
4. Complete a peer review of the change with a focus on business
impact and technical rigor. The review should include a code review.
5. Attain approval for the change by an authorized individual.
In order to validate that changes follow the standard change
management procedures, all changes to the AWS environment are
reviewed on at least a monthly basis. An audit trail of the changes is
maintained for at least one year. AWS maintains processes to detect
unauthorized changes made to the environment. Any exceptions are
analyzed to determine the root cause. Appropriate actions are taken to
bring the change into compliance or roll back the change, if necessary.
Actions are then taken to address and remediate the process or people
issue.
CM-8 In order to ensure asset management and inventory maintenance
procedures are properly executed, AWS assets are assigned an owner
and are tracked and monitored with AWS proprietary inventory
management tools. AWS asset owner maintenance procedures are
carried out by using a proprietary tool with specified checks that must
be completed according to the documented maintenance schedule.
AWS has developed and documented an inventory of systems and
devices within the Authorization Boundary.
AWS has developed and documented an inventory of the AWS
Authorization Boundaries for GovCloud and East/West separately. For
continuous monitoring activities, AWS provides a system inventory to
our FedRAMP accredited 3PAO for validation on a monthly basis.
Once validated, this list is provided to our Authorizing Official(s).
AWS provides an inventory to our FedRAMP accredited 3PAO for
validation as part of AWS’ security assessment and, on a monthly
basis, in support of continuous monitoring requirements. Additionally,
AWS' inventory is validated by our 3PAO and provided to our
Authorizing Official(s) on a monthly basis.

PE-20 N/A
PE-3 Physical access to all AWS data centers housing IT infrastructure
components is restricted to authorized data center employees, vendors,
and contractors who require access in order to execute their jobs.
Access to facilities is only permitted at controlled access points that
require multi-factor authentication designed to prevent tailgating and to
ensure that only authorized individuals enter an AWS data center. On a
quarterly basis, access lists and authorization credentials of personnel
with access to AWS data centers are reviewed by the respective data
center Area Access Managers (AAM).
All entrances to AWS data centers, including the main entrance, the
loading dock, and any roof doors/hatches, are secured with intrusion
detection devices that sound alarms if the door is forced open or held
open.
Trained security guards are stationed at the building entrance 24/7. If a
door or cage within a data center has a malfunctioning card reader or
PIN pad and cannot be secured electronically, a security guard is posted
at the door until it can be repaired.

Physical access points to server locations are recorded by closed circuit
television camera (CCTV). Images are retained for 90 days, unless
limited to 30 days by legal or contractual obligations.

PE-6 Physical access to all AWS data centers housing IT infrastructure
components is restricted to authorized data center employees, vendors,
and contractors who require access in order to execute their jobs.
Access to facilities is only permitted at controlled access points that
require multi-factor authentication designed to prevent tailgating and to
ensure that only authorized individuals enter an AWS data center. On a
quarterly basis, access lists and authorization credentials of personnel
with access to AWS data centers are reviewed by the respective data
center Area Access Managers (AAM).
All entrances to AWS data centers, including the main entrance, the
loading dock, and any roof doors/hatches, are secured with intrusion
detection devices that sound alarms if the door is forced open or held
open.
Trained security guards are stationed at the building entrance 24/7. If a
door or cage within a data center has a malfunctioning card reader or
PIN pad and cannot be secured electronically, a security guard is posted
at the door until it can be repaired.

SI-4 AWS deploys monitoring devices throughout the environment to collect
critical information on unauthorized intrusion attempts, usage abuse,
and network and application bandwidth usage. Monitoring devices are
placed within the AWS environment to detect and monitor for:
• Port scanning attacks
• Usage (CPU, Processes, disk utilization, swap rates, and errors in
software generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools
show indications of compromise or potential compromise, based upon
threshold alarming mechanisms determined by AWS service and
Security teams.
External access to data stored in Amazon S3 is logged. The logs are
retained for at least 90 days and include relevant access request
information such as the data accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s
AWS CloudTrail bucket in Amazon S3. The logged requests provide
information about who made the request and under which CMK and
will also describe information about the AWS resource that was
protected through the use of the CMK. These log events are visible to
the customer after turning on AWS CloudTrail in their account.

DE.CM-8: Vulnerability scans are · CIS CSC 4, 20 AWS Artifact, AWS Best Practices, AWS Reference RA-5 AWS Security notifies and coordinates with the appropriate service
performed · COBIT 5 BAI03.10, DSS05.01 Architectures, Amazon Inspector, Amazon RDS, teams when conducting security-related activities within the system
· ISA 62443-2-1:2009 4.2.3.1, 4.2.3.7 Amazon Aurora, Amazon Dynamo DB, AWS Managed boundary. Activities include vulnerability scanning, contingency
· ISO/IEC 27001:2013 A.12.6.1 Services testing, and incident response exercises. AWS performs external
· NIST SP 800-53 Rev. 4 RA-5 vulnerability assessments at least quarterly, and identified issues are
investigated and tracked to resolution. Additionally, AWS performs
unannounced penetration tests by engaging independent third parties to
probe the defenses and device configuration settings within the system.
AWS Security teams also subscribe to newsfeeds for applicable vendor
flaws and proactively monitor vendors’ websites and other relevant
outlets for new patches. AWS customers also have the ability to report
issues to AWS via the AWS Vulnerability Reporting website at
http://aws.amazon.com/security/vulnerability-reporting/.

Detection Processes DE.DP-1: Roles and · CIS CSC 19 AWS Artifact, AWS Best Practices, AWS Reference CA-2 The AWS Compliance Assessment Team (CAT) maintains a
(DE.DP): Detection responsibilities for detection are · COBIT 5 APO01.02, DSS05.01, DSS06.03 Architectures, AWS Managed Services documented audit schedule of internal and external assessments to
processes and procedures well defined to ensure · ISA 62443-2-1:2009 4.4.3.1 ensure implementation and operating effectiveness of the AWS control
are maintained and tested accountability · ISO/IEC 27001:2013 A.6.1.1, A.7.2.2 environment to meet business, regulatory, and contractual objectives.
to ensure timely and · NIST SP 800-53 Rev. 4 CA-2, CA-7, PM-14 The needs and expectations of internal and external parties are
adequate awareness of considered throughout the development, implementation, and auditing
anomalous events. of the AWS control environment. Parties include, but are not limited to:
• AWS customers, including customers with a contractual interest and
potential customers.
• External parties to AWS, including regulatory bodies such as the
external auditors and certifying agents.
• Internal parties such as AWS services and infrastructure teams,
security, legal, and overarching administrative and corporate teams.

CA-7 AWS conducts monthly monitoring of its security posture through a
continuous risk assessment and monitoring process. Additionally,
annual security assessments are conducted by an accredited Third-Party
Assessment Organization (3PAO) to validate that implemented security
controls continue to be effective. Security assessments that include a
risk analysis and a Plan of Action and Milestones (POA&M) are
submitted to authorizing officials for review and approval.

PM-14 N/A
DE.DP-2: Detection activities · COBIT 5 DSS06.01, MEA03.03, MEA03.04 AWS Artifact, AWS Best Practices, AWS Reference AC-25 N/A
comply with all applicable · ISA 62443-2-1:2009 4.4.3.2
requirements · ISO/IEC 27001:2013 A.18.1.4, A.18.2.2,
A.18.2.3
· NIST SP 800-53 Rev. 4 AC-25, CA-2, CA-7,
SA-18, SI-4, PM-14
CA-2 The AWS Compliance Assessment Team (CAT) maintains a
documented audit schedule of internal and external assessments to
ensure implementation and operating effectiveness of the AWS control
environment to meet business, regulatory, and contractual objectives.
The needs and expectations of internal and external parties are
considered throughout the development, implementation, and auditing
of the AWS control environment. Parties include, but are not limited to:
• AWS customers, including customers with a contractual interest and
potential customers.
• External parties to AWS, including regulatory bodies such as the
external auditors and certifying agents.
• Internal parties such as AWS services and infrastructure teams,
security, legal, and overarching administrative and corporate teams.

CA-7 AWS conducts monthly monitoring of its security posture through a
continuous risk assessment and monitoring process. Additionally,
annual security assessments are conducted by an accredited Third-Party
Assessment Organization (3PAO) to validate that implemented security
controls continue to be effective. Security assessments that include a
risk analysis and a Plan of Action and Milestones (POA&M) are
submitted to authorizing officials for review and approval.

PM-14 N/A
SA-18 N/A
SI-4 AWS deploys monitoring devices throughout the environment to collect
critical information on unauthorized intrusion attempts, usage abuse,
and network and application bandwidth usage. Monitoring devices are
placed within the AWS environment to detect and monitor for:
• Port scanning attacks
• Usage (CPU, Processes, disk utilization, swap rates, and errors in
software generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools
show indications of compromise or potential compromise, based upon
threshold alarming mechanisms determined by AWS service and
Security teams.
External access to data stored in Amazon S3 is logged. The logs are
retained for at least 90 days and include relevant access request
information such as the data accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s
AWS CloudTrail bucket in Amazon S3. The logged requests provide
information about who made the request and under which CMK and
will also describe information about the AWS resource that was
protected through the use of the CMK. These log events are visible to
the customer after turning on AWS CloudTrail in their account.

DE.DP-3: Detection processes are · COBIT 5 APO13.02, DSS05.02 AWS Artifact, AWS Best Practices, AWS Reference CA-2 The AWS Compliance Assessment Team (CAT) maintains a
tested · ISA 62443-2-1:2009 4.4.3.2 documented audit schedule of internal and external assessments to
· ISA 62443-3-3:2013 SR 3.3 ensure implementation and operating effectiveness of the AWS control
· ISO/IEC 27001:2013 A.14.2.8 environment to meet business, regulatory, and contractual objectives.
· NIST SP 800-53 Rev. 4 CA-2, CA-7, PE-3, The needs and expectations of internal and external parties are
SI-3, SI-4, PM-14 considered throughout the development, implementation, and auditing
of the AWS control environment. Parties include, but are not limited to:
• AWS customers, including customers with a contractual interest and
potential customers.
• External parties to AWS, including regulatory bodies such as the
external auditors and certifying agents.
• Internal parties such as AWS services and infrastructure teams,
security, legal, and overarching administrative and corporate teams.

CA-7 AWS conducts monthly monitoring of its security posture through a
continuous risk assessment and monitoring process. Additionally,
annual security assessments are conducted by an accredited Third-Party
Assessment Organization (3PAO) to validate that implemented security
controls continue to be effective. Security assessments that include a
risk analysis and a Plan of Action and Milestones (POA&M) are
submitted to authorizing officials for review and approval.

PE-3 Physical access to all AWS data centers housing IT infrastructure
components is restricted to authorized data center employees, vendors,
and contractors who require access in order to execute their jobs.
Access to facilities is only permitted at controlled access points that
require multi-factor authentication designed to prevent tailgating and to
ensure that only authorized individuals enter an AWS data center. On a
quarterly basis, access lists and authorization credentials of personnel
with access to AWS data centers are reviewed by the respective data
center Area Access Managers (AAM).
All entrances to AWS data centers, including the main entrance, the
loading dock, and any roof doors/hatches, are secured with intrusion
detection devices that sound alarms if the door is forced open or held
open.
Trained security guards are stationed at the building entrance 24/7. If a
door or cage within a data center has a malfunctioning card reader or
PIN pad and cannot be secured electronically, a security guard is posted
at the door until it can be repaired.

Physical access points to server locations are recorded by closed circuit
television camera (CCTV). Images are retained for 90 days, unless
limited to 30 days by legal or contractual obligations.

PM-14 N/A
SI-3 Amazon assets (e.g., laptops) are configured with anti-virus software
that includes email filtering and malware detection.
SI-4 AWS deploys monitoring devices throughout the environment to collect
critical information on unauthorized intrusion attempts, usage abuse,
and network and application bandwidth usage. Monitoring devices are
placed within the AWS environment to detect and monitor for:
• Port scanning attacks
• Usage (CPU, Processes, disk utilization, swap rates, and errors in
software generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools
show indications of compromise or potential compromise, based upon
threshold alarming mechanisms determined by AWS service and
Security teams.
External access to data stored in Amazon S3 is logged. The logs are
retained for at least 90 days and include relevant access request
information such as the data accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s
AWS CloudTrail bucket in Amazon S3. The logged requests provide
information about who made the request and under which CMK and
will also describe information about the AWS resource that was
protected through the use of the CMK. These log events are visible to
the customer after turning on AWS CloudTrail in their account.

DE.DP-4: Event detection · CIS CSC 19 AWS Artifact, AWS Best Practices, AWS Reference, AU-6 AWS deploys monitoring devices throughout the environment to collect
information is communicated to · COBIT 5 APO08.04, APO12.06, DSS02.05 AWS Managed Services critical information on unauthorized intrusion attempts, usage abuse,
appropriate parties · ISA 62443-2-1:2009 4.3.4.5.9 and network and application bandwidth usage. Monitoring devices are
· ISA 62443-3-3:2013 SR 6.1 placed within the AWS environment to detect and monitor for:
· ISO/IEC 27001:2013 A.16.1.2, A.16.1.3 • Port scanning attacks
· NIST SP 800-53 Rev. 4 AU-6, CA-2, CA-7, • Usage (CPU, Processes, disk utilization, swap rates, and errors in
RA-5, SI-4 software generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools
show indications of compromise or potential compromise, based upon
threshold alarming mechanisms determined by AWS service and
Security teams.
External access to data stored in Amazon S3 is logged. The logs are
retained for at least 90 days and include relevant access request
information such as the data accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s
AWS CloudTrail bucket in Amazon S3. The logged requests provide
information about who made the request and under which CMK and
will also describe information about the AWS resource that was
protected through the use of the CMK. These log events are visible to
the customer after turning on AWS CloudTrail in their account.

CA-2 The AWS Compliance Assessment Team (CAT) maintains a
documented audit schedule of internal and external assessments to
ensure implementation and operating effectiveness of the AWS control
environment to meet business, regulatory, and contractual objectives.
The needs and expectations of internal and external parties are
considered throughout the development, implementation, and auditing
of the AWS control environment. Parties include, but are not limited to:
• AWS customers, including customers with a contractual interest and
potential customers.
• External parties to AWS, including regulatory bodies such as the
external auditors and certifying agents.
• Internal parties such as AWS services and infrastructure teams,
security, legal, and overarching administrative and corporate teams.

CA-7 AWS conducts monthly monitoring of its security posture through a
continuous risk assessment and monitoring process. Additionally,
annual security assessments are conducted by an accredited Third-Party
Assessment Organization (3PAO) to validate that implemented security
controls continue to be effective. Security assessments that include a
risk analysis and a Plan of Action and Milestones (POA&M) are
submitted to authorizing officials for review and approval.

RA-5 AWS Security notifies and coordinates with the appropriate service
teams when conducting security-related activities within the system
boundary. Activities include vulnerability scanning, contingency
testing, and incident response exercises. AWS performs external
vulnerability assessments at least quarterly, and identified issues are
investigated and tracked to resolution. Additionally, AWS performs
unannounced penetration tests by engaging independent third parties to
probe the defenses and device configuration settings within the system.
AWS Security teams also subscribe to newsfeeds for applicable vendor
flaws and proactively monitor vendors’ websites and other relevant
outlets for new patches. AWS customers also have the ability to report
issues to AWS via the AWS Vulnerability Reporting website at
http://aws.amazon.com/security/vulnerability-reporting/.

SI-4 AWS deploys monitoring devices throughout the environment to collect
critical information on unauthorized intrusion attempts, usage abuse,
and network and application bandwidth usage. Monitoring devices are
placed within the AWS environment to detect and monitor for:
• Port scanning attacks
• Usage (CPU, Processes, disk utilization, swap rates, and errors in
software generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools
show indications of compromise or potential compromise, based upon
threshold alarming mechanisms determined by AWS service and
Security teams.
External access to data stored in Amazon S3 is logged. The logs are
retained for at least 90 days and include relevant access request
information such as the data accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s
AWS CloudTrail bucket in Amazon S3. The logged requests provide
information about who made the request and under which CMK and
will also describe information about the AWS resource that was
protected through the use of the CMK. These log events are visible to
the customer after turning on AWS CloudTrail in their account.

DE.DP-5: Detection processes are · COBIT 5 APO11.06, APO12.06, DSS04.05 AWS Artifact, AWS Best Practices, AWS Reference, CA-2 The AWS Compliance Assessment Team (CAT) maintains a
continuously improved · ISA 62443-2-1:2009 4.4.3.4 AWS Managed Services documented audit schedule of internal and external assessments to
· ISO/IEC 27001:2013 A.16.1.6 ensure implementation and operating effectiveness of the AWS control
· NIST SP 800-53 Rev. 4 CA-2, CA-7, PL-2, environment to meet business, regulatory, and contractual objectives.
RA-5, SI-4, PM-14 The needs and expectations of internal and external parties are
considered throughout the development, implementation, and auditing
of the AWS control environment. Parties include, but are not limited to:
• AWS customers, including customers with a contractual interest and
potential customers.
• External parties to AWS, including regulatory bodies such as the
external auditors and certifying agents.
• Internal parties such as AWS services and infrastructure teams,
security, legal, and overarching administrative and corporate teams.

CA-7 AWS conducts monthly monitoring of its security posture through a
continuous risk assessment and monitoring process. Additionally,
annual security assessments are conducted by an accredited Third-Party
Assessment Organization (3PAO) to validate that implemented security
controls continue to be effective. Security assessments that include a
risk analysis and a Plan of Action and Milestones (POA&M) are
submitted to authorizing officials for review and approval.

PL-2 Customer environments are logically segregated to prevent users and
customers from accessing resources not assigned to them. Customers
maintain full control over who has access to their data. Services which
provide virtualized operational environments to customers (i.e., EC2)
ensure that customers are segregated from one another and prevent
cross-tenant privilege escalation and information disclosure via
hypervisors and instance isolation.

AWS Security Assurance is responsible for familiarizing employees
with the AWS security policies. AWS has established information
security functions that are aligned with defined structure, reporting
lines, and responsibilities. Leadership involvement provides clear
direction and visible support for security initiatives.

PM-14 N/A
RA-5 AWS Security notifies and coordinates with the appropriate service
teams when conducting security-related activities within the system
boundary. Activities include vulnerability scanning, contingency
testing, and incident response exercises. AWS performs external
vulnerability assessments at least quarterly, and identified issues are
investigated and tracked to resolution. Additionally, AWS performs
unannounced penetration tests by engaging independent third parties to
probe the defenses and device configuration settings within the system.
AWS Security teams also subscribe to newsfeeds for applicable vendor
flaws and proactively monitor vendors’ websites and other relevant
outlets for new patches. AWS customers also have the ability to report
issues to AWS via the AWS Vulnerability Reporting website at
http://aws.amazon.com/security/vulnerability-reporting/.

SI-4 AWS deploys monitoring devices throughout the environment to collect
critical information on unauthorized intrusion attempts, usage abuse,
and network and application bandwidth usage. Monitoring devices are
placed within the AWS environment to detect and monitor for:
• Port scanning attacks
• Usage (CPU, Processes, disk utilization, swap rates, and errors in
software generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools
show indications of compromise or potential compromise, based upon
threshold alarming mechanisms determined by AWS service and
Security teams.
External access to data stored in Amazon S3 is logged. The logs are
retained for at least 90 days and include relevant access request
information such as the data accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s
AWS CloudTrail bucket in Amazon S3. The logged requests provide
information about who made the request and under which CMK and
will also describe information about the AWS resource that was
protected through the use of the CMK. These log events are visible to
the customer after turning on AWS CloudTrail in their account.
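The SI-4 text above states what a CloudTrail record of a KMS call carries: the caller, the CMK, and the AWS resource the key protected. As an added example (not part of the AWS document), the following Python script parses constructed CloudTrail-shaped KMS records, extracts those three facts, and flags usage by unexpected principals, cross-account use, and denied requests. The account ids, key ARN, principal ARNs and the allowed-principal mapping are assumptions of the example.

```python
"""Triage CloudTrail records for AWS KMS key usage.

Added example, not from the AWS document. Each KMS API call that CloudTrail
records carries the calling principal (userIdentity), the CMK involved
(resources[].ARN) and, when an AWS service called KMS on the customer's
behalf, an encryption context naming the resource the key protected. This
script parses such records and flags unexpected principals, cross-account use
and denied requests. All account, key and principal identifiers are
constructed placeholders.
"""
from collections import Counter

# Encryption-context keys AWS services use to name the protected resource
# (see the KMS developer guide); other contexts are kept raw.
PROTECTED_RESOURCE_KEYS = ("aws:s3:arn", "aws:ebs:id", "aws:rds:db-id",
                           "aws:lambda:FunctionArn")


def parse_kms_events(records):
    """Reduce raw CloudTrail records to the fields needed for key triage."""
    events = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue  # not a KMS call
        ctx = (rec.get("requestParameters") or {}).get("encryptionContext") or {}
        key_arns = [r["ARN"] for r in rec.get("resources", [])
                    if r.get("type") == "AWS::KMS::Key"]
        key_arn = key_arns[0] if key_arns else None
        identity = rec.get("userIdentity") or {}
        events.append({
            "action": rec.get("eventName"),
            "principal": identity.get("arn"),
            "caller_account": identity.get("accountId"),
            "key_arn": key_arn,
            # The account id is the fifth colon-separated field of a key ARN.
            "key_account": key_arn.split(":")[4] if key_arn else None,
            "protected_resource": next(
                (ctx[k] for k in PROTECTED_RESOURCE_KEYS if k in ctx), None),
            "encryption_context": ctx,
            "error": rec.get("errorCode"),
        })
    return events


def find_anomalies(events, allowed_principals):
    """Return (reason, event) pairs worth an analyst's attention; the
    allowed_principals map (key ARN -> principal ARNs) should come from the
    key policy and grants."""
    findings = []
    for ev in events:
        if ev["error"]:
            # A denied KMS call is itself a signal (probing or misconfiguration).
            findings.append(("denied_request", ev))
            continue
        if ev["key_account"] and ev["caller_account"] != ev["key_account"]:
            findings.append(("cross_account_use", ev))
        if ev["principal"] not in allowed_principals.get(ev["key_arn"], set()):
            findings.append(("unexpected_principal", ev))
    return findings


def usage_summary(events):
    """Count successful calls per (key, principal, action) for periodic review."""
    return Counter((ev["key_arn"], ev["principal"], ev["action"])
                   for ev in events if not ev["error"])


def _record(name, principal, account, key_arn, ctx=None, error=None):
    """Build one CloudTrail-shaped KMS record (constructed sample data)."""
    rec = {
        "eventVersion": "1.05", "eventTime": "2019-03-01T12:00:00Z",
        "eventSource": "kms.amazonaws.com", "eventName": name,
        "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.5",
        "userIdentity": {"arn": principal, "accountId": account},
        "requestParameters": {"encryptionContext": ctx} if ctx else None,
        "resources": [{"type": "AWS::KMS::Key", "ARN": key_arn,
                       "accountId": key_arn.split(":")[4]}],
        "recipientAccountId": account,
    }
    if error:
        rec["errorCode"] = error
    return rec


HOME = "111122223333"  # placeholder account id
KEY = f"arn:aws:kms:us-east-1:{HOME}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
APP_ROLE = f"arn:aws:sts::{HOME}:assumed-role/AppRole/i-0abc123"
CONTRACTOR = f"arn:aws:iam::{HOME}:user/contractor"
PARTNER = "arn:aws:sts::444455556666:assumed-role/Partner/session"
S3_CTX = {"aws:s3:arn": "arn:aws:s3:::example-bucket/report.csv"}

SAMPLE_RECORDS = [
    _record("GenerateDataKey", APP_ROLE, HOME, KEY, S3_CTX),
    _record("Decrypt", APP_ROLE, HOME, KEY, S3_CTX),
    _record("Decrypt", CONTRACTOR, HOME, KEY, S3_CTX),
    _record("Decrypt", PARTNER, "444455556666", KEY, S3_CTX),
    _record("Decrypt", CONTRACTOR, HOME, KEY, S3_CTX, error="AccessDeniedException"),
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},  # ignored
]
ALLOWED_PRINCIPALS = {KEY: {APP_ROLE}}  # who should be using this CMK
```

Run `find_anomalies(parse_kms_events(SAMPLE_RECORDS), ALLOWED_PRINCIPALS)` to see the contractor, the cross-account partner role and the denied call surface as separate findings; `usage_summary` gives the per-principal counts a periodic key-usage review starts from.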
Customer Responsibility
AWS customers are responsible for configuring their systems and all interconnected
systems to enforce their approved information flow policies. This can be accomplished
through configuration of Amazon Virtual Private Cloud (Amazon VPC) network
Access Control Lists (ACL) for controlling inbound/outbound traffic at the subnet level
and Amazon VPC security groups for controlling traffic at the instance level.

More information on configuring Amazon VPC is available at
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html.
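As an added example (not AWS's own code or guidance), the Python below checks constructed security group and network ACL data against an approved inbound-flow policy, modelling the stateless first-match evaluation of network ACLs at the subnet level and the allow-only, stateful behaviour of security groups at the instance level. The policy format, the group and ACL contents, and every identifier are assumptions of the example.

```python
"""Check security group and network ACL rules against an approved
information-flow policy.

Added example, not AWS code. The customer enforces approved flows with
network ACLs (subnet level, stateless, evaluated in rule-number order with
the first match deciding) and security groups (instance level, stateful,
any matching rule permits). The data is constructed in the shape returned by
EC2 describe_security_groups / describe_network_acls; the policy format and
every identifier are this example's own assumptions.
"""
import ipaddress

PROTO_NUMBERS = {"tcp": "6", "udp": "17", "icmp": "1"}  # ACL entries use numbers

# Approved inbound flows: protocol, port range, widest allowed source CIDR.
APPROVED_INGRESS = [
    ("tcp", 443, 443, "0.0.0.0/0"),  # public HTTPS
    ("tcp", 22, 22, "10.0.0.0/8"),   # SSH only from the private range
]

# Constructed security group (describe_security_groups shape).
SECURITY_GROUP = {"GroupId": "sg-0example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},    # broader than policy
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.1.0.0/16"}]},  # inside the approved range
]}

# Constructed network ACL (describe_network_acls shape); rule 32767 is the
# catch-all deny that every ACL ends with.
NETWORK_ACL = {"NetworkAclId": "acl-0example", "Entries": [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 110, "Protocol": "6", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "10.1.99.0/24", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 120, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "10.0.0.0/8", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
]}


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def _cidr_within(inner, outer):
    """True when every address of `inner` lies in `outer` (same IP version)."""
    a, b = _net(inner), _net(outer)
    return a.version == b.version and a.subnet_of(b)

def sg_unapproved_ingress(group, approved):
    """Ingress rules not contained in any approved flow. Security groups are
    allow-only, so a single over-broad rule is enough to expose a port."""
    findings = []
    for perm in group["IpPermissions"]:
        proto = perm["IpProtocol"]
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        for rng in perm.get("IpRanges", []):
            covered = any(ap_proto in ("-1", proto) and ap_lo <= lo and hi <= ap_hi
                          and _cidr_within(rng["CidrIp"], ap_cidr)
                          for ap_proto, ap_lo, ap_hi, ap_cidr in approved)
            if not covered:
                findings.append((proto, lo, hi, rng["CidrIp"]))
    return findings

def nacl_decision(acl, egress, proto, port, address):
    """Evaluate a network ACL as EC2 does: ascending rule number, the first
    matching entry decides, implicit deny when nothing matches."""
    addr = ipaddress.ip_address(address)
    for e in sorted(acl["Entries"], key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress or e["Protocol"] not in ("-1", PROTO_NUMBERS.get(proto)):
            continue
        cidr = e.get("CidrBlock")  # IPv6 entries (Ipv6CidrBlock) not modelled
        if cidr is None or addr not in _net(cidr):
            continue
        rng = e.get("PortRange")
        if rng and not rng["From"] <= port <= rng["To"]:
            continue
        return e["RuleAction"]
    return "deny"

def sg_allows_ingress(group, proto, port, address):
    """Stateful security group: any matching ingress rule permits the flow."""
    addr = ipaddress.ip_address(address)
    return any(perm["IpProtocol"] in ("-1", proto)
               and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)
               and any(addr in _net(r["CidrIp"]) for r in perm.get("IpRanges", []))
               for perm in group["IpPermissions"])

def check_flows(group, acl, approved):
    """Confirm each approved inbound flow passes both layers, probing with one
    representative source address from the approved CIDR."""
    results = {}
    for proto, lo, hi, cidr in approved:
        net = _net(cidr)
        src = str(net.network_address + (1 if net.num_addresses > 1 else 0))
        results[(proto, lo, hi, cidr)] = {
            "nacl": nacl_decision(acl, False, proto, lo, src),
            "sg": sg_allows_ingress(group, proto, lo, src),
        }
    return results
```

`sg_unapproved_ingress` reports the world-open SSH rule, while `nacl_decision` shows rule 110 denying SSH from 10.1.99.0/24 before rule 120 would allow it, the ordering subtlety a stateful-only review misses.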

AWS customers are responsible for documenting, authorizing, reviewing, and updating
Interconnection Security Agreements (ISAs) for connections between their system and
other systems that include the following information for each connection: 1) Interface
characteristics, 2) Security requirements, and 3) The nature of the information
communicated. AWS customers are responsible for reviewing and updating ISAs at a
frequency defined by their security assessment and authorization policy.

AWS customers are responsible for developing, documenting, and maintaining under
configuration control a current baseline configuration of their systems.

AWS customers are responsible for: 1) Monitoring their information system to detect:
a) Attacks and indicators of potential attacks in accordance with organization-defined
monitoring objectives and b) Unauthorized local, network, and remote connections; 2)
Identifying unauthorized use of the information system through organization-defined
techniques and methods; 3) Deploying monitoring devices: a) Strategically within the
information system to collect organization-determined essential information and b) At
ad hoc locations within the system to track specific types of transactions of interest to
their organization; 4) Protecting information obtained from intrusion-monitoring tools
from unauthorized access, modification, and deletion; 5) Heightening the level of
information system monitoring activity whenever there is an indication of increased
risk to organizational operations and assets, individuals, other organizations, or the
Nation based on law enforcement information, intelligence information, or other
credible sources of information; 6) Obtaining legal opinion with regard to information
system monitoring activities in accordance with applicable federal laws, Executive
Orders, directives, policies, or regulations; and 7) Providing organization-defined
information system monitoring information to organization-defined personnel or roles
as needed or in accordance with an organization-defined frequency.

AWS customers are responsible for reviewing and analyzing audit records at an
organization-defined frequency for indications of organization-defined inappropriate or
unusual activity and reporting these findings to organization-defined personnel or roles
in accordance with their audit and accountability policy.

AWS customers are responsible for developing a continuous monitoring strategy and
implementing a continuous monitoring program in accordance with their security
assessment and authorization policy that defines: 1) Metrics to be monitored, 2)
Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for
conducting and receiving continuous monitoring analysis information. Pursuant to this
continuous monitoring program, AWS customers are responsible for: 1) Establishing
and configuring monitoring for defined metrics, 2) Monitoring and conducting
assessments at organization-defined frequencies, 3) Conducting ongoing security
control assessments, 4) Conducting ongoing security status monitoring of their
organization-defined metrics, 5) Correlating and analyzing security-related information
generated by assessments and monitoring, 6) Taking appropriate response actions to
address the results of the analysis of security-related information, and 7) Reporting the
security status of their organization and the information system to the organization-
defined personnel or roles at the organization-defined frequency.

AWS customers are responsible for implementing an incident handling capability for
security incidents that includes preparation, detection and analysis, containment,
eradication, and recovery in accordance with their incident response policy. In
addition, AWS customers are responsible for coordinating incident handling activities
with contingency planning activities; incorporating lessons learned from ongoing
incident handling activities into incident response procedures, training, and
testing/exercises; and implementing the resulting changes accordingly.
AWS customers are responsible for: 1) Monitoring their information system to detect:
a) Attacks and indicators of potential attacks in accordance with organization-defined
monitoring objectives and b) Unauthorized local, network, and remote connections; 2)
Identifying unauthorized use of the information system through organization-defined
techniques and methods; 3) Deploying monitoring devices: a) Strategically within the
information system to collect organization-determined essential information and b) At
ad hoc locations within the system to track specific types of transactions of interest to
their organization; 4) Protecting information obtained from intrusion-monitoring tools
from unauthorized access, modification, and deletion; 5) Heightening the level of
information system monitoring activity whenever there is an indication of increased
risk to organizational operations and assets, individuals, other organizations, or the
Nation based on law enforcement information, intelligence information, or other
credible sources of information; 6) Obtaining legal opinion with regard to information
system monitoring activities in accordance with applicable federal laws, Executive
Orders, directives, policies, or regulations; and 7) Providing organization-defined
information system monitoring information to organization-defined personnel or roles
as needed or in accordance with an organization-defined frequency.

AWS customers are responsible for reviewing and analyzing audit records at an
organization-defined frequency for indications of organization-defined inappropriate or
unusual activity and reporting these findings to organization-defined personnel or roles
in accordance with their audit and accountability policy.

AWS customers are responsible for developing a continuous monitoring strategy and
implementing a continuous monitoring program in accordance with their security
assessment and authorization policy that defines: 1) Metrics to be monitored, 2)
Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for
conducting and receiving continuous monitoring analysis information. Pursuant to this
continuous monitoring program, AWS customers are responsible for: 1) Establishing
and configuring monitoring for defined metrics, 2) Monitoring and conducting
assessments at organization-defined frequencies, 3) Conducting ongoing security
control assessments, 4) Conducting ongoing security status monitoring of their
organization-defined metrics, 5) Correlating and analyzing security-related information
generated by assessments and monitoring, 6) Taking appropriate response actions to
address the results of the analysis of security-related information, and 7) Reporting the
security status of their organization and the information system to the organization-
defined personnel or roles at the organization-defined frequency.

AWS customers are responsible for implementing an incident handling capability for
security incidents that includes preparation, detection and analysis, containment,
eradication, and recovery in accordance with their incident response policy. In
addition, AWS customers are responsible for coordinating incident handling activities
with contingency planning activities; incorporating lessons learned from ongoing
incident handling activities into incident response procedures, training, and
testing/exercises; and implementing the resulting changes accordingly.

AWS customers are responsible for tracking and documenting information system
security incidents.

AWS customers are responsible for developing an Incident Response Plan (IRP) that:
1) Provides their organization with a roadmap for implementing its incident response
capability, 2) Describes the structure and organization of the incident response
capability, 3) Provides a high-level approach for how the incident response capability
fits into the overall organization, 4) Meets the unique requirements of the organization,
which relate to mission, size, structure, and functions, 5) Defines reportable incidents,
6) Provides metrics for measuring the incident response capability within the
organization, 7) Defines the resources and management support needed to effectively
maintain and mature an incident response capability, and 8) Is reviewed and approved
by organization-defined personnel or roles.

AWS customers are responsible for distributing copies of the IRP to organization-
defined incident response personnel (identified by name and/or role) and organizational
elements. The IRP must be reviewed and updated at a frequency defined by the incident
response policy to address system/organizational changes or problems encountered
during plan implementation, execution, or testing. Changes to the IRP must be
communicated to organization-defined incident response personnel (identified by name
and/or role) and organizational elements.

AWS customers are responsible for protecting the IRP from unauthorized disclosure
and modification.

AWS customers are responsible for: 1) Monitoring their information system to detect:
a) Attacks and indicators of potential attacks in accordance with organization-defined
monitoring objectives and b) Unauthorized local, network, and remote connections; 2)
Identifying unauthorized use of the information system through organization-defined
techniques and methods; 3) Deploying monitoring devices: a) Strategically within the
information system to collect organization-determined essential information and b) At
ad hoc locations within the system to track specific types of transactions of interest to
their organization; 4) Protecting information obtained from intrusion-monitoring tools
from unauthorized access, modification, and deletion; 5) Heightening the level of
information system monitoring activity whenever there is an indication of increased
risk to organizational operations and assets, individuals, other organizations, or the
Nation based on law enforcement information, intelligence information, or other
credible sources of information; 6) Obtaining legal opinion with regard to information
system monitoring activities in accordance with applicable federal laws, Executive
Orders, directives, policies, or regulations; and 7) Providing organization-defined
information system monitoring information to organization-defined personnel or roles
as needed or in accordance with an organization-defined frequency.

AWS customers are responsible for developing a contingency plan for their system
that: 1) Identifies essential missions and business functions and associated contingency
requirements, 2) Provides recovery objectives, restoration priorities, and metrics, 3)
Addresses contingency roles, responsibilities, and assigned individuals with contact
information, 4) Addresses maintaining essential missions and business functions
despite an information system disruption, compromise, or failure, 5) Addresses
eventual, full information system restoration without deterioration of the security
safeguards originally planned and implemented, and 6) Is reviewed and approved by
organization-defined personnel or roles in accordance with the contingency planning
policy.

AWS customers are responsible for distributing copies of the contingency plan to
organization-defined key contingency personnel (identified by name and/or by role)
and organizational elements. Contingency planning activities must be coordinated with
incident handling activities. The contingency plan must be reviewed at a frequency
defined in the contingency planning policy and updated to address changes to their
organization, system, or environment of operation and problems encountered during
implementation, execution, or testing.

AWS customers are responsible for communicating contingency plan changes to
organization-defined personnel and for protecting the contingency plan from
unauthorized disclosure and modification.

AWS customers are responsible for implementing an incident handling capability for
security incidents that includes preparation, detection and analysis, containment,
eradication, and recovery in accordance with their incident response policy. In
addition, AWS customers are responsible for coordinating incident handling activities
with contingency planning activities; incorporating lessons learned from ongoing
incident handling activities into incident response procedures, training, and
testing/exercises; and implementing the resulting changes accordingly.

AWS customers are responsible for: 1) Conducting an assessment of risk to include the
likelihood and magnitude of harm from the unauthorized access, use, disclosure,
disruption, modification, or destruction of their information system and the information
it processes, stores, or transmits, 2) Documenting risk assessment results in the system
plan, security assessment report, or other organization-defined document, 3) Reviewing
risk assessment results at an organization-defined frequency, 4) Disseminating risk
assessment results to organization-defined personnel or roles, and 5) Updating the risk
assessment at an organization-defined frequency or whenever there are significant
changes to the information system or environment of operation (including the
identification of new threats and vulnerabilities) or other conditions that may impact
the security state of the system.

AWS customers are responsible for: 1) Monitoring their information system to detect:
a) Attacks and indicators of potential attacks in accordance with organization-defined
monitoring objectives and b) Unauthorized local, network, and remote connections; 2)
Identifying unauthorized use of the information system through organization-defined
techniques and methods; 3) Deploying monitoring devices: a) Strategically within the
information system to collect organization-determined essential information and b) At
ad hoc locations within the system to track specific types of transactions of interest to
their organization; 4) Protecting information obtained from intrusion-monitoring tools
from unauthorized access, modification, and deletion; 5) Heightening the level of
information system monitoring activity whenever there is an indication of increased
risk to organizational operations and assets, individuals, other organizations, or the
Nation based on law enforcement information, intelligence information, or other
credible sources of information; 6) Obtaining legal opinion with regard to information
system monitoring activities in accordance with applicable federal laws, Executive
Orders, directives, policies, or regulations; and 7) Providing organization-defined
information system monitoring information to organization-defined personnel or roles
as needed or in accordance with an organization-defined frequency.

AWS customers are responsible for implementing an incident handling capability for
security incidents that includes preparation, detection and analysis, containment,
eradication, and recovery in accordance with their incident response policy. In
addition, AWS customers are responsible for coordinating incident handling activities
with contingency planning activities; incorporating lessons learned from ongoing
incident handling activities into incident response procedures, training, and
testing/exercises; and implementing the resulting changes accordingly.

AWS customers are responsible for tracking and documenting information system
security incidents.

AWS customers are responsible for developing an Incident Response Plan (IRP) that:
1) Provides their organization with a roadmap for implementing its incident response
capability, 2) Describes the structure and organization of the incident response
capability, 3) Provides a high-level approach for how the incident response capability
fits into the overall organization, 4) Meets the unique requirements of the organization,
which relate to mission, size, structure, and functions, 5) Defines reportable incidents,
6) Provides metrics for measuring the incident response capability within the
organization, 7) Defines the resources and management support needed to effectively
maintain and mature an incident response capability, and 8) Is reviewed and approved
by organization-defined personnel or roles.

AWS customers are responsible for distributing copies of the IRP to organization-
defined incident response personnel (identified by name and/or role) and organizational
elements. The IRP must be reviewed and updated at a frequency defined by the incident
response policy to address system/organizational changes or problems encountered
during plan implementation, execution, or testing. Changes to the IRP must be
communicated to organization-defined incident response personnel (identified by name
and/or role) and organizational elements.

AWS customers are responsible for protecting the IRP from unauthorized disclosure
and modification.

AWS customers are responsible for managing accounts associated with their
applications hosted on AWS. AWS customers are responsible for properly using AWS
Identity and Access Management (IAM) to create and manage user accounts and to
enforce access within their Amazon Elastic Compute Cloud (Amazon EC2) instances
and all applications they install.

AWS customers in the context of managing their user accounts are responsible for: 1)
Identifying and selecting system accounts; 2) Assigning account managers for system
accounts; 3) Specifying authorized users, group and role membership, access
authorizations, and other attributes as required for each account; 4) Requiring
approvals from customer-defined personnel or roles for account creation requests; 5)
Monitoring account usage; 6) Notifying account managers when: a) Accounts are no
longer required, b) Users are terminated or transferred, and c) Individual system usage
or need-to-know changes; 7) Authorizing access based on: a) A valid access
authorization, b) Intended system usage, and c) Other attributes as required by their
organization or associated mission/business functions; 8) Reviewing accounts for
compliance with account management requirements at a frequency defined by their
organization; and 9) Establishing a process for reissuing shared/group account
credentials when individuals are removed from the group.

More information on implementing these functions using IAM is available at
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html.
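Several of the account-management steps above (monitoring account usage, noticing when accounts are no longer required, and reviewing accounts for compliance at a defined frequency) can be driven from the IAM credential report. The block below is an added example, not AWS code and not part of the matrix: it reads a constructed credential-report CSV (a subset of the real report's columns; the account ID 111122223333 is the AWS documentation placeholder and all users and dates are invented) and flags console users without MFA, users idle beyond a threshold, access keys older than a rotation limit, and an active access key on the root account. The review date is passed in explicitly so the result is reproducible.

```python
"""Review an IAM credential report for account-management findings (added example)."""
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of `aws iam get-credential-report`
# (only the columns this example uses; the real report has more, e.g. access_key_2_*).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2022-01-01T00:00:00+00:00,not_supported,no_information,true,true,2024-02-01T00:00:00+00:00,2024-02-15T00:00:00+00:00
alice,arn:aws:iam::111122223333:user/alice,2023-05-01T00:00:00+00:00,true,2024-02-20T00:00:00+00:00,true,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-05-01T00:00:00+00:00,true,2024-02-25T00:00:00+00:00,false,false,N/A,N/A
carol,arn:aws:iam::111122223333:user/carol,2023-05-01T00:00:00+00:00,true,2023-10-01T00:00:00+00:00,true,true,2023-09-15T00:00:00+00:00,2023-10-05T00:00:00+00:00
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,2024-01-15T00:00:00+00:00,false,N/A,false,true,2024-01-15T00:00:00+00:00,2024-02-28T00:00:00+00:00
"""

# Fixed "today" for the example so the findings are reproducible (assumption).
EXAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

# Values the credential report uses when a timestamp does not apply.
_NO_VALUE = {"", "N/A", "no_information", "not_supported"}


def _ts(value):
    """Parse a credential-report timestamp, or return None when there is none."""
    return None if value in _NO_VALUE else datetime.fromisoformat(value)


def parse_credential_report(csv_text):
    """Turn the CSV report into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def review_accounts(rows, now, inactive_days=90, key_max_age_days=90):
    """Apply the review rules to each row; thresholds are organization-defined."""
    findings = []
    for row in rows:
        user = row["user"]
        console_enabled = row["password_enabled"] == "true"
        mfa = row["mfa_active"] == "true"
        key_active = row["access_key_1_active"] == "true"
        key_rotated = _ts(row["access_key_1_last_rotated"])
        created = _ts(row["user_creation_time"])
        last_seen = [t for t in (_ts(row["password_last_used"]),
                                 _ts(row["access_key_1_last_used_date"])) if t]

        # Root should have no long-lived programmatic credentials at all.
        if user == "<root_account>" and key_active:
            findings.append({"user": user, "rule": "root_access_key"})
        # Anyone who can sign in to the console needs MFA.
        if console_enabled and not mfa:
            findings.append({"user": user, "rule": "console_user_without_mfa"})
        # Active keys past the rotation limit.
        if key_active and key_rotated and (now - key_rotated).days > key_max_age_days:
            findings.append({"user": user, "rule": "stale_access_key"})
        # Accounts with no recent activity are candidates for removal.
        reference = max(last_seen) if last_seen else created
        if reference and (now - reference).days > inactive_days:
            findings.append({"user": user, "rule": "inactive_user"})
    return sorted(findings, key=lambda f: (f["user"], f["rule"]))


if __name__ == "__main__":
    for finding in review_accounts(parse_credential_report(SAMPLE_REPORT), EXAMPLE_NOW):
        print(f"{finding['user']:15} {finding['rule']}")
```

Findings from this kind of review are the input to steps 6 and 8 above (notifying account managers and the periodic compliance review); the thresholds belong in the organization's access control policy rather than in the script.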

AWS customers are responsible for configuring their systems to: 1) Provide audit
record generation capabilities for the auditable events defined in AU-2a for all system
components where audit capabilities are deployed/required based on the audit and
accountability policy, 2) Allow organization-defined personnel or roles to select which
auditable events are to be audited by specific components, and 3) Generate audit
records for the events defined in AU-2d with the content defined in AU-3.

AWS customers are responsible for developing a continuous monitoring strategy and
implementing a continuous monitoring program in accordance with their security
assessment and authorization policy that defines: 1) Metrics to be monitored, 2)
Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for
conducting and receiving continuous monitoring analysis information. Pursuant to this
continuous monitoring program, AWS customers are responsible for: 1) Establishing
and configuring monitoring for defined metrics, 2) Monitoring and conducting
assessments at organization-defined frequencies, 3) Conducting ongoing security
control assessments, 4) Conducting ongoing security status monitoring of their
organization-defined metrics, 5) Correlating and analyzing security-related information
generated by assessments and monitoring, 6) Taking appropriate response actions to
address the results of the analysis of security-related information, and 7) Reporting the
security status of their organization and the information system to the organization-
defined personnel or roles at the organization-defined frequency.

AWS customers are responsible for implementing a configuration change control
process in accordance with their configuration management policy that includes the
following elements: 1) Determination of the types of changes to the information system
that are configuration-controlled, 2) Review of all proposed configuration-controlled
changes to the information system and approval or disapproval of such changes with
explicit consideration for security impact analyses, 3) Documentation of configuration
change decisions associated with the information system, 4) Implementation of
approved configuration-controlled changes to the information system, and 5) Retention of
records of configuration-controlled changes to the information system for an
organization-defined time period.

AWS customers are responsible for configuring their systems to protect against or limit
the effects of organization-defined types of denial of service attacks by employing
organization-defined security safeguards.

More information on best practices for resiliency against denial of service attacks is
available at https://d0.awsstatic.com/whitepapers/DDoS_White_Paper_June2015.pdf.

AWS customers are responsible for: 1) Monitoring and controlling communications at
the external boundary of the system and at key internal boundaries within the system,
2) Implementing subnetworks for publicly accessible system components that are
physically or logically separated from internal organizational networks, and 3)
Connecting to external networks or information systems only through managed
interfaces consisting of boundary protection devices arranged in accordance with
organizational security architecture.

More information on securing an Amazon VPC is available at
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html.

AWS customers are responsible for: 1) Monitoring their information system to detect:
a) Attacks and indicators of potential attacks in accordance with organization-defined
monitoring objectives and b) Unauthorized local, network, and remote connections; 2)
Identifying unauthorized use of the information system through organization-defined
techniques and methods; 3) Deploying monitoring devices: a) Strategically within the
information system to collect organization-determined essential information and b) At
ad hoc locations within the system to track specific types of transactions of interest to
their organization; 4) Protecting information obtained from intrusion-monitoring tools
from unauthorized access, modification, and deletion; 5) Heightening the level of
information system monitoring activity whenever there is an indication of increased
risk to organizational operations and assets, individuals, other organizations, or the
Nation based on law enforcement information, intelligence information, or other
credible sources of information; 6) Obtaining legal opinion with regard to information
system monitoring activities in accordance with applicable federal laws, Executive
Orders, directives, policies, or regulations; and 7) Providing organization-defined
information system monitoring information to organization-defined personnel or roles
as needed or in accordance with an organization-defined frequency.

AWS customers are responsible for developing a continuous monitoring strategy and
implementing a continuous monitoring program in accordance with their security
assessment and authorization policy that defines: 1) Metrics to be monitored, 2)
Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for
conducting and receiving continuous monitoring analysis information. Pursuant to this
continuous monitoring program, AWS customers are responsible for: 1) Establishing
and configuring monitoring for defined metrics, 2) Monitoring and conducting
assessments at organization-defined frequencies, 3) Conducting ongoing security
control assessments, 4) Conducting ongoing security status monitoring of their
organization-defined metrics, 5) Correlating and analyzing security-related information
generated by assessments and monitoring, 6) Taking appropriate response actions to
address the results of the analysis of security-related information, and 7) Reporting the
security status of their organization and the information system to the organization-
defined personnel or roles at the organization-defined frequency.

N/A
N/A

N/A

AWS customers are responsible for managing accounts associated with their
applications hosted on AWS. AWS customers are responsible for properly using AWS
Identity and Access Management (IAM) to create and manage user accounts and to
enforce access within their Amazon Elastic Compute Cloud (Amazon EC2) instances
and all applications they install.

AWS customers in the context of managing their user accounts are responsible for: 1)
Identifying and selecting system accounts; 2) Assigning account managers for system
accounts; 3) Specifying authorized users, group and role membership, access
authorizations, and other attributes as required for each account; 4) Requiring
approvals from customer-defined personnel or roles for account creation requests; 5)
Monitoring account usage; 6) Notifying account managers when: a) Accounts are no
longer required, b) Users are terminated or transferred, and c) Individual system usage
or need-to-know changes; 7) Authorizing access based on: a) A valid access
authorization, b) Intended system usage, and c) Other attributes as required by their
organization or associated mission/business functions; 8) Reviewing accounts for
compliance with account management requirements at a frequency defined by their
organization; and 9) Establishing a process for reissuing shared/group account
credentials when individuals are removed from the group.

More information on implementing these functions using IAM is available at
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html.

AWS customers are responsible for configuring their systems to: 1) Provide audit
record generation capabilities for the auditable events defined in AU-2a for all system
components where audit capabilities are deployed/required based on the audit and
accountability policy, 2) Allow organization-defined personnel or roles to select which
auditable events are to be audited by specific components, and 3) Generate audit
records for the events defined in AU-2d with the content defined in AU-3.

N/A

AWS customers are responsible for developing a continuous monitoring strategy and
implementing a continuous monitoring program in accordance with their security
assessment and authorization policy that defines: 1) Metrics to be monitored, 2)
Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for
conducting and receiving continuous monitoring analysis information. Pursuant to this
continuous monitoring program, AWS customers are responsible for: 1) Establishing
and configuring monitoring for defined metrics, 2) Monitoring and conducting
assessments at organization-defined frequencies, 3) Conducting ongoing security
control assessments, 4) Conducting ongoing security status monitoring of their
organization-defined metrics, 5) Correlating and analyzing security-related information
generated by assessments and monitoring, 6) Taking appropriate response actions to
address the results of the analysis of security-related information, and 7) Reporting the
security status of their organization and the information system to the organization-
defined personnel or roles at the organization-defined frequency.

AWS customers are responsible for: 1) Using software and associated documentation
in accordance with contract agreements and copyright laws, 2) Tracking the use of
software and associated documentation protected by quantity licenses to control
copying and distribution, and 3) Controlling and documenting the use of peer-to-peer
file sharing technology to ensure that this capability is not used for the unauthorized
distribution, display, performance, or reproduction of copyrighted work.

AWS customers are responsible for establishing, enforcing, and monitoring software
installation policies that govern the installation of software by users based on
organization-defined methods and frequency for monitoring.

AWS customers are responsible for: 1) Implementing malicious code protection
mechanisms at information system entry and exit points to detect and eradicate
malicious code; 2) Updating malicious code protection mechanisms whenever new
releases are available in accordance with organizational configuration management
policy and procedures; 3) Configuring malicious code protection mechanisms to: a)
Perform periodic scans of the information system at an organization-defined frequency
and real-time scans of files from external sources at endpoints and/or network
entry/exit points as the files are downloaded, opened, or executed in accordance with
organizational security policy and b) Either block malicious code, quarantine malicious
code, send an alert to an administrator, and/or take other organization-defined actions
in response to malicious code detection; and 4) Addressing the receipt of false positives
during malicious code detection and eradication and the resulting potential impact on
the availability of the information system.

AWS customers are responsible for employing spam protection mechanisms at
information system entry and exit points to detect and take actions on unsolicited
messages. Spam protection mechanisms must be updated when new releases are
available in accordance with the organizational configuration management policy and
procedures.

AWS customers are responsible for defining acceptable and unacceptable mobile code,
establishing usage restrictions and implementation guidance for acceptable mobile
code, and authorizing, monitoring, and controlling the use of mobile code within their
systems.

N/A

AWS customers are responsible for: 1) Monitoring their information system to detect:
a) Attacks and indicators of potential attacks in accordance with organization-defined
monitoring objectives and b) Unauthorized local, network, and remote connections; 2)
Identifying unauthorized use of the information system through organization-defined
techniques and methods; 3) Deploying monitoring devices: a) Strategically within the
information system to collect organization-determined essential information and b) At
ad hoc locations within the system to track specific types of transactions of interest to
their organization; 4) Protecting information obtained from intrusion-monitoring tools
from unauthorized access, modification, and deletion; 5) Heightening the level of
information system monitoring activity whenever there is an indication of increased
risk to organizational operations and assets, individuals, other organizations, or the
Nation based on law enforcement information, intelligence information, or other
credible sources of information; 6) Obtaining legal opinion with regard to information
system monitoring activities in accordance with applicable federal laws, Executive
Orders, directives, policies, or regulations; and 7) Providing organization-defined
information system monitoring information to organization-defined personnel or roles
as needed or in accordance with an organization-defined frequency.

AWS customers are responsible for developing a continuous monitoring strategy and
implementing a continuous monitoring program in accordance with their security
assessment and authorization policy that defines: 1) Metrics to be monitored, 2)
Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for
conducting and receiving continuous monitoring analysis information. Pursuant to this
continuous monitoring program, AWS customers are responsible for: 1) Establishing
and configuring monitoring for defined metrics, 2) Monitoring and conducting
assessments at organization-defined frequencies, 3) Conducting ongoing security
control assessments, 4) Conducting ongoing security status monitoring of their
organization-defined metrics, 5) Correlating and analyzing security-related information
generated by assessments and monitoring, 6) Taking appropriate response actions to
address the results of the analysis of security-related information, and 7) Reporting the
security status of their organization and the information system to the organization-
defined personnel or roles at the organization-defined frequency.

AWS customers are responsible for: 1) Establishing personnel security requirements
including security roles and responsibilities for third-party providers, 2) Requiring
third-party providers to comply with personnel security policies and procedures
established by their organization, 3) Documenting personnel security requirements, 4)
Requiring third-party providers to notify organization-defined personnel or roles of any
personnel transfers or terminations of third-party personnel who possess organizational
credentials and/or badges or who have information system privileges within an
organization-defined time period, and 5) Monitoring provider compliance.

AWS customers are responsible for including the following requirements, descriptions,
and criteria explicitly or by reference in the acquisition contract for the information
system, system component, or information system service in accordance with
applicable federal laws, Executive Orders, directives, policies, regulations, standards,
guidelines, and organizational mission/business needs: 1) Security functional
requirements, 2) Security strength requirements, 3) Security assurance requirements, 4)
Security-related documentation requirements, 5) Requirements for protecting security-
related documentation, 6) Description of the information system development
environment and environment in which the system is intended to operate, and 7)
Acceptance criteria.

AWS customers are responsible for: 1) Requiring that providers of external
information system services comply with organizational information security
requirements and employ organization-defined security controls in accordance with
applicable federal laws, Executive Orders, directives, policies, regulations, standards,
and guidance, 2) Defining and documenting government oversight and user roles and
responsibilities with regard to external information system services, and 3) Employing
organization-defined processes, methods, and techniques to monitor security control
compliance by external service providers on an ongoing basis.

AWS customers are responsible for: 1) Monitoring their information system to detect:
a) Attacks and indicators of potential attacks in accordance with organization-defined
monitoring objectives and b) Unauthorized local, network, and remote connections; 2)
Identifying unauthorized use of the information system through organization-defined
techniques and methods; 3) Deploying monitoring devices: a) Strategically within the
information system to collect organization-determined essential information and b) At
ad hoc locations within the system to track specific types of transactions of interest to
their organization; 4) Protecting information obtained from intrusion-monitoring tools
from unauthorized access, modification, and deletion; 5) Heightening the level of
information system monitoring activity whenever there is an indication of increased
risk to organizational operations and assets, individuals, other organizations, or the
Nation based on law enforcement information, intelligence information, or other
credible sources of information; 6) Obtaining legal opinion with regard to information
system monitoring activities in accordance with applicable federal laws, Executive
Orders, directives, policies, or regulations; and 7) Providing organization-defined
information system monitoring information to organization-defined personnel or roles
as needed or in accordance with an organization-defined frequency.

AWS customers are responsible for configuring their systems to: 1) Provide audit
record generation capabilities for the auditable events defined in AU-2a for all system
components where audit capabilities are deployed/required based on the audit and
accountability policy, 2) Allow organization-defined personnel or roles to select which
auditable events are to be audited by specific components, and 3) Generate audit
records for the events defined in AU-2d with the content defined in AU-3.

AWS customers are responsible for developing a continuous monitoring strategy and
implementing a continuous monitoring program in accordance with their security
assessment and authorization policy that defines: 1) Metrics to be monitored, 2)
Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for
conducting and receiving continuous monitoring analysis information. Pursuant to this
continuous monitoring program, AWS customers are responsible for: 1) Establishing
and configuring monitoring for defined metrics, 2) Monitoring and conducting
assessments at organization-defined frequencies, 3) Conducting ongoing security
control assessments, 4) Conducting ongoing security status monitoring of their
organization-defined metrics, 5) Correlating and analyzing security-related information
generated by assessments and monitoring, 6) Taking appropriate response actions to
address the results of the analysis of security-related information, and 7) Reporting the
security status of their organization and the information system to the organization-
defined personnel or roles at the organization-defined frequency.

AWS customers are responsible for implementing a configuration change control
process in accordance with their configuration management policy that includes the
following elements: 1) Determination of the types of changes to the information system
that are configuration-controlled, 2) Review of all proposed configuration-controlled
changes to the information system and approval or disapproval of such changes with
explicit consideration for security impact analyses, 3) Documentation of configuration
change decisions associated with the information system, 4) Implementation of
approved configuration-controlled changes to the information system, and 5) Retention of
records of configuration-controlled changes to the information system for an
organization-defined time period.

AWS customers are responsible for developing, documenting, reviewing, and updating
at an organization-defined frequency an inventory of system components for their
systems. AWS customers are responsible for verifying that the inventory: 1) Accurately
reflects the current system, 2) Includes all components within the authorization
boundary, 3) Is at the level of granularity deemed necessary for tracking and reporting,
and 4) Includes the information prescribed by the configuration management policy
that is deemed necessary to achieve effective information system component
accountability.

N/A
N/A

N/A

AWS customers are responsible for: 1) Monitoring their information system to detect:
a) Attacks and indicators of potential attacks in accordance with organization-defined
monitoring objectives and b) Unauthorized local, network, and remote connections; 2)
Identifying unauthorized use of the information system through organization-defined
techniques and methods; 3) Deploying monitoring devices: a) Strategically within the
information system to collect organization-determined essential information and b) At
ad hoc locations within the system to track specific types of transactions of interest to
their organization; 4) Protecting information obtained from intrusion-monitoring tools
from unauthorized access, modification, and deletion; 5) Heightening the level of
information system monitoring activity whenever there is an indication of increased
risk to organizational operations and assets, individuals, other organizations, or the
Nation based on law enforcement information, intelligence information, or other
credible sources of information; 6) Obtaining legal opinion with regard to information
system monitoring activities in accordance with applicable federal laws, Executive
Orders, directives, policies, or regulations; and 7) Providing organization-defined
information system monitoring information to organization-defined personnel or roles
as needed or in accordance with an organization-defined frequency.

AWS customers are responsible for: 1) Scanning for vulnerabilities in their information
system and hosted applications at an organization-defined frequency and/or randomly
in accordance with their organization-defined process and when new vulnerabilities
potentially affecting the system/applications are identified and reported; 2) Employing
vulnerability scanning tools and techniques that promote interoperability among tools
and automated parts of the vulnerability management process by using standards for: a)
Enumerating platforms, software flaws, and improper configurations, b) Formatting
and making transparent checklists and test procedures, and c) Measuring vulnerability
impact; 3) Analyzing vulnerability scan reports and results from security control
assessments; 4) Remediating legitimate vulnerabilities within organization-defined
response times in accordance with an organizational assessment of risk; and 5) Sharing
information obtained from the vulnerability scanning process and security control
assessments with organization-defined personnel or roles to help eliminate similar
vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

Prior to conducting penetration testing or vulnerability scanning activities, AWS
customers are required to request authorization through the following URL:
https://aws.amazon.com/security/penetration-testing/.

RDS Specific (Postgres, MySQL, MariaDB, SQL Server, Aurora, Oracle): AWS Customers
are responsible for meeting scanning requirements on their databases in accordance
with organization-defined frequency and/or when new vulnerabilities have been
identified. Also, AWS Customers are required to remediate legitimate findings within
the organization-defined timeframe.

DynamoDB Specific: This service is a fully managed cloud NoSQL database service. AWS
customers offload to AWS database management tasks such as hardware or software
provisioning, setup and configuration, software patching, operating a reliable,
distributed database cluster, and partitioning data over multiple instances as they scale.

AWS customers are responsible for conducting security assessments for their systems.
Within this context and in accordance with their security assessment and authorization
policy, AWS customers are responsible for: 1) Developing a security assessment plan
that describes the security controls and control enhancements under assessment,
assessment procedures used to determine effectiveness, the assessment environment,
the assessment team, and the assessment roles and responsibilities, 2) Assessing
security controls in their system and its environment of operation at an organization-
defined frequency to determine the extent to which the controls are implemented
correctly, operating as intended, and producing the desired outcome with respect to
meeting established security requirements, 3) Producing a security assessment report
that documents the results of the assessment, and 4) Providing the results of the
security control assessment to their organization-defined individuals or roles.

AWS customers are responsible for developing a continuous monitoring strategy and
implementing a continuous monitoring program in accordance with their security
assessment and authorization policy that defines: 1) Metrics to be monitored, 2)
Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for
conducting and receiving continuous monitoring analysis information. Pursuant to this
continuous monitoring program, AWS customers are responsible for: 1) Establishing
and configuring monitoring for defined metrics, 2) Monitoring and conducting
assessments at organization-defined frequencies, 3) Conducting ongoing security
control assessments, 4) Conducting ongoing security status monitoring of their
organization-defined metrics, 5) Correlating and analyzing security-related information
generated by assessments and monitoring, 6) Taking appropriate response actions to
address the results of the analysis of security-related information, and 7) Reporting the
security status of their organization and the information system to the organization-
defined personnel or roles at the organization-defined frequency.

N/A
N/A
AWS customers are responsible for conducting security assessments for their systems.
Within this context and in accordance with their security assessment and authorization
policy, AWS customers are responsible for: 1) Developing a security assessment plan
that describes the security controls and control enhancements under assessment,
assessment procedures used to determine effectiveness, the assessment environment,
the assessment team, and the assessment roles and responsibilities, 2) Assessing
security controls in their system and its environment of operation at an organization-
defined frequency to determine the extent to which the controls are implemented
correctly, operating as intended, and producing the desired outcome with respect to
meeting established security requirements, 3) Producing a security assessment report
that documents the results of the assessment, and 4) Providing the results of the
security control assessment to their organization-defined individuals or roles.

AWS customers are responsible for developing a continuous monitoring strategy and
implementing a continuous monitoring program in accordance with their security
assessment and authorization policy that defines: 1) Metrics to be monitored, 2)
Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for
conducting and receiving continuous monitoring analysis information. Pursuant to this
continuous monitoring program, AWS customers are responsible for: 1) Establishing
and configuring monitoring for defined metrics, 2) Monitoring and conducting
assessments at organization-defined frequencies, 3) Conducting ongoing security
control assessments, 4) Conducting ongoing security status monitoring of their
organization-defined metrics, 5) Correlating and analyzing security-related information
generated by assessments and monitoring, 6) Taking appropriate response actions to
address the results of the analysis of security-related information, and 7) Reporting the
security status of their organization and the information system to the organization-
defined personnel or roles at the organization-defined frequency.

N/A
N/A
AWS customers are responsible for: 1) Monitoring their information system to detect:
a) Attacks and indicators of potential attacks in accordance with organization-defined
monitoring objectives and b) Unauthorized local, network, and remote connections; 2)
Identifying unauthorized use of the information system through organization-defined
techniques and methods; 3) Deploying monitoring devices: a) Strategically within the
information system to collect organization-determined essential information and b) At
ad hoc locations within the system to track specific types of transactions of interest to
their organization; 4) Protecting information obtained from intrusion-monitoring tools
from unauthorized access, modification, and deletion; 5) Heightening the level of
information system monitoring activity whenever there is an indication of increased
risk to organizational operations and assets, individuals, other organizations, or the
Nation based on law enforcement information, intelligence information, or other
credible sources of information; 6) Obtaining legal opinion with regard to information
system monitoring activities in accordance with applicable federal laws, Executive
Orders, directives, policies, or regulations; and 7) Providing organization-defined
information system monitoring information to organization-defined personnel or roles
as needed or in accordance with an organization-defined frequency.

AWS customers are responsible for conducting security assessments for their systems.
Within this context and in accordance with their security assessment and authorization
policy, AWS customers are responsible for: 1) Developing a security assessment plan
that describes the security controls and control enhancements under assessment,
assessment procedures used to determine effectiveness, the assessment environment,
the assessment team, and the assessment roles and responsibilities, 2) Assessing
security controls in their system and its environment of operation at an organization-
defined frequency to determine the extent to which the controls are implemented
correctly, operating as intended, and producing the desired outcome with respect to
meeting established security requirements, 3) Producing a security assessment report
that documents the results of the assessment, and 4) Providing the results of the
security control assessment to their organization-defined individuals or roles.

AWS customers are responsible for developing a continuous monitoring strategy and
implementing a continuous monitoring program in accordance with their security
assessment and authorization policy that defines: 1) Metrics to be monitored, 2)
Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for
conducting and receiving continuous monitoring analysis information. Pursuant to this
continuous monitoring program, AWS customers are responsible for: 1) Establishing
and configuring monitoring for defined metrics, 2) Monitoring and conducting
assessments at organization-defined frequencies, 3) Conducting ongoing security
control assessments, 4) Conducting ongoing security status monitoring of their
organization-defined metrics, 5) Correlating and analyzing security-related information
generated by assessments and monitoring, 6) Taking appropriate response actions to
address the results of the analysis of security-related information, and 7) Reporting the
security status of their organization and the information system to the organization-
defined personnel or roles at the organization-defined frequency.

N/A

N/A
AWS customers are responsible for: 1) Implementing malicious code protection
mechanisms at information system entry and exit points to detect and eradicate
malicious code; 2) Updating malicious code protection mechanisms whenever new
releases are available in accordance with organizational configuration management
policy and procedures; 3) Configuring malicious code protection mechanisms to: a)
Perform periodic scans of the information system at an organization-defined frequency
and real-time scans of files from external sources at endpoints and/or network
entry/exit points as the files are downloaded, opened, or executed in accordance with
organizational security policy and b) Either block malicious code, quarantine malicious
code, send an alert to an administrator, and/or take other organization-defined actions
in response to malicious code detection; and 4) Addressing the receipt of false positives
during malicious code detection and eradication and the resulting potential impact on
the availability of the information system.
AWS customers are responsible for: 1) Monitoring their information system to detect:
a) Attacks and indicators of potential attacks in accordance with organization-defined
monitoring objectives and b) Unauthorized local, network, and remote connections; 2)
Identifying unauthorized use of the information system through organization-defined
techniques and methods; 3) Deploying monitoring devices: a) Strategically within the
information system to collect organization-determined essential information and b) At
ad hoc locations within the system to track specific types of transactions of interest to
their organization; 4) Protecting information obtained from intrusion-monitoring tools
from unauthorized access, modification, and deletion; 5) Heightening the level of
information system monitoring activity whenever there is an indication of increased
risk to organizational operations and assets, individuals, other organizations, or the
Nation based on law enforcement information, intelligence information, or other
credible sources of information; 6) Obtaining legal opinion with regard to information
system monitoring activities in accordance with applicable federal laws, Executive
Orders, directives, policies, or regulations; and 7) Providing organization-defined
information system monitoring information to organization-defined personnel or roles
as needed or in accordance with an organization-defined frequency.

AWS customers are responsible for reviewing and analyzing audit records at an
organization-defined frequency for indications of organization-defined inappropriate or
unusual activity and reporting these findings to organization-defined personnel or roles
in accordance with their audit and accountability policy.

AWS customers are responsible for conducting security assessments for their systems.
Within this context and in accordance with their security assessment and authorization
policy, AWS customers are responsible for: 1) Developing a security assessment plan
that describes the security controls and control enhancements under assessment,
assessment procedures used to determine effectiveness, the assessment environment,
the assessment team, and the assessment roles and responsibilities, 2) Assessing
security controls in their system and its environment of operation at an organization-
defined frequency to determine the extent to which the controls are implemented
correctly, operating as intended, and producing the desired outcome with respect to
meeting established security requirements, 3) Producing a security assessment report
that documents the results of the assessment, and 4) Providing the results of the
security control assessment to their organization-defined individuals or roles.

AWS customers are responsible for developing a continuous monitoring strategy and
implementing a continuous monitoring program in accordance with their security
assessment and authorization policy that defines: 1) Metrics to be monitored, 2)
Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for
conducting and receiving continuous monitoring analysis information. Pursuant to this
continuous monitoring program, AWS customers are responsible for: 1) Establishing
and configuring monitoring for defined metrics, 2) Monitoring and conducting
assessments at organization-defined frequencies, 3) Conducting ongoing security
control assessments, 4) Conducting ongoing security status monitoring of their
organization-defined metrics, 5) Correlating and analyzing security-related information
generated by assessments and monitoring, 6) Taking appropriate response actions to
address the results of the analysis of security-related information, and 7) Reporting the
security status of their organization and the information system to the organization-
defined personnel or roles at the organization-defined frequency.

AWS customers are responsible for: 1) Scanning for vulnerabilities in their information
system and hosted applications at an organization-defined frequency and/or randomly
in accordance with their organization-defined process and when new vulnerabilities
potentially affecting the system/applications are identified and reported; 2) Employing
vulnerability scanning tools and techniques that promote interoperability among tools
and automated parts of the vulnerability management process by using standards for: a)
Enumerating platforms, software flaws, and improper configurations, b) Formatting
and making transparent checklists and test procedures, and c) Measuring vulnerability
impact; 3) Analyzing vulnerability scan reports and results from security control
assessments; 4) Remediating legitimate vulnerabilities within organization-defined
response times in accordance with an organizational assessment of risk; and 5) Sharing
information obtained from the vulnerability scanning process and security control
assessments with organization-defined personnel or roles to help eliminate similar
vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

Prior to conducting penetration testing or vulnerability scanning activities, AWS
customers are required to request authorization through the following URL:
https://aws.amazon.com/security/penetration-testing/.

RDS Specific (Postgres, MySQL, MariaDB, SQL Server, Aurora, Oracle): AWS Customers
are responsible for meeting scanning requirements on their databases in accordance
with organization-defined frequency and/or when new vulnerabilities have been
identified. Also, AWS Customers are required to remediate legitimate findings within
the organization-defined timeframe.

DynamoDB Specific: This service is a fully managed cloud NoSQL database service. AWS
customers offload to AWS database management tasks such as hardware or software
provisioning, setup and configuration, software patching, operating a reliable,
distributed database cluster, and partitioning data over multiple instances as they scale.

AWS customers are responsible for: 1) Monitoring their information system to detect:
a) Attacks and indicators of potential attacks in accordance with organization-defined
monitoring objectives and b) Unauthorized local, network, and remote connections; 2)
Identifying unauthorized use of the information system through organization-defined
techniques and methods; 3) Deploying monitoring devices: a) Strategically within the
information system to collect organization-determined essential information and b) At
ad hoc locations within the system to track specific types of transactions of interest to
their organization; 4) Protecting information obtained from intrusion-monitoring tools
from unauthorized access, modification, and deletion; 5) Heightening the level of
information system monitoring activity whenever there is an indication of increased
risk to organizational operations and assets, individuals, other organizations, or the
Nation based on law enforcement information, intelligence information, or other
credible sources of information; 6) Obtaining legal opinion with regard to information
system monitoring activities in accordance with applicable federal laws, Executive
Orders, directives, policies, or regulations; and 7) Providing organization-defined
information system monitoring information to organization-defined personnel or roles
as needed or in accordance with an organization-defined frequency.

AWS customers are responsible for conducting security assessments for their systems.
Within this context and in accordance with their security assessment and authorization
policy, AWS customers are responsible for: 1) Developing a security assessment plan
that describes the security controls and control enhancements under assessment,
assessment procedures used to determine effectiveness, the assessment environment,
the assessment team, and the assessment roles and responsibilities, 2) Assessing
security controls in their system and its environment of operation at an organization-
defined frequency to determine the extent to which the controls are implemented
correctly, operating as intended, and producing the desired outcome with respect to
meeting established security requirements, 3) Producing a security assessment report
that documents the results of the assessment, and 4) Providing the results of the
security control assessment to their organization-defined individuals or roles.

AWS customers are responsible for developing a continuous monitoring strategy and
implementing a continuous monitoring program in accordance with their security
assessment and authorization policy that defines: 1) Metrics to be monitored, 2)
Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for
conducting and receiving continuous monitoring analysis information. Pursuant to this
continuous monitoring program, AWS customers are responsible for: 1) Establishing
and configuring monitoring for defined metrics, 2) Monitoring and conducting
assessments at organization-defined frequencies, 3) Conducting ongoing security
control assessments, 4) Conducting ongoing security status monitoring of their
organization-defined metrics, 5) Correlating and analyzing security-related information
generated by assessments and monitoring, 6) Taking appropriate response actions to
address the results of the analysis of security-related information, and 7) Reporting the
security status of their organization and the information system to the organization-
defined personnel or roles at the organization-defined frequency.

AWS customers are responsible for developing a security plan for their systems that: 1)
Is consistent with the organization’s enterprise architecture, 2) Explicitly defines the
authorization boundary for the system, 3) Describes the operational context of the
information system in terms of missions and business processes, 4) Provides the
security categorization of the information system including supporting rationale, 5)
Describes the operational environment for the information system and relationships
with or connections to other information systems, 6) Provides an overview of the security
requirements for the system, 7) Identifies any relevant overlays, if applicable, 8)
Describes the security controls in place or planned for meeting those requirements, to
include a rationale for the tailoring decisions, and 9) Is reviewed and approved by the
authorizing official or designated representative prior to plan implementation.

In addition, AWS customers are responsible for distributing copies of the security plan
to organization-defined personnel or roles, reviewing the security plan at organization-
defined frequencies, and updating the security plan to address changes to the
information system/environment of operation or problems identified during plan
implementation or security control assessments. AWS customers are responsible for
protecting their security plan from unauthorized disclosure or modification.

N/A
AWS customers are responsible for: 1) Scanning for vulnerabilities in their information
system and hosted applications at an organization-defined frequency and/or randomly
in accordance with their organization-defined process and when new vulnerabilities
potentially affecting the system/applications are identified and reported; 2) Employing
vulnerability scanning tools and techniques that promote interoperability among tools
and automated parts of the vulnerability management process by using standards for: a)
Enumerating platforms, software flaws, and improper configurations, b) Formatting
and making transparent checklists and test procedures, and c) Measuring vulnerability
impact; 3) Analyzing vulnerability scan reports and results from security control
assessments; 4) Remediating legitimate vulnerabilities within organization-defined
response times in accordance with an organizational assessment of risk; and 5) Sharing
information obtained from the vulnerability scanning process and security control
assessments with organization-defined personnel or roles to help eliminate similar
vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
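The vulnerability scanning responsibility above (RA-5, which this section repeats three times) says what must happen to a finding but not how a customer keeps track of it. The following Python block is an added example, not part of the AWS matrix, showing one way to operationalise items 3 to 5 of that paragraph: map the CVSS base score a scanner reports to a severity band, compare each analyst-confirmed finding against an organization-defined response time, and surface CVEs that recur across assets as candidate systemic weaknesses to share with other system owners. The response-time table, the asset names, the report date and the findings list are constructed for the example; the CVE identifiers and base scores are the published NVD ratings, used only as sample input.

```python
"""Remediation-deadline check over constructed vulnerability scan findings (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Organization-defined response times per severity band. These values are an
# assumption for the example; each organization sets its own under its risk assessment.
RESPONSE_DAYS = {"critical": 15, "high": 30, "moderate": 90, "low": 180}


def cvss_band(score: float) -> str:
    """CVSS v3 qualitative severity rating for a base score."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "moderate"
    return "low"


@dataclass(frozen=True)
class Finding:
    asset: str                    # scanner's asset label (hypothetical identifiers below)
    cve: str                      # CVE identifier as reported by the scanner
    cvss: float                   # CVSS v3 base score as reported by the scanner
    first_seen: date              # date the scanner first reported the finding
    false_positive: bool = False  # set after analyst review of the scan report (item 3)


def due_date(f: Finding) -> date:
    """Deadline derived from the organization-defined response time for the finding's band."""
    return f.first_seen + timedelta(days=RESPONSE_DAYS[cvss_band(f.cvss)])


def overdue(findings, today: date):
    """Legitimate findings past their response time as (finding, days_overdue), worst first."""
    late = [(f, (today - due_date(f)).days)
            for f in findings if not f.false_positive and today > due_date(f)]
    return sorted(late, key=lambda t: (-t[1], t[0].asset, t[0].cve))


def systemic(findings, min_assets: int = 2):
    """CVEs confirmed on at least min_assets distinct assets: candidates to report
    as systemic weaknesses so other system owners can check for them (item 5)."""
    assets = defaultdict(set)
    for f in findings:
        if not f.false_positive:
            assets[f.cve].add(f.asset)
    return sorted(cve for cve, owners in assets.items() if len(owners) >= min_assets)


# Constructed sample scan output. Asset names are hypothetical; the CVE ids and
# base scores are the published NVD values, used here only as sample data.
SAMPLE = [
    Finding("i-0a1b", "CVE-2021-44228", 10.0, date(2024, 5, 1)),
    Finding("db-prod-1", "CVE-2016-2183", 7.5, date(2024, 4, 15)),
    Finding("i-0c2d", "CVE-2014-0160", 7.5, date(2024, 5, 20)),
    Finding("i-0c2d", "CVE-2021-44228", 10.0, date(2024, 5, 25)),
    Finding("i-0e3f", "CVE-2019-0708", 9.8, date(2024, 3, 1), false_positive=True),
]
TODAY = date(2024, 6, 1)  # constructed report date

if __name__ == "__main__":
    for f, days in overdue(SAMPLE, TODAY):
        print(f"OVERDUE {days:>3}d  {f.asset:<10} {f.cve} ({cvss_band(f.cvss)})")
    print("systemic:", systemic(SAMPLE))
```

The false-positive flag is deliberately an analyst decision recorded on the finding rather than a scanner attribute: item 4 applies to "legitimate" vulnerabilities, so the review in item 3 has to happen before the clock is judged, and the record of that decision is what an assessor will ask for.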

Prior to conducting penetration testing or vulnerability scanning activities, AWS
customers are required to request authorization through the following URL:
https://aws.amazon.com/security/penetration-testing/.

RDS Specific (Postgres, MySQL, MariaDB, SQL Server, Aurora, Oracle): AWS Customers
are responsible for meeting scanning requirements on their databases in accordance
with organization-defined frequency and/or when new vulnerabilities have been
identified. Also, AWS Customers are required to remediate legitimate findings within
the organization-defined timeframe.

DynamoDB Specific: This service is a fully managed cloud NoSQL database service. AWS
customers offload to AWS database management tasks such as hardware or software
provisioning, setup and configuration, software patching, operating a reliable,
distributed database cluster, and partitioning data over multiple instances as they scale.

AWS customers are responsible for: 1) Monitoring their information system to detect:
a) Attacks and indicators of potential attacks in accordance with organization-defined
monitoring objectives and b) Unauthorized local, network, and remote connections; 2)
Identifying unauthorized use of the information system through organization-defined
techniques and methods; 3) Deploying monitoring devices: a) Strategically within the
information system to collect organization-determined essential information and b) At
ad hoc locations within the system to track specific types of transactions of interest to
their organization; 4) Protecting information obtained from intrusion-monitoring tools
from unauthorized access, modification, and deletion; 5) Heightening the level of
information system monitoring activity whenever there is an indication of increased
risk to organizational operations and assets, individuals, other organizations, or the
Nation based on law enforcement information, intelligence information, or other
credible sources of information; 6) Obtaining legal opinion with regard to information
system monitoring activities in accordance with applicable federal laws, Executive
Orders, directives, policies, or regulations; and 7) Providing organization-defined
information system monitoring information to organization-defined personnel or roles
as needed or in accordance with an organization-defined frequency.
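The monitoring responsibility above (SI-4 items 1, 4 and 7, repeated at several points in this section) and the audit-record review responsibility (AU-6) list what a customer must detect but not how the review looks in practice. The Python block below is an added example, not part of the AWS matrix, that applies four review rules to CloudTrail records: API calls from outside the organization's authorized remote-access ranges (item 1b), console logins without MFA, calls that stop or alter the trail itself (item 4, protecting the monitoring data), and principals with repeated AccessDenied errors (item 1a). The record field names follow the CloudTrail event format; the authorized CIDR, the AccessDenied threshold, the user names and the sample events are constructed assumptions for the example.

```python
"""CloudTrail review rules over constructed sample events (added example)."""
import ipaddress
import json
from collections import Counter

# Assumed for this example: the organization's authorized remote-access ranges
# (an RFC 5737 documentation block) and the number of AccessDenied errors per
# principal that the analyst treats as an indicator of probing.
AUTHORIZED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]
ACCESS_DENIED_THRESHOLD = 3
# API calls that disable or alter the audit source itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def principal(ev: dict) -> str:
    """Best available identity label for a CloudTrail record."""
    ident = ev.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def remote_client(ev: dict):
    """The caller's IP, or None when an AWS service made the call (CloudTrail then
    records the service's DNS name in sourceIPAddress instead of an address)."""
    try:
        return ipaddress.ip_address(ev.get("sourceIPAddress", ""))
    except ValueError:
        return None


def review(records):
    """Apply the review rules and return (rule, principal, detail) findings."""
    findings = []
    denied = Counter()
    for ev in records:
        who = principal(ev)
        ip = remote_client(ev)
        if ip is not None and not any(ip in net for net in AUTHORIZED_SOURCES):
            findings.append(("unauthorized_remote_source", who, f"{ev['eventName']} from {ip}"))
        if (ev.get("eventName") == "ConsoleLogin"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append(("console_login_without_mfa", who, ev["eventTime"]))
        if ev.get("eventName") in TRAIL_TAMPERING and not ev.get("errorCode"):
            findings.append(("audit_trail_modified", who, ev["eventName"]))
        if ev.get("errorCode") in ("AccessDenied", "Client.UnauthorizedOperation"):
            denied[who] += 1
    for who, n in denied.items():
        if n >= ACCESS_DENIED_THRESHOLD:
            findings.append(("repeated_access_denied", who, f"{n} denied calls"))
    return findings


def summarize(findings) -> dict:
    """Findings per rule: the metric a continuous-monitoring report would carry."""
    return dict(Counter(rule for rule, _, _ in findings))


# Constructed sample records in CloudTrail's JSON shape (one event per line).
SAMPLE_RECORDS = [json.loads(line) for line in """
{"eventTime":"2024-06-01T08:00:12Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.10","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventTime":"2024-06-01T08:05:40Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2024-06-01T08:06:01Z","eventName":"ListBuckets","eventSource":"s3.amazonaws.com","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7","errorCode":"AccessDenied"}
{"eventTime":"2024-06-01T08:06:03Z","eventName":"ListUsers","eventSource":"iam.amazonaws.com","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7","errorCode":"AccessDenied"}
{"eventTime":"2024-06-01T08:06:05Z","eventName":"GetSecretValue","eventSource":"secretsmanager.amazonaws.com","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7","errorCode":"AccessDenied"}
{"eventTime":"2024-06-01T08:07:30Z","eventName":"StopLogging","eventSource":"cloudtrail.amazonaws.com","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2024-06-01T08:10:00Z","eventName":"PutObject","eventSource":"s3.amazonaws.com","userIdentity":{"type":"AWSService","invokedBy":"config.amazonaws.com"},"sourceIPAddress":"config.amazonaws.com"}
""".strip().splitlines()]

if __name__ == "__main__":
    for rule, who, detail in review(SAMPLE_RECORDS):
        print(f"{rule:<28} {who:<8} {detail}")
    print(summarize(review(SAMPLE_RECORDS)))
```

In the sample, alice's login from an authorized range with MFA produces nothing, while bob's session from an unlisted address trips every rule, including the StopLogging call that would have blinded the review had it gone unnoticed. The service-originated PutObject is skipped on purpose: treating a service DNS name as an unauthorized client would bury the review in noise, which is why remote_client returns None for it.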

Category Subcategory Informative References AWS Services/Resources NIST 800-53 Controls Alignment AWS Responsibility

Category: Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.
Subcategory: RS.RP-1: Response plan is executed during or after an event
Informative References:
· CIS CSC 19
· COBIT 5 APO12.06, BAI01.10
· ISA 62443-2-1:2009 4.3.4.5.1
· ISO/IEC 27001:2013 A.16.1.5
· NIST SP 800-53 Rev. 4 CP-2, CP-10, IR-4, IR-8
AWS Services/Resources: AWS Artifact, AWS Best Practices, AWS Reference Architectures, CloudFormation, AWS Lambda, Amazon SNS, Amazon SES, AWS Cloudwatch, AWS CloudTrail, VPC Flowlogs, AWS Config, AWS Organizations, AWS Firewall Manager, AWS PrivateLink, AWS Systems Manager, AWS OpsWorks, Amazon Macie, AWS Managed Services, AWS IoT Defender
NIST 800-53 Controls Alignment: CP-10, CP-2, IR-4, IR-8
AWS Responsibility:
CP-10: The AWS business continuity plan details the three-phased approach that AWS has developed to recover and reconstitute the AWS infrastructure:
• Activation and Notification Phase
• Recovery Phase
• Reconstitution Phase
This approach ensures that AWS performs system recovery and reconstitution efforts in a methodical sequence, maximizing the effectiveness of the recovery and reconstitution efforts and minimizing system outage time due to errors and omissions.
AWS maintains a ubiquitous security control environment across all regions. Each data center is built to physical, environmental, and security standards in an active-active configuration, employing an n+1 redundancy model to ensure system availability in the event of component failure. Components (N) have at least one independent backup component (+1), so the backup component is active in the operation even if all other components are fully functional. In order to eliminate single points of failure, this model is applied throughout AWS, including network and data center implementation. All data centers are online and serving traffic; no data center is “cold.” In case of failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.

CP-2: The AWS Business Continuity policy lays out the guidelines used to implement procedures to respond to a serious outage or degradation of AWS services, including the recovery model and its implications on the business continuity plan.

IR-4: AWS will notify customers of a security breach in accordance with the terms outlined in the service agreement with AWS. AWS’s commitment to all AWS customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any customer data (i.e., any personal data that is uploaded to a customer’s AWS account) on AWS’s equipment or in AWS’s facilities and this unlawful or unauthorized access results in loss, disclosure, or alteration of customer data, AWS will promptly notify the customer and take reasonable steps to reduce the effects of this security incident.
Refer to the following AWS Audit Reports for additional details: PCI 3.2, ISO 27001, ISO 27017, NIST 800-53, SOC 2 COMMON CRITERIA
AWS defines, administers, and monitors security for the underlying cloud infrastructure (i.e., the hardware, the facilities housing the hardware, and the network infrastructure). Because AWS manages the infrastructure and the security controls that apply to it, AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would be unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control and this incident results in loss, disclosure, or alteration of customer content, AWS will promptly notify the customer. AWS does this regardless of whether the customer’s content is sensitive or not, because AWS does not know what the customer content is and protects all customer content in the same robust way.

IR-8: AWS has implemented a formal, documented incident response policy and program. The policy addresses purpose, scope, roles, responsibilities, and management commitment. AWS uses a three-phased approach to manage incidents:
1. Activation and Notification Phase – Incidents for AWS begin with the detection of an event. Events originate from several sources such as:
• Metrics and alarms – AWS maintains an exceptional situational awareness capability; most issues are rapidly detected from 24x7x365 monitoring and alarming of real time metrics and service dashboards. The majority of incidents are detected in this manner. AWS uses early indicator alarms to proactively identify issues that may ultimately impact customers.
• Trouble tickets entered by an AWS employee.
• Calls to the 24x7x365 technical support hotline.
If the event meets incident criteria, the relevant on-call support engineer uses AWS’s event management tool system to start an engagement and page relevant program resolvers (e.g., AWS Security). The resolvers will perform an analysis of the incident to determine if additional resolvers should be engaged and to determine the approximate root cause.
2. Recovery Phase – The relevant resolvers will perform break fix to address the incident. After addressing troubleshooting, break fix and affected components, the call leader will assign follow-up documentation and follow-up actions and end the call

Category: Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
Subcategory: RS.CO-1: Personnel know their roles and order of operations when a response is needed
Informative References:
· CIS CSC 19
· COBIT 5 EDM03.02, APO01.02, APO12.03
· ISA 62443-2-1:2009 4.3.4.5.2, 4.3.4.5.3, 4.3.4.5.4
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2, A.16.1.1
· NIST SP 800-53 Rev. 4 CP-2, CP-3, IR-3, IR-8
AWS Services/Resources: AWS Artifact, AWS Best Practices, AWS Reference Architectures, AWS IAM, AWS Config, ConfigRules, Cloud Watch, CloudTrail, CloudFormation, Lambda, Amazon SNS, Amazon SES.
NIST 800-53 Controls Alignment: CP-2
AWS Responsibility:
CP-2: The AWS Business Continuity policy lays out the guidelines used to implement procedures to respond to a serious outage or degradation of AWS services, including the recovery model and its implications on the business continuity plan.
Refer to the following AWS Audit Reports for additional details: PCI 3.2, ISO 27001, ISO 27017, NIST 800-53, SOC 2 COMMON CRITERIA
engagement.
3. Reconstitution Phase – The call leader will declare the recovery phase complete
after the relevant fix activities have been addressed. The post mortem and deep root
cause analysis of the incident will be assigned to the relevant team. The results of
CP-3 the post
AWS testsmortemthe business will be continuity
reviewed by plan relevant
and itssenior associated managementprocedures andatactions
least and
IR-3 captured
annually
AWS hasto inimplemented
a Correction
ensure aof
effectiveness Errorsof
formal, (COE)
the plan
documented document
and andresponse
tracked to
the organizational
incident completion.
readiness
policy and to
To ensure
execute
program. the the
The plan. effectiveness
policy Testing addresses of the
consists AWS
of
purpose, incidentroles,
engagement
scope, response thatplan,
drillsresponsibilities,
execute AWS conducts
onandactivities
IR-8 AWS
incident
that hasresponse
would implemented
becommitment.
performedtesting. a informal,
Thisan actual documented
testing provides
outage. incident
AWS excellent response
documents coverage thepolicy
for theanddiscovery
results, including
management
program. The unknownpolicy addresses purpose, scope, roles, responsibilities, and
RS.CO-2: Events are reported · CIS CSC 19 AU-6 of previously
AWS
lessons
AWS deploys
useslearned monitoring
and any
a three-phased defects
devices
corrective
approach andthroughout
failure
actions
to manage modes.
that the
were environment
Incompleted.
incidents: addition, it
toallows
collect the
critical
AWS
consistent with established · COBIT 5 DSS01.03 management
Security
information andon commitment.
serviceunauthorizedteams tointrusion test the–systems
attempts, forusagepotentialabuse, customer
andwith network
impact andand
1.
AWS Activation
uses and
abandwidth
three-phased Notification approachPhase Incidents
to manage for AWS begin the detection
criteria · ISA 62443-2-1:2009 4.3.4.5.5 further
application
of prepare
an event. Events stafforiginate
to usage.
handle Monitoring
incidents
from several such
devicesasincidents:
sources detection
are
such placed
as:and within
analysis, the AWS
· ISO/IEC 27001:2013 A.6.1.3, A.16.1.2 1.
containment, Activation and Notification Phase – Incidents for AWS begin with the detection
•environment
of Metrics
an event.
to
eradication,
andEvents detect–and
alarms AWS
originate
and
monitorrecovery,
maintains
from
for: an
several
andexceptional
post-incident
sources such
activities.
situational
as: awareness
· NIST SP 800-53 Rev. 4 AU-6, IR-6, IR-8 •The Portincident
scanning attacks
response test
are plan is executed annually, in conjunction withand the
•capability;
•incident Metrics
Usage (CPU, andmost alarms issues – AWS rapidly
maintains detected an from 24x7x365
exceptional monitoring
situational awareness
alarming
capability; realProcesses,
response
ofmost plan.
time
issues
Thedisk
metrics test
are rapidly and utilization,
planserviceincludes
detected
swap
dashboards. rates, The
multiple
from 24x7x365
and errors
scenarios,
majority
monitoring
inpotential
software
of incidents
and
vectors are
of attack,inand
generated
detected loss)the inclusion of the systems integrator in reporting and coordination
alarming
•(when Application ofthis
real
applicable),
manner.
time
performance as metrics
AWS
well impact
as and
metrics
usesservice
varying
early indicator
dashboards.
reporting/detection
alarms to
Theavenues proactively
majority identify
of incidents
(i.e. customer are
issues
detected that in may ultimately
this connection
manner. AWS usescustomers.
early indicator alarms to proactively identify
••reporting/detecting,
issues
Unauthorized
Trouble that tickets
may entered
ultimately
AWS byreporting/detecting).
attempts
an AWS
impact employee.
customers.
AWS Callsprovides
incident management
near real-time planning,
alerts when testing,
the AWS and test monitoring
results aretools reviewed
show by third-
••indications
party Trouble to the
tickets 24x7x365 enteredtechnical byoranpotential
AWS support employee.hotline.
•If the auditors.
Calls event of compromise
to themeets 24x7x365 incident criteria,support
technical
compromise,
the relevant hotline. on-call basedsupportuponengineer
threshold alarming
uses
mechanisms
AWS’s event determined
management by tool
AWS service
system to and
startSecurity
an engagementteams. and page relevant
If
External the event accessmeets to incident
data criteria, the relevant on-call support logsengineer usesfor at
program
AWS’s resolvers
event management (e.g.,storedAWS tool
in Amazon
Security).
system to
S3 isresolvers
The
start
logged.
an engagement
The perform
will and
are an retained
page analysis
relevantof
leastincident
the 90 daystoand include if
determine relevant
additional access requestshould
resolvers information be engaged such as and thetodata
determine
program
accessor resolvers
IP address, (e.g., AWS Security). The resolvers will perform an analysis of
the
the approximate
incident rootobject,cause. and operation.
AllRecovery
2. requests to to
Phase
determine
KMS – The
if additionalavailable
are logged
relevantand
resolversinshould
resolvers will the AWS
perform
be engaged
account’s
break
and to determine
fix to AWS address the
the
CloudTrail approximate bucket root cause.
in Amazon S3. The logged requests provide information about
incident.
2. Recovery After Phase addressing
– The troubleshooting,
relevant resolvers break
will fix and
perform affected
break fixcomponents,
address thethe
toinformation
who
call leaderAfter made the request
will assign follow-up and under which CMK
documentation and and will also
follow-up describe
actions and end the
incident.
about the AWSaddressing resource that troubleshooting,
was protected break through fixtheanduse affected
of the components,
CMK. These the log
call leader
call engagement. will assign
events
3. Reconstitution are visible to thefollow-up
customerdocumentation
after turning on and AWS follow-up
CloudTrail actions and end the
in their
call
account. engagement. Phase – The call leader will declare the recovery phase complete
after
3. the relevant fix
Reconstitution Phase activities
– The call haveleader been addressed.
will declareThe thepost mortem
recovery phase andcomplete
deep root
causethe
after analysis
relevant of the incident will
fix activities havebebeen assignedaddressed. to the The relevant post team.
mortem The and results
deep of root
the post
cause mortem
analysis ofwill be reviewed
the incident will by be relevant
assignedsenior to the management
relevant team.and The actions
resultsand of
IR-6 captured
the
AWS post in a Correction
mortem
employees will
are trained of Errors
be reviewed on how (COE)
by relevant
to document
recognize senior and tracked
management
suspected security toand completion.
actions and
incidents
To ensure
captured
where to in the
report effectiveness
a Correction
them. When of of
Errors the AWS
appropriate,(COE)incident document
incidents response
andreported
are plan, to
tracked AWS
to conducts
completion.
relevant
IR-8 AWS
incident has implemented
response a
testing. This formal, documented
testing provides incident
excellent response
coverage policy and
for conducts
the at discovery
To
authorities.
program. ensure the
The AWS effectiveness
policy maintains
addresses of
thethe AWS AWS
purpose, incident
Security
scope, response
Bulletin
roles, plan, AWS
webpage,
responsibilities, locatedand
RS.CO-3: Information is · CIS CSC 19 AWS Artifact, AWS Best Practices, AWS Reference CA-2 Thepreviously
of
incident AWS Compliance
response unknown
https://aws.amazon.com/security/security-bulletins, testing. Assessment
defects
This testing Team
and failure (CAT)
provides modes. maintains
Intoaddition,
excellent a customers
documented
coverage
notify it allows
for the the audit
AWS
ofdiscovery
security
shared consistent with response · COBIT 5 DSS03.04 Architectures, AWS IAM, AWS Cloudwatch, AWS management
Security
schedule and commitment.
of internal
service and
teams external
toAWStest assessments
the systems to
forensure
potential implementation
customer impact
andAWS and
of
and
AWS previously
privacy unknown
a events affectingdefects and failure
Cloud modes.
services. In addition,
Customers it allows
can subscribe the to the
plans · ISA 62443-2-1:2009 4.3.4.5.2 CloudTrail, VPC Flowlogs, AWS Config, AWS furtheruses
operating
Security
security prepare
and
bulletin
three-phased
effectiveness
servicestaff
RSS to
teams of approach
handle
feed the AWS
incidents
to keep
to test the
to
abreast
manage
control such
systems
incidents:
ofenvironment
asfor detection
security potential to
and meetanalysis,
customer
announcements business,
impact
on the and
AWS
· ISO/IEC 27001:2013 A.16.1.2, Clause 7.4, Clause Organizations, AWS Firewall Manager, AWS Systems 1.
containment,
regulatory, Activation and and
eradication,Notification
contractual and Phase
objectives.
recovery, – Incidents
and for
post-incident AWS begin
activities. with the detection
further
Security
of an prepare
event.BulletinEvents staff to handle
webpage.
originate The incidents
from customer
several such
supportas detection
sources team
such and
maintains
as: analysis,
a Service Health
16.1.2 Manager, AWS OpsWorks, Amazon Macie, AWS The
containment, incident
needs and response
expectations
eradication, testand planofatrecovery,
internal
is executed and annually,
external
andexceptional
post-incident parties
in conjunction
are considered
activities. with the
· NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-4, IR-8, Managed Services, AWS IoT Defender, AWS •Dashboard
incident
throughout Metricsresponseand webpage,
the alarms
development,
plan. –located
AWS
The test
http://status.aws.amazon.com/,
maintains
implementation,
plan an
includes multiple
and situational
auditingscenarios,
of the
to alert
awareness
potential
AWS
customers
control
vectors
to
The broadly
any
capability; incident response
impacting
most issues test
are plan
availability
rapidly is executed
issues. annually,
detected from to: in conjunction
24x7x365 monitoring withand the
PE-6, RA-5, SI-4 CloudFormation, AWS Lambda, Amazon SNS, of
environment.
incident
In attack,
the event and
response Parties
the
of antime inclusion
plan. include,
incident, TheAWS of
testbut
the are
plansystems
requiresnot
includeslimited
integrator
that multiple
AWS Securityin reporting
scenarios, and/or and coordination
potential vectors
Amazon SES, Amazon Athena, Amazon GuardDuty, alarming
(when
 of real metrics and service dashboards. The majority ofaffected
incidents are
of AWS
service
detected attack,applicable),
customers,
inand
team the
conduct
this manner.
asincluding
inclusionawell
post
AWS
as
of varying
customers
the
usessystems
mortem toreporting/detection
early
with a contractual
integrator
determine
indicator the in avenues
interest
reporting
cause
alarms
(i.e.
and
toofproactively
incident, and customer
potential
coordination
as well as to
identify
Amazon S3, AWS WAF, Amazon Machine Learning, reporting/detecting,
customers.
(when that
document applicable),
lessons AWS
as well impact
learned. reporting/detecting).
as varying reporting/detection avenues (i.e. customer
Amazon Inspector, Amazon SageMaker, Amazon issues
AWS
 External
incident may
parties ultimately
managementtoAWS AWS, planning,
including customers.
testing,
regulatory andbodiestest resultssuch are as the reviewed
externalby third-
Pinpoint •reporting/detecting,
auditors
party Trouble tickets
and
auditors. certifying entered byreporting/detecting).
agents. an AWS employee.
•AWS
 Calls incident
Internal to the parties
management
24x7x365 such as technicalplanning,
AWS services support testing,
hotline.
and
and test results are reviewed by third-
infrastructure teams, security, legal,
party
If auditors.
theoverarching
event meetsadministrative incident criteria,
and and the relevant
corporate on-call support engineer uses
teams.
AWS’s event management tool system to start an engagement and page relevant
program resolvers (e.g., AWS Security). The resolvers will perform an analysis of
CA-7 the incident
AWS conducts to determine
monthly monitoring if additional ofresolvers
its security shouldposture be engaged
through aand to determine
continuous risk
CP-2 the approximate
assessment
The AWS Business rootContinuity
and monitoring cause. process. policy Additionally,
lays out the annual guidelines security
used assessments
to implementare
2. Recoveryby
conducted
procedures toPhase
an
respond – The
accredited to arelevant
Third-Party
serious resolvers orwill
outageAssessment perform
degradation break
Organization
of AWS fixservices,
to address
(3PAO) to the
IR-4 AWS
incident. will notify
After customers
addressing of a security
troubleshooting, breach
break infix accordance withcomponents,
the terms the
validate
including
outlined
that
in thethe
implemented
recovery
service model security
agreement and with controls
its implications
AWS.
continue
AWS’s on and
to
the affected
bebusiness
commitment
effective. Security
continuity
to all AWS plan.
IR-8 AWS
call leader
assessments has implemented
will
thatassign include a aformal,
follow-uprisk analysis documented
documentation and a Plan incident
andoffollow-upresponse
Action and policy
actions
Milestonesand end the
and
customers
program. isare
The aspolicy
follows:
PE-6 call engagement.
(POA&M)
Physical
If access alladdresses
submitted
toaware AWS to data purpose,
authorizing
centers officialsscope,
housing roles, responsibilities,
for infrastructure
IT review and approval. and
tocomponents is
3. AWS
management
restricted
becomes
Reconstitution commitment.
to following
authorized Phase data –ofThe anycall
center
unlawful
leader
employees,
or unauthorized
will declare theandaccess
recovery any
phase customer
complete
RA-5 Refer
AWS
data
after (i.e.,
AWS
to the
Security
uses
the anya27017,
relevant
notifies AWS
personal
three-phasedfixNIST
and Audit
coordinates
dataapproach
activities that have
Reports
is uploaded
to
been
withfor
manage to
addressed. avendors,
additional
theincidents:
appropriate
customer’s
The
contractors
details:
service
postAWS mortem
PCI 3.2,
teams
account)
and
whoISO
when
on root
deep
require
27001,
conducting
AWS’s access
ISO
equipment in order
security-related or in toAWS’s
execute
800-53,
activities their
SOC
facilities jobs.
2
within COMMON
and Access
thethis system to facilities
CRITERIA
unlawful boundary.
or is only permitted
Activities
unauthorized access at
SI-4 AWS
1.
cause
controlled deploys
Activation
analysis access andmonitoring
of the Notification
points incident
thatdevices Phase
will
require throughout
–assigned
Incidents
bemulti-factor the
to for environment
the AWS
relevant
authentication begin todesigned
team. collect
with The critical
theresults
detection of
to prevent
include
results
information vulnerability
in loss, disclosure,
ontounauthorized scanning, or contingency
alteration
intrusion of testing,
customer
attempts, usage and
data, incident
AWS
abuse, andwill response
promptly
network notify
RS.CO-4: Coordination with · CIS CSC 19 AWS Artifact, AWS Best Practices, AWS Reference CP-2 of
thean
The
tailgating
exercises.
the
post
AWSevent.
customer
mortem
and
AWS
Events
Business willoriginate
ensure be that
Continuity
performs
reviewed from
only
external
by
policy several
relevant
authorizedlays
vulnerability
sources
out senior
the
individuals such
guidelines
assessments
as:
management
enterof used
atan AWS
least
and dataand
actions
to quarterly,
implement and
center.
and
stakeholders occurs consistent · COBIT 5 DSS03.04 Architectures, AWS Config, Cloud Watch, CloudTrail, application
•captured
procedures
On Metrics
a quarterly and
in a and
bandwidth
to alarms
Correction
respond
basis,
take–reasonable
usage.
AWS
to
access of maintains
Errors
a serious
lists
steps
Monitoring
and(COE)
outage
to reduce
devices
andocument
orexceptional
authorization degradation
the
are effects
andplaced
situational
credentialstracked this
within security
the AWS
awareness
oftopersonnel
of Additionally,
AWS completion.
services, with
identified
incident.
environment
capability; issues
most to are
detect
issues investigated
and monitor
are rapidly and for: tracked
detected to resolution. AWS
with response plans · ISA 62443-2-1:2009 4.3.4.5.5 CloudFormation, Amazon Pinpoint, AWS Lambda, To ensure
including
access
performs to AWS the
the
unannounced
effectiveness
recovery
data model
centers of
are
penetration
the
and AWS
its
reviewed byfrom
incident
implications
tests by
24x7x365
response
on the
the respective
engaging
monitoring
plan,
business
independentdata AWS and Access
conducts
continuity
center Area plan.
· ISO/IEC 27001:2013 Clause 7.4 Amazon SNS, Amazon SES •AWS
alarming
incident
Managers Port defines,
scanning
of real
response
(AAM).
administers,
attacks
time
testing.metrics and
This and monitors
service
testing security
dashboards.
provides for the
excellent majoritythird
Theunderlying
coverage cloud
of
for
parties
incidents
the
toare
discovery
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8 •probe
infrastructure
ofUsage
detected
All
the(CPU,
previously
entrances indefenses
this (i.e.,
to Processes,
manner.
unknownAWSalso
and device
the hardware,
dataAWS disk
defects
configuration
uses
centers, and theearly
utilization, facilities
failure
including swap settings
indicator
modes. housing
therates,
within
alarms
In
main
theto
and
addition,
entrance,
the
hardware,
errors system.
proactively
it the
allows andthe
in software
loading
theAWS
identify
AWS
network
generated
issues Security
that teams
infrastructure).
loss)
may ultimately subscribe
impact to newsfeeds
customers. for applicable vendor flawsdock,and
Security
Refer
and anyto and
the
roof service
following
doors/hatches, teamsAWS toaretest
Audit the
secured systems
Reports with for for potential
additional
intrusion customer
details:
detection PCInew
devices impact
3.2,that
ISO and
sound
proactively
•Because Application
Trouble AWS monitor
tickets manages
performance
enteredvendors’ the
by websites
infrastructure
metrics
an AWS and
employee. other
and the relevant
security outlets
controls for that patches.
apply to it,
further if
27001, prepare
ISO the27017, staff to
isNIST handle800-53, incidents
orSOC such as detection and analysis,
alarms
•AWS customers
Callscan:
Unauthorized
tosecurity
door
the 24x7x365 also
connection
forced
have open
the ability
attempts
technical
held
support to2report
COMMON
open.
hotline. issues to CRITERIA
AWS via the AWS
containment,
Trained eradication,
guards are and recovery,
stationed attheand
the post-incident
building entrance activities.
24/7. If a door or cage
Vulnerability
•The
AWS
If Identify
provides
theincident
event Reporting
potential incidents
nearincidentreal-timewebsite affecting
alerts at http://aws.amazon.com/security/vulnerability-
when infrastructure.
the AWS monitoring tools show
within
•reporting/. Determinea datameets response
ifcenter
any has
access
test criteria,
plan
a malfunctioning
to customer
the
is executed relevant
data
annually,
card
resulted
on-call
reader fromorsupport
in PIN
an padengineer
conjunction
incident. andwith cannotuses
the be
indications
AWS’s
incident electronically,
secured event of compromise
management
response plan. aThe or
tool potential
test plan
security system
guard compromise,
to
includes start
is posted an
multiple based
engagement
at the scenarios, upon
door until and threshold
page
potential alarming
relevant
vectors
it canbebe repaired.
•of
mechanisms
program Determine andif
attack,resolvers access
determined
the (e.g.,
inclusion was byactually
AWS AWS
of unlawful
service
Security).
the systems and
The orresolvers
integratorunauthorized
Security in teams.
will (it would
perform
reporting andancoordination
analysis of
unauthorized
External
the
(when incident access
applicable),toifdetermine
ittowas data
as wellinstored
breach inof
ifasadditional
varying AWS'
Amazon Security
S3 is logged.
resolvers
reporting/detection Policies).
should The
be logs are
engaged
avenues retained
and
(i.e. for at
to determine
customer
If
least
the anapproximate
reporting/detecting,incident
90 days and happens include
root AWS within
cause. relevantAWS’s access
reporting/detecting). sphere requestof knowledge
information andsuch controlas the and datathis
incident
accessor
2.
AWS Recovery results
IP address,
incident Phase in loss,
management– object,
The disclosure,
and
relevant
planning, or alteration
operation.
resolverstesting, will and of customer
perform
test break
results content,
are to AWS
fixreviewedaddress will
bythethird-
promptly
All
incident.
party requests notify
After
auditors. to KMS the customer.
addressing are logged AWS does this
and available
troubleshooting, break regardless
in the and of
fix AWS whether
account’s
affected the
AWS
components,customer's the
content
CloudTrail
call leader is sensitive
bucket
will assign inorAmazon
not,
follow-upbecause AWS
S3.documentation
The loggeddoes requests
notand know what the
provide
follow-up customer
information
actions and end content
aboutthe
is and
who
call protects
made
engagement. all customer
the request and under content which in the CMK same and robust way.describe information
will also
about
3. Reconstitution the AWS resource Phase –that Thewas callprotected
leader will through
declarethe theuse of the CMK.
recovery These log
phase complete
events
after the arerelevant
visible fix to the customer
activities have after
been turning
addressed. on AWS TheCloudTrail
post mortem in and
theirdeep root
account.
cause analysis of the incident will be assigned to the relevant team. The results of
the post mortem will be reviewed by relevant senior management and actions and
captured in a Correction of Errors (COE) document and tracked to completion.
To ensure the effectiveness of the AWS incident response plan, AWS conducts
incident response testing. This testing provides excellent coverage for the discovery
IR-4 AWS
of previously will notify unknown customers defects of aand security
failurebreach modes. in In accordance
addition, with it allows the terms
the AWS
IR-8 outlined
Security
AWS hasin and the
implemented service
service teamsagreement with
to test documented
a formal, AWS. AWS’s
the systems for
incident commitment
potential responsecustomer to impact
policy alland
AWS and
customers
further prepare
program. is aspolicy
The follows:
staff to handle incidents
addresses purpose, such
scope, asroles,
detection and analysis,and
responsibilities,
RS.CO-5: Voluntary · CIS CSC 19 AWS Artifact, AWS Best Practices, AWS Reference PM-15 AWS
If AWS Security
becomes teams aware alsoofand subscribe
anyrecovery,
unlawful to newsfeeds
or unauthorized for applicableaccess vendor
to flaws and
any customer
containment,
management eradication,
commitment. and post-incident activities.
information sharing occurs with · COBIT 5 BAI08.04 Architectures, proactively
data (i.e., monitor vendors’ websites and other relevant outlets
AWSfor new the patches.
external stakeholders to achieve · ISO/IEC 27001:2013 A.6.1.4
The incident
AWS usesany personal
response
a three-phased dataapproach
test that
plan isisexecuted
uploaded
to manage to incidents:
a customer’s
annually, in conjunction account)
with on
AWS’s
incident
1. Activationequipment
response or inThe
plan.
and Notification AWS’s testPhasefacilities
plan –includes and this
Incidents multiple
for unlawful
AWS or unauthorized
scenarios,
begin potential
with access
vectors
the detection
broader cybersecurity · NIST SP 800-53 Rev. 4 SI-5, PM-15 SI-5 results
AWS
of an in loss,
Security
attack, andEvents disclosure,
notifies
the inclusion andorcoordinates
ofalteration
the systems of
withcustomer data,
the appropriate
integrator AWS
in reporting will
service and promptly
teams when
coordination notify
situational awareness of event. originate from several sources such as:
Analysis (RS.AN): Analysis is RS.AN-1: Notifications from · CIS CSC 4, 6, 8, 19 AWS Artifact, AWS Best Practices, AWS Reference AU-6 •the
conducting
(when
AWS customer
Metricsdeploys and and
alarms take
security-related
applicable), monitoring as–wellreasonable
AWS asactivities
varying
maintains
devices steps to
anreduce
within the
reporting/detection
throughout exceptional the
thesystem effects
environment of to
boundary.
avenues
situational thiscollect
security
Activities
(i.e. customer
awareness critical
conducted to ensure adequate detection systems are · COBIT 5 DSS02.04, DSS02.07 Architectures, AWS Config, AWS Cloudwatch, AWS incident.
include
reporting/detecting,
capability;
information vulnerability
most issues
on unauthorized scanning,
AWS rapidly contingency
are reporting/detecting).
intrusion detected attempts, testing,
from andabuse,
24x7x365
usage incident andresponse
monitoring network andand
response and support recovery investigated  · ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8 Lambda, AWS Step Functions, AWS OpsWorks, AWS AWS defines,
exercises.
alarming
application incidentofAWSreal administers,
bandwidth performs
management
time metrics
usage. and
external
and monitors
planning, vulnerability
service
Monitoring security
testing, and
dashboards.
devices for
testthe
assessments
are The
placed underlying
results atare
majority
withinleast cloud
ofquarterly,
reviewed
the AWS and
by third-
incidents are
activities. · ISA 62443-3-3:2013 SR 6.1 Managed Services, AWS CloudFormation infrastructure
identified
party auditors.
detected
environment inissues
thisto(i.e., arethe
manner.
detect hardware,
investigated
and AWS monitor uses the
and facilities
tracked
early
for: tohousing
indicator resolution.
alarms theto hardware,
Additionally,
proactively andidentify
the
AWS
· ISO/IEC 27001:2013 A.12.4.1, A.12.4.3, A.16.1.5 network
•performs
issues that
Port scanninginfrastructure).
unannounced
may attacksultimately penetration
impact customers. tests by engaging independent third parties to
· NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, PE-6, Because
•probe Trouble
Usage AWS
the(CPU,
defenses
tickets manages and device
entered
Processes, the
by infrastructure
diskanconfiguration
AWS employee.
utilization, and
swap the
settings security
rates, within controls
and errors in that
the system. apply to it,
software
SI-4 AWS
• CallsSecurity
generated can:
to theloss) teams also
24x7x365 subscribe
technical to newsfeeds
support hotline. for applicable vendor flaws and
• Application
If Identify
•proactivelythe event potential
monitor
meets
performance incidents
vendors’
incident affecting
websites
criteria,
metrics thethe and infrastructure.
otheron-call
relevant relevant outletsengineer
support for new uses patches.
• Unauthorized
•AWS
AWS’s Determine eventifmanagement
customers any alsoaccess
connection havetothe customer
tool
attempts systemtodata
ability resulted
report
to start issues from
an engagementto AWS an incident.
via
andthe page AWS relevant
• Determine
Vulnerability
program
AWS ifReporting
resolvers
provides access
near(e.g., was
real-timeAWS actually
website at unlawful
Security).
alerts whenThe theorresolvers
AWSunauthorized
http://aws.amazon.com/security/vulnerability- (it would
will perform
monitoring toolsan be
showanalysis of
unauthorized
reporting/.
the
indications incidentof toifcompromise
it was in breach
determine if or of AWS'
additional
potential Security
resolvers
compromise, Policies).
should basedbe engaged
upon threshold and to determine
alarming
If anapproximate
the
mechanisms incidentdeterminedhappens root cause. within
by AWS AWS’s service sphere andofSecurity
knowledge teams. and control and this
incident
2.
External Recovery results
access Phase in
to loss,
– The
data disclosure,
relevant
stored in Amazon or alteration
resolvers S3will of customer
perform
is logged. Thebreakcontent,
logs fix AWS
aretoretained
address willthe at
for
promptly
incident.
least 90 days notify
After and the
addressing customer.
include AWS
troubleshooting,
relevant does request
access this
break regardless
fix and of
AWS Responsibility (continued from the preceding row):
…affected components, the call leader will assign follow-up documentation and follow-up actions and end the call engagement.
3. Reconstitution Phase – The call leader will declare the recovery phase complete after the relevant fix activities have been addressed. The post mortem and deep root cause analysis of the incident will be assigned to the relevant team. The results of the post mortem will be reviewed by relevant senior management, and actions are captured in a Correction of Errors (COE) document and tracked to completion.
To ensure the effectiveness of the AWS incident response plan, AWS conducts incident response testing. This testing provides excellent coverage for the discovery of previously unknown defects and failure modes. In addition, it allows the AWS Security and service teams to test the systems for potential customer impact and further prepare staff to handle incidents such as detection and analysis, containment, eradication, and recovery, and post-incident activities.
The incident response test plan is executed annually, in conjunction with the incident response plan. The test plan includes multiple scenarios, potential vectors of attack, and the inclusion of the systems integrator in reporting and coordination (when applicable), as well as varying reporting/detection avenues (i.e. customer reporting/detecting, AWS reporting/detecting).
AWS incident management planning, testing, and test results are reviewed by third-party auditors.
CA-7 AWS conducts monthly monitoring of its security posture through a continuous risk assessment and monitoring process. Additionally, annual security assessments are conducted by an accredited Third-Party Assessment Organization (3PAO) to validate that implemented security controls continue to be effective. Security assessments that include a risk analysis and a Plan of Action and Milestones (POA&M) are submitted to authorizing officials for review and approval.
IR-4 AWS will notify customers of a security breach in accordance with the terms outlined in the service agreement with AWS. AWS’s commitment to all AWS customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any customer data (i.e., any personal data that is uploaded to a customer’s AWS account) on AWS’s equipment or in AWS’s facilities and this unlawful or unauthorized access results in loss, disclosure, or alteration of customer data, AWS will promptly notify the customer and take reasonable steps to reduce the effects of this security incident.
AWS defines, administers, and monitors security for the underlying cloud infrastructure (i.e., the hardware, the facilities housing the hardware, and the network infrastructure).
Because AWS manages the infrastructure and the security controls that apply to it, AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would be unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control and this incident results in loss, disclosure, or alteration of customer content, AWS will promptly notify the customer. AWS does this regardless of whether the customer's content is sensitive or not, because AWS does not know what the customer content is and protects all customer content in the same robust way.
IR-5 AWS will notify customers of a security breach in accordance with the terms outlined in the service agreement with AWS. AWS’s commitment to all AWS customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any customer data (i.e., any personal data that is uploaded to a customer’s AWS account) on AWS’s equipment or in AWS’s facilities and this unlawful or unauthorized access results in loss, disclosure, or alteration of customer data, AWS will promptly notify the customer and take reasonable steps to reduce the effects of this security incident.
PE-6 Physical access to all AWS data centers housing IT infrastructure components is restricted to authorized data center employees, vendors, and contractors who require access in order to execute their jobs. Access to facilities is permitted at controlled access points that require multi-factor authentication designed to prevent tailgating and to ensure only authorized individuals enter an AWS data center. On a quarterly basis, access lists and authorization credentials of personnel with access to AWS data centers are reviewed by the respective Area Access Managers (AAM). All entrances to AWS data centers, including the main entrance, loading dock, and any roof doors/hatches, are secured with intrusion detection devices that sound alarms if the door is forced open or held open. Trained security guards are stationed at the building entrance 24/7. If a door or cage within a data center has a malfunctioning card reader or PIN pad and cannot be secured electronically, a security guard is posted at the door until it can be repaired.
SI-4 AWS deploys monitoring devices throughout the environment to collect critical information on unauthorized intrusion attempts, usage abuse, and network and application bandwidth usage. Monitoring devices are placed within the AWS environment to detect and monitor for:
• Port scanning attacks
• Usage (CPU, Processes, disk utilization, swap rates, and errors in software generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools show indications of compromise or potential compromise, based upon threshold alarming mechanisms determined by AWS service and Security teams.
External access to data stored in Amazon S3 is logged. The logs are retained for at least 90 days and include relevant access request information such as the data accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s AWS CloudTrail bucket in Amazon S3. The logged requests provide information about who made the request and under which CMK and will also describe information about the AWS resource that was protected through the use of the CMK. These log events are visible to the customer after turning on AWS CloudTrail in their account.

Subcategory: RS.AN-2: The impact of the incident is understood
Informative References:
· COBIT 5 DSS02.02
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
· ISO/IEC 27001:2013 A.16.1.4, A.16.1.6
· NIST SP 800-53 Rev. 4 CP-2, IR-4
AWS Services/Resources: AWS Artifact, AWS Best Practices, AWS Reference Architectures, AWS CloudFormation, AWS Cloudwatch, CloudTrail, VPC Flowlogs, AWS Config, AWS Organizations, AWS Firewall Manager, AWS Systems Manager, AWS OpsWorks, Amazon Macie, AWS Managed Services, AWS IoT Defender, Amazon GuardDuty, Amazon Machine Learning, Amazon SageMaker, AWS WAF, AWS Shield
NIST 800-53 Controls Alignment: CP-2, IR-4
AWS Responsibility:
CP-2 The AWS Business Continuity policy lays out the guidelines used to implement procedures to respond to a serious outage or degradation of AWS services, including the recovery model and its implications on the business continuity plan.
Refer to the following AWS Audit Reports for additional details: PCI 3.2, ISO 27001, ISO 27017, NIST 800-53, SOC 2 COMMON CRITERIA
IR-4 AWS will notify customers of a security breach in accordance with the terms outlined in the service agreement with AWS. AWS’s commitment to all AWS customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any customer data (i.e., any personal data that is uploaded to a customer’s AWS account) on AWS’s equipment or in AWS’s facilities and this unlawful or unauthorized access results in loss, disclosure, or alteration of customer data, AWS will promptly notify the customer and take reasonable steps to reduce the effects of this security incident.
AWS defines, administers, and monitors security for the underlying cloud infrastructure (i.e., the hardware, the facilities housing the hardware, and the network infrastructure).
Because AWS manages the infrastructure and the security controls that apply to it, AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would be unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control and this incident results in loss, disclosure, or alteration of customer content, AWS will promptly notify the customer. AWS does this regardless of whether the customer's content is sensitive or not, because AWS does not know what the customer content is and protects all customer content in the same robust way.

Subcategory: RS.AN-3: Forensics are performed
Informative References:
· COBIT 5 APO12.06, DSS03.02, DSS05.07
· ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1
· ISO/IEC 27001:2013 A.16.1.7
· NIST SP 800-53 Rev. 4 AU-7, IR-4
AWS Services/Resources: AWS Artifact, AWS Best Practices, AWS Reference Architectures, AWS IAM, AWS CloudFormation, AWS Cloudwatch, CloudTrail, VPC Flowlogs, Amazon Macie, AWS Managed Services, AWS Lambda, VPC, AWS IoT Defender, Amazon GuardDuty, Amazon Machine Learning, Amazon SageMaker, AWS WAF, AWS KMS, AWS CloudHSM, Amazon WorkSpaces
NIST 800-53 Controls Alignment: AU-7, IR-4
AWS Responsibility:
AU-7 AWS deploys monitoring devices throughout the environment to collect critical information on unauthorized intrusion attempts, usage abuse, and network and application bandwidth usage. Monitoring devices are placed within the AWS environment to detect and monitor for:
• Port scanning attacks
• Usage (CPU, Processes, disk utilization, swap rates, and errors in software generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools show indications of compromise or potential compromise, based upon threshold alarming mechanisms determined by AWS service and Security teams.
External access to data stored in Amazon S3 is logged. The logs are retained for at least 90 days and include relevant access request information such as the data accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s AWS CloudTrail bucket in Amazon S3. The logged requests provide information about who made the request and under which CMK and will also describe information about the AWS resource that was protected through the use of the CMK. These log events are visible to the customer after turning on AWS CloudTrail in their account.
IR-4 AWS will notify customers of a security breach in accordance with the terms outlined in the service agreement with AWS. AWS’s commitment to all AWS customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any customer data (i.e., any personal data that is uploaded to a customer’s AWS account) on AWS’s equipment or in AWS’s facilities and this unlawful or unauthorized access results in loss, disclosure, or alteration of customer data, AWS will promptly notify the customer and take reasonable steps to reduce the effects of this security incident.
AWS defines, administers, and monitors security for the underlying cloud infrastructure (i.e., the hardware, the facilities housing the hardware, and the network infrastructure).
Because AWS manages the infrastructure and the security controls that apply to it, AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would be unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control and this incident results in loss, disclosure, or alteration of customer content, AWS will promptly notify the customer. AWS does this regardless of whether the customer's content is sensitive or not, because AWS does not know what the customer content is and protects all customer content in the same robust way.
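Added example, not part of the AWS document: the RS.AN-3 text states that CloudTrail records of KMS calls show who made the request, under which CMK, and which AWS resource was protected. The Python below parses constructed CloudTrail-style records (field names follow the CloudTrail record format; the account ID, key ID, ARNs and the principal allow-list are placeholders and assumptions) to pull those fields out and to flag KMS calls from principals outside the allow-list an analyst supplies.

```python
import json
from collections import Counter
from typing import Dict, List

# Constructed CloudTrail-style records, not real log output. Field names
# (eventSource, eventName, userIdentity.arn, requestParameters.encryptionContext,
# resources[].ARN) follow the CloudTrail record format; all values are placeholders.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"},
     "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::example-bucket/report.csv"}},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111"}]},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::example-bucket/report.csv"}},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111"}]},
    # A non-KMS record, included to show the filter ignores other services.
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"},
     "requestParameters": {"bucketName": "example-bucket", "key": "report.csv"},
     "resources": []},
]})


def kms_events(trail_json: str) -> List[Dict[str, str]]:
    """Extract every KMS API call: who made it, under which CMK, and for which
    resource (taken from the encryption context, when the caller supplied one)."""
    rows = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        ctx = (rec.get("requestParameters") or {}).get("encryptionContext") or {}
        cmks = [r["ARN"] for r in rec.get("resources", []) if "ARN" in r]
        rows.append({
            "time": rec["eventTime"],
            "action": rec["eventName"],
            "principal": rec["userIdentity"].get("arn", "<unknown>"),
            "source_ip": rec.get("sourceIPAddress", "<unknown>"),
            "cmk": cmks[0] if cmks else "<none>",
            # S3 SSE-KMS puts the object ARN here; other services use other keys.
            "protected_resource": ctx.get("aws:s3:arn")
            or ", ".join(f"{k}={v}" for k, v in ctx.items()) or "<none>",
        })
    return rows


def flag_unexpected(rows: List[Dict[str, str]], allowed_prefixes: List[str]) -> List[Dict[str, str]]:
    """Return KMS calls whose principal ARN matches none of the allowed prefixes.
    The allow-list is an assumption the analyst supplies for the account."""
    return [r for r in rows
            if not any(r["principal"].startswith(p) for p in allowed_prefixes)]


def calls_per_cmk(rows: List[Dict[str, str]]) -> Dict[str, int]:
    """Count KMS calls per CMK, to scope which keys an incident touched."""
    return dict(Counter(r["cmk"] for r in rows))


if __name__ == "__main__":
    events = kms_events(SAMPLE_TRAIL)
    for event in events:
        print(event)
    print("unexpected:", flag_unexpected(events, ["arn:aws:sts::123456789012:assumed-role/app-role/"]))
    print("per CMK:", calls_per_cmk(events))
```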

Subcategory: RS.AN-4: Incidents are categorized consistent with response plans
Informative References:
· CIS CSC 19
· COBIT 5 DSS02.02
· ISA 62443-2-1:2009 4.3.4.5.6
· ISO/IEC 27001:2013 A.16.1.4
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-5, IR-8
AWS Services/Resources: AWS Artifact, AWS Best Practices, AWS Reference Architectures, AWS Cloudwatch, Amazon Macie, AWS Managed Services, AWS Lambda, AWS IoT Defender, Amazon GuardDuty, Amazon Machine Learning, Amazon SageMaker, AWS WAF
NIST 800-53 Controls Alignment: CP-2, IR-4, IR-5, IR-8
AWS Responsibility:
CP-2 The AWS Business Continuity policy lays out the guidelines used to implement procedures to respond to a serious outage or degradation of AWS services, including the recovery model and its implications on the business continuity plan.
Refer to the following AWS Audit Reports for additional details: PCI 3.2, ISO 27001, ISO 27017, NIST 800-53, SOC 2 COMMON CRITERIA
IR-4 AWS will notify customers of a security breach in accordance with the terms outlined in the service agreement with AWS. AWS’s commitment to all AWS customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any customer data (i.e., any personal data that is uploaded to a customer’s AWS account) on AWS’s equipment or in AWS’s facilities and this unlawful or unauthorized access results in loss, disclosure, or alteration of customer data, AWS will promptly notify the customer and take reasonable steps to reduce the effects of this security incident.
AWS defines, administers, and monitors security for the underlying cloud infrastructure (i.e., the hardware, the facilities housing the hardware, and the network infrastructure).
Because AWS manages the infrastructure and the security controls that apply to it, AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would be unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control and this incident results in loss, disclosure, or alteration of customer content, AWS will promptly notify the customer. AWS does this regardless of whether the customer's content is sensitive or not, because AWS does not know what the customer content is and protects all customer content in the same robust way.
IR-5 AWS will notify customers of a security breach in accordance with the terms outlined in the service agreement with AWS. AWS’s commitment to all AWS customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any customer data (i.e., any personal data that is uploaded to a customer’s AWS account) on AWS’s equipment or in AWS’s facilities and this unlawful or unauthorized access results in loss, disclosure, or alteration of customer data, AWS will promptly notify the customer and take reasonable steps to reduce the effects of this security incident.
AWS defines, administers, and monitors security for the underlying cloud infrastructure (i.e., the hardware, the facilities housing the hardware, and the network infrastructure).
Because AWS manages the infrastructure and the security controls that apply to it, AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would be unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control and this incident results in loss, disclosure, or alteration of customer content, AWS will promptly notify the customer. AWS does this regardless of whether the customer's content is sensitive or not, because AWS does not know what the customer content is and protects all customer content in the same robust way.
IR-8 AWS has implemented a formal, documented incident response policy and program. The policy addresses purpose, scope, roles, responsibilities, and management commitment.
AWS uses a three-phased approach to manage incidents:
1. Activation and Notification Phase – Incidents for AWS begin with the detection of an event. Events originate from several sources such as:
• Metrics and alarms – AWS maintains an exceptional situational awareness capability; most issues are rapidly detected from 24x7x365 monitoring and alarming of real time metrics and service dashboards. The majority of incidents are detected in this manner. AWS uses early indicator alarms to proactively identify issues that may ultimately impact customers.
• Trouble tickets entered by an AWS employee.
• Calls to the 24x7x365 technical support hotline.
If the event meets incident criteria, the relevant on-call support engineer uses AWS’s event management tool system to start an engagement and page relevant program resolvers (e.g., AWS Security). The resolvers will perform an analysis of the incident to determine if additional resolvers should be engaged and to determine the approximate root cause.
2. Recovery Phase – The relevant resolvers will perform break fix to address the incident. After addressing troubleshooting, break fix and affected components, the call leader will assign follow-up documentation and follow-up actions and end the call engagement.
3. Reconstitution Phase – The call leader will declare the recovery phase complete after the relevant fix activities have been addressed. The post mortem and deep root cause analysis of the incident will be assigned to the relevant team. The results of the post mortem will be reviewed by relevant senior management, and actions are captured in a Correction of Errors (COE) document and tracked to completion.
To ensure the effectiveness of the AWS incident response plan, AWS conducts incident response testing. This testing provides excellent coverage for the discovery of previously unknown defects and failure modes. In addition, it allows the AWS Security and service teams to test the systems for potential customer impact and further prepare staff to handle incidents such as detection and analysis, containment, eradication, and recovery, and post-incident activities.
The incident response test plan is executed annually, in conjunction with the incident response plan. The test plan includes multiple scenarios, potential vectors of attack, and the inclusion of the systems integrator in reporting and coordination (when applicable), as well as varying reporting/detection avenues (i.e. customer reporting/detecting, AWS reporting/detecting).
AWS incident management planning, testing, and test results are reviewed by third-party auditors.
Subcategory: RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)
Informative References:
· CIS CSC 4, 19
· COBIT 5 EDM03.02, DSS05.07
· NIST SP 800-53 Rev. 4 SI-5, PM-15
AWS Services/Resources: AWS Artifact, AWS Best Practices, AWS Reference Architectures, Amazon S3, AWS Managed Services, AWS Lambda, AWS IoT Defender, Amazon GuardDuty, Amazon Macie, AWS OpsWorks, AWS CloudFormation, Amazon Inspector, Amazon Machine Learning, Amazon SageMaker, AWS WAF, Amazon SNS, Amazon SES, Amazon WorkMail
NIST 800-53 Controls Alignment: SI-5, PM-15
AWS Responsibility:
SI-5 AWS Security notifies and coordinates with the appropriate service teams when conducting security-related activities within the system boundary. Activities include vulnerability scanning, contingency testing, and incident response exercises. AWS performs external vulnerability assessments at least quarterly, and identified issues are investigated and tracked to resolution. Additionally, AWS performs unannounced penetration tests by engaging independent third parties to probe the defenses and device configuration settings within the system.
PM-15 AWS Security teams also subscribe to newsfeeds for applicable vendor flaws and proactively monitor vendors’ websites and other relevant outlets for new patches.
AWS customers also have the ability to report issues to AWS via the AWS Vulnerability Reporting website at http://aws.amazon.com/security/vulnerability-reporting/.

Category: Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
Subcategory: RS.MI-1: Incidents are contained
Informative References:
· CIS CSC 19
· COBIT 5 APO12.06
· ISA 62443-2-1:2009 4.3.4.5.6
· ISA 62443-3-3:2013 SR 5.1, SR 5.2, SR 5.4
· ISO/IEC 27001:2013 A.12.2.1, A.16.1.5
· NIST SP 800-53 Rev. 4 IR-4
AWS Services/Resources: AWS Artifact, AWS Best Practices, AWS Reference Architectures, AWS CloudFormation, AWS Lambda, Amazon SNS, Amazon SES, AWS Cloudwatch, AWS CloudTrail, Amazon VPC, Security Groups, NACLS, AWS Config, AWS Organizations, AWS Firewall Manager, AWS PrivateLink, AWS Systems Manager, AWS OpsWorks, Amazon Macie, AWS Managed Services, AWS IoT Defender
NIST 800-53 Controls Alignment: IR-4
AWS Responsibility:
IR-4 AWS will notify customers of a security breach in accordance with the terms outlined in the service agreement with AWS. AWS’s commitment to all AWS customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any customer data (i.e., any personal data that is uploaded to a customer’s AWS account) on AWS’s equipment or in AWS’s facilities and this unlawful or unauthorized access results in loss, disclosure, or alteration of customer data, AWS will promptly notify the customer and take reasonable steps to reduce the effects of this security incident.
AWS defines, administers, and monitors security for the underlying cloud infrastructure (i.e., the hardware, the facilities housing the hardware, and the network infrastructure).
Because AWS manages the infrastructure and the security controls that apply to it, AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would be unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control and this incident results in loss, disclosure, or alteration of customer content, AWS will promptly notify the customer. AWS does this regardless of whether the customer's content is sensitive or not, because AWS does not know what the customer content is and protects all customer content in the same robust way.

Subcategory: RS.MI-2: Incidents are mitigated
Informative References:
· CIS CSC 4, 19
· COBIT 5 APO12.06
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.10
· ISO/IEC 27001:2013 A.12.2.1, A.16.1.5
· NIST SP 800-53 Rev. 4 IR-4
AWS Services/Resources: AWS Artifact, AWS Best Practices, AWS Reference Architectures, AWS CloudFormation, AWS Lambda, AWS Cloudwatch, AWS CloudTrail, AWS Config, AWS Systems Manager, AWS OpsWorks, Amazon Macie, AWS Managed Services, AWS IoT Defender
NIST 800-53 Controls Alignment: IR-4
AWS Responsibility:
IR-4 AWS will notify customers of a security breach in accordance with the terms outlined in the service agreement with AWS. AWS’s commitment to all AWS customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any customer data (i.e., any personal data that is uploaded to a customer’s AWS account) on AWS’s equipment or in AWS’s facilities and this unlawful or unauthorized access results in loss, disclosure, or alteration of customer data, AWS will promptly notify the customer and take reasonable steps to reduce the effects of this security incident.
AWS defines, administers, and monitors security for the underlying cloud infrastructure (i.e., the hardware, the facilities housing the hardware, and the network infrastructure).
Because AWS manages the infrastructure and the security controls that apply to it, AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would be unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control and this incident results in loss, disclosure, or alteration of customer content, AWS will promptly notify the customer. AWS does this regardless of whether the customer's content is sensitive or not, because AWS does not know what the customer content is and protects all customer content in the same robust way.

Subcategory: RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks
Informative References:
· CIS CSC 4
· COBIT 5 APO12.06
· ISO/IEC 27001:2013 A.12.6.1
· NIST SP 800-53 Rev. 4 CA-7, RA-3, RA-5
AWS Services/Resources: AWS Artifact, AWS Best Practices, AWS Reference Architectures, AWS Managed Services, AWS Lambda, AWS IoT Defender, Amazon GuardDuty, Amazon Macie, Amazon Inspector, Amazon Machine Learning, Amazon SageMaker, AWS WAF
NIST 800-53 Controls Alignment: CA-7, RA-3, RA-5
AWS Responsibility:
CA-7 AWS conducts monthly monitoring of its security posture through a continuous risk assessment and monitoring process. Additionally, annual security assessments are conducted by an accredited Third-Party Assessment Organization (3PAO) to validate that implemented security controls continue to be effective. Security assessments that include a risk analysis and a Plan of Action and Milestones (POA&M) are submitted to authorizing officials for review and approval.
RA-3 AWS performs a continuous risk assessment process to identify, evaluate and mitigate risks across the company. The process involves developing and implementing risk treatment plans to mitigate risks as necessary. The AWS risk management team monitors and escalates risks on a continuous basis, performing risk assessments on newly implemented controls at least every six months.
RA-5 AWS Security notifies and coordinates with the appropriate service teams when conducting security-related activities within the system boundary. Activities include vulnerability scanning, contingency testing, and incident response exercises. AWS performs external vulnerability assessments at least quarterly, and identified issues are investigated and tracked to resolution. Additionally, AWS performs unannounced penetration tests by engaging independent third parties to probe the defenses and device configuration settings within the system.
AWS Security teams also subscribe to newsfeeds for applicable vendor flaws and proactively monitor vendors’ websites and other relevant outlets for new patches.
AWS customers also have the ability to report issues to AWS via the AWS Vulnerability Reporting website at http://aws.amazon.com/security/vulnerability-reporting/.
Category: Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
Subcategory: RS.IM-1: Response plans incorporate lessons learned
Informative References:
· COBIT 5 BAI01.13
· ISA 62443-2-1:2009 4.3.4.5.10, 4.4.3.4
· ISO/IEC 27001:2013 A.16.1.6, Clause 10
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
AWS Services/Resources: AWS Artifact, AWS Best Practices, AWS Reference Architectures
NIST 800-53 Controls Alignment: CP-2, IR-4, IR-8
AWS Responsibility:
CP-2 The AWS Business Continuity policy lays out the guidelines used to implement procedures to respond to a serious outage or degradation of AWS services, including the recovery model and its implications on the business continuity plan.
Refer to the following AWS Audit Reports for additional details: PCI 3.2, ISO 27001, ISO 27017, NIST 800-53, SOC 2 COMMON CRITERIA
IR-4 AWS will notify customers of a security breach in accordance with the terms outlined in the service agreement with AWS. AWS’s commitment to all AWS customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any customer data (i.e., any personal data that is uploaded to a customer’s AWS account) on AWS’s equipment or in AWS’s facilities and this unlawful or unauthorized access results in loss, disclosure, or alteration of customer data, AWS will promptly notify the customer and take reasonable steps to reduce the effects of this security incident.
AWS defines, administers, and monitors security for the underlying cloud infrastructure (i.e., the hardware, the facilities housing the hardware, and the network infrastructure).
Because AWS manages the infrastructure and the security controls that apply to it, AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would be unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control and this incident results in loss, disclosure, or alteration of customer content, AWS will promptly notify the customer. AWS does this regardless of whether the customer's content is sensitive or not, because AWS does not know what the customer content is and protects all customer content in the same robust way.
IR-8 AWS has implemented a formal, documented incident response policy and program. The policy addresses purpose, scope, roles, responsibilities, and management commitment.
AWS uses a three-phased approach to manage incidents:
1. Activation and Notification Phase – Incidents for AWS begin with the detection of an event. Events originate from several sources such as:
• Metrics and alarms – AWS maintains an exceptional situational awareness capability; most issues are rapidly detected from 24x7x365 monitoring and alarming of real time metrics and service dashboards. The majority of incidents are detected in this manner. AWS uses early indicator alarms to proactively identify issues that may ultimately impact customers.
• Trouble tickets entered by an AWS employee.
• Calls to the 24x7x365 technical support hotline.
If the event meets incident criteria, the relevant on-call support engineer uses AWS’s event management tool system to start an engagement and page relevant program resolvers (e.g., AWS Security). The resolvers will perform an analysis of the incident to determine if additional resolvers should be engaged and to determine the approximate root cause.
2. Recovery Phase – The relevant resolvers will perform break fix to address the incident. After addressing troubleshooting, break fix and affected components, the call leader will assign follow-up documentation and follow-up actions and end the call engagement.
3. Reconstitution Phase – The call leader will declare the recovery phase complete after the relevant fix activities have been addressed. The post mortem and deep root cause analysis of the incident will be assigned to the relevant team. The results of the post mortem will be reviewed by relevant senior management, and actions are captured in a Correction of Errors (COE) document and tracked to completion.
To ensure the effectiveness of the AWS incident response plan, AWS conducts incident response testing. This testing provides excellent coverage for the discovery of previously unknown defects and failure modes. In addition, it allows the AWS Security and service teams to test the systems for potential customer impact and further prepare staff to handle incidents such as detection and analysis, containment, eradication, and recovery, and post-incident activities.
The incident response test plan is executed annually, in conjunction with the incident response plan. The test plan includes multiple scenarios, potential vectors of attack, and the inclusion of the systems integrator in reporting and coordination (when applicable), as well as varying reporting/detection avenues (i.e. customer reporting/detecting, AWS reporting/detecting).
AWS incident management planning, testing, and test results are reviewed by third-party auditors.

Subcategory: RS.IM-2: Response strategies are updated
Informative References:
· COBIT 5 BAI01.13, DSS04.08
· ISO/IEC 27001:2013 A.16.1.6, Clause 10
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
AWS Services/Resources: AWS Artifact, AWS Best Practices, AWS Reference Architectures
NIST 800-53 Controls Alignment: CP-2, IR-4, IR-8
AWS Responsibility:
CP-2 The AWS Business Continuity policy lays out the guidelines used to implement procedures to respond to a serious outage or degradation of AWS services, including the recovery model and its implications on the business continuity plan.
Refer to the following AWS Audit Reports for additional details: PCI 3.2, ISO 27001, ISO 27017, NIST 800-53, SOC 2 COMMON CRITERIA
IR-4 AWS will notify customers of a security breach in accordance with the terms outlined in the service agreement with AWS. AWS’s commitment to all AWS customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any customer data (i.e., any personal data that is uploaded to a customer’s AWS account) on AWS’s equipment or in AWS’s facilities and this unlawful or unauthorized access results in loss, disclosure, or alteration of customer data, AWS will promptly notify the customer and take reasonable steps to reduce the effects of this security incident.
AWS defines, administers, and monitors security for the underlying cloud infrastructure (i.e., the hardware, the facilities housing the hardware, and the network infrastructure).
Because AWS manages the infrastructure and the security controls that apply to it, AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would be unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control and this incident results in loss, disclosure, or alteration of customer content, AWS will promptly notify the customer. AWS does this regardless of whether the customer's content is sensitive or not, because
IR-8 AWS has implemented a formal, documented incident response policy and program. The policy addresses purpose, scope, roles, responsibilities, and management commitment.
AWS uses a three-phased approach to manage incidents:
1. Activation and Notification Phase – Incidents for AWS begin with the detection of an event. Events originate from several sources such as:
• Metrics and alarms – AWS maintains an exceptional situational awareness capability; most issues are rapidly detected from 24x7x365 monitoring and alarming of real time metrics and service dashboards. The majority of incidents are detected in this manner. AWS uses early indicator alarms to proactively identify issues that may ultimately impact customers.
• Trouble tickets entered by an AWS employee.
• Calls to the 24x7x365 technical support hotline.
If the event meets incident criteria, the relevant on-call support engineer uses AWS’s event management tool system to start an engagement and page relevant program resolvers (e.g., AWS Security). The resolvers will perform an analysis of the incident to determine if additional resolvers should be engaged and to determine the approximate root cause.
2. Recovery Phase – The relevant resolvers will perform break fix to address the incident. After addressing troubleshooting, break fix and affected components, the call leader will assign
follow-up AWS does not
documentation andknow what the
follow-up customer
actions and endcontent
the
is and protects
call engagement. all customer content in the same robust way.
3. Reconstitution Phase – The call leader will declare the recovery phase complete
after the relevant fix activities have been addressed. The post mortem and deep root
cause analysis of the incident will be assigned to the relevant team. The results of
the post mortem will be reviewed by relevant senior management and actions and
captured in a Correction of Errors (COE) document and tracked to completion.
To ensure the effectiveness of the AWS incident response plan, AWS conducts
incident response testing. This testing provides excellent coverage for the discovery
of previously unknown defects and failure modes. In addition, it allows the AWS
Security and service teams to test the systems for potential customer impact and
further prepare staff to handle incidents such as detection and analysis,
containment, eradication, and recovery, and post-incident activities.
The incident response test plan is executed annually, in conjunction with the
incident response plan. The test plan includes multiple scenarios, potential vectors
of attack, and the inclusion of the systems integrator in reporting and coordination
(when applicable), as well as varying reporting/detection avenues (i.e. customer
reporting/detecting, AWS reporting/detecting).
AWS incident management planning, testing, and test results are reviewed by third-
party auditors.
Customer Responsibility
AWS customers are responsible for providing for the recovery and reconstitution of the
information system to a known state after a disruption, compromise, or failure.

AWS customers are responsible for developing a contingency plan for their system that: 1) Identifies essential missions and business functions and associated contingency requirements, 2) Provides recovery objectives, restoration priorities, and metrics, 3) Addresses contingency roles, responsibilities, and assigned individuals with contact information, 4) Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure, 5) Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented, and 6) Is reviewed and approved by organization-defined personnel or roles in accordance with the contingency planning policy.

AWS customers are responsible for distributing copies of the contingency plan to organization-defined key contingency personnel (identified by name and/or by role) and organizational elements. Contingency planning activities must be coordinated with incident handling activities.

AWS customers are responsible for implementing an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery in accordance with their incident response policy. In addition, AWS customers are responsible for coordinating incident handling activities with contingency planning activities; incorporating lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises; and implementing the resulting changes accordingly.

AWS customers are responsible for developing an Incident Response Plan (IRP) that: 1) Provides their organization with a roadmap for implementing its incident response capability, 2) Describes the structure and organization of the incident response capability, 3) Provides a high-level approach for how the incident response capability fits into the overall organization, 4) Meets the unique requirements of the organization, which relate to mission, size, structure, and functions, 5) Defines reportable incidents, 6) Provides metrics for measuring the incident response capability within the organization, 7) Defines the resources and management support needed to effectively maintain and mature an incident response capability, and 8) Is reviewed and approved by organization-defined personnel or roles.
The contingency plan must be reviewed at a frequency defined in the contingency planning policy and updated to address changes to their organization, system, or environment of operation and problems encountered during implementation, execution, or testing.

AWS customers are responsible for distributing copies of the contingency plan to organization-defined key contingency personnel (identified by name and/or by role) and organizational elements. Contingency planning activities must be coordinated with incident handling activities.

AWS customers are responsible for communicating contingency plan changes to organization-defined personnel and for protecting the contingency plan from unauthorized disclosure and modification.

AWS customers are responsible for distributing copies of the IRP to organization defined incident response personnel (identified by name and/or role) and organizational elements. The IRP must be reviewed and updated at a frequency defined by the incident response policy to address system/organizational changes or problems encountered during plan implementation, execution, or testing. Changes to the IRP must be communicated to organization-defined incident response personnel (identified by name and/or role) and organizational elements.

AWS customers are responsible for protecting the IRP from unauthorized disclosure and modification.

AWS customers are responsible for providing contingency training to system users consistent with assigned roles and responsibilities. Training must be provided within an organization-defined time period of assuming the role, as required by system changes, and at an organization-defined frequency thereafter.

AWS customers are responsible for testing the incident response capability for their system at an organization-defined frequency using organization-defined tests to determine the incident response effectiveness and documenting the results.

AWS customers are responsible for reviewing and analyzing audit records at an organization-defined frequency for indications of organization-defined inappropriate or unusual activity and reporting these findings to organization-defined personnel or roles in accordance with their audit and accountability policy.

AWS customers are responsible for developing an Incident Response Plan (IRP) that: 1) Provides their organization with a roadmap for implementing its incident response capability, 2) Describes the structure and organization of the incident response capability, 3) Provides a high-level approach for how the incident response capability fits into the overall organization, 4) Meets the unique requirements of the organization, which relate to mission, size, structure, and functions, 5) Defines reportable incidents, 6) Provides metrics for measuring the incident response capability within the organization, 7) Defines the resources and management support needed to effectively maintain and mature an incident response capability, and 8) Is reviewed and approved by organization-defined personnel or roles.

AWS customers are responsible for distributing copies of the IRP to organization defined incident
response personnel (identified by name and/or role) and organizational elements. The IRP must be
reviewed and updated at a frequency defined by the incident response policy to address
system/organizational changes or problems encountered during plan implementation, execution, or
testing. Changes to the IRP must be communicated to organization-defined incident response
personnel (identified by name and/or role) and organizational elements.

AWS customers are responsible for protecting the IRP from unauthorized disclosure and
modification.

AWS customers are responsible for requiring their personnel to report suspected security incidents to the organizational incident response capability within an organization-defined time period and for reporting incident information to organization-defined authorities.

AWS customers are responsible for reporting incidents for customer virtual storage, machines, and applications unless caused by AWS or an incident is the result of AWS action. AWS customers are responsible for providing a point of contact and escalation procedures to AWS in order to facilitate ongoing incident communications. AWS customers should work with AWS to develop an agreed upon reporting process and method to receive notification of security incidents involving the potential breach of customer data.

AWS customers are responsible for conducting security assessments for their systems. Within this context and in accordance with their security assessment and authorization policy, customers are responsible for: 1) Developing a security assessment plan that describes the security controls and control enhancements under assessment, assessment procedures used to determine the effectiveness, the assessment environment, the assessment team, and assessment roles and responsibilities, 2) Assessing security controls in their system and its environment of operation at an organization-defined frequency to determine the extent to which controls are implemented correctly, operating as intended, producing the desired outcome with respect to meeting established security requirements, 3) Producing a security assessment report that documents the results of the assessment, and 4) Providing the results of the security control assessment to their organization-defined individuals or roles.

AWS customers are responsible for developing an Incident Response Plan (IRP) that: 1) Provides their organization with a roadmap for implementing its incident response capability, 2) Describes the structure and organization of the incident response capability, 3) Provides a high-level approach for how the incident response capability fits into the overall organization, 4) Meets the unique requirements of the organization, which relate to mission, size, structure, and functions, 5) Defines reportable incidents, 6) Provides metrics for measuring the incident response capability within the organization, 7) Defines the resources and management support needed to effectively maintain and mature an incident response capability, and 8) Is reviewed and approved by organization-defined personnel or roles.

AWS customers are responsible for distributing copies of the IRP to organization defined incident response personnel (identified by name and/or role) and organizational elements. The IRP must be reviewed and updated at a frequency defined by the incident response policy to address system/organizational changes or problems encountered during plan implementation, execution, or testing. Changes to the IRP must be communicated to organization-defined incident response personnel (identified by name and/or role) and organizational elements.

AWS customers are responsible for protecting the IRP from unauthorized disclosure and modification.

Throughout the incident response process, AWS will keep the AWS customer’s senior management and other necessary parties informed of response activities as the investigation progresses. Under certain circumstances, law enforcement agencies may become involved. All requests for information by law enforcement will be handled by AWS legal counsel. The AWS Security team will, to the best of its ability, comply with all information requests as approved by AWS legal counsel. Delivered materials will be reviewed by AWS Legal to ensure that AWS fully complies with the request, and the AWS Chief Information Security Officer (CISO) will review and … compliance.

AWS customers are responsible for developing a continuous monitoring strategy and implementing a continuous monitoring program in accordance with their security assessment and authorization policy that defines: 1) Metrics to be monitored, 2) Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for conducting and receiving continuous monitoring analysis information. Pursuant to this continuous monitoring program, AWS customers are responsible for: 1) Establishing and configuring monitoring for defined metrics, 2) Monitoring and conducting assessments at organization-defined frequencies, 3) Conducting ongoing security control assessments, 4) Conducting ongoing security status monitoring of their organization-defined metrics, 5) Correlating and analyzing security-related information generated by assessments and monitoring, 6) Taking appropriate response actions to address the results of the analysis of security-related information, and 7) Reporting the security status of their organization and the information system to the organization-defined personnel or roles at the organization-defined frequency.

AWS customers are responsible for developing a contingency plan for their system that: 1) Identifies essential missions and business functions and associated contingency requirements, 2) Provides recovery objectives, restoration priorities, and metrics, 3) Addresses contingency roles, responsibilities, and assigned individuals with contact information, 4) Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure, 5) Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented, and 6) Is reviewed and approved by organization-defined personnel or roles in accordance with the contingency planning policy.

AWS customers are responsible for distributing copies of the contingency plan to organization-defined key contingency personnel (identified by name and/or by role) and organizational elements. Contingency planning activities must be coordinated with incident handling activities.

The contingency plan must be reviewed at a frequency defined in the contingency planning policy and updated to address changes to their organization, system, or environment of operation and problems encountered during implementation, execution, or testing.

AWS customers are responsible for communicating contingency plan changes to organization-defined personnel and for protecting the contingency plan from unauthorized disclosure and modification.

AWS customers are responsible for implementing an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery in accordance with their incident response policy. In addition, AWS customers are responsible for coordinating incident handling activities with contingency planning activities; incorporating lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises; and implementing the resulting changes accordingly.

N/A

AWS customers are responsible for: 1) Scanning for vulnerabilities in their system and hosted applications at an organization-defined frequency and/or randomly in accordance with organization-defined process and when new vulnerabilities potentially affecting the system/applications are identified and reported; 2) Employing vulnerability scanning tools and techniques that promote interoperability among tools and automated parts of the vulnerability management process by using standards for: a) Enumerating platforms, software flaws, and improper configurations, b) Formatting checklists and test procedures, and c) Measuring vulnerability impact; 3) Analyzing vulnerability scan reports and results from security control assessments; 4) Remediating legitimate vulnerabilities within organization-defined response times in accordance with an organizational assessment of risk; and 5) Sharing information obtained from the vulnerability scanning process and security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

Prior to conducting penetration testing or vulnerability scanning activities, AWS customers are required to request authorization through the following URL: https://aws.amazon.com/security/penetration-testing/.

AWS customers are responsible for: 1) Monitoring their information system to detect: a) Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives and b) Unauthorized local, network, and remote connections; 2) Identifying unauthorized use of the information system through organization-defined techniques and methods; 3) Deploying monitoring devices: a) Strategically within the information system to collect organization-determined essential information and b) At ad hoc locations within the system to track specific types of transactions of interest to their organization; 4) Protecting information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; 5) Heightening the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; 6) Obtaining legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and 7) Providing organization-defined information system monitoring information to organization-defined personnel or roles as needed or in accordance with an organization-defined frequency.
AWS customers are responsible for communicating contingency plan changes to organization-defined personnel and for protecting the contingency plan from unauthorized disclosure and modification.

RDS Specific (Postgres, MySQL, MariaDB, SQL Server, Aurora, Oracle): AWS Customers are responsible for meeting scanning requirements on their databases in accordance with organization-defined frequency and/or when new vulnerabilities have been identified. Also, AWS Customers are required to remediate legitimate findings within the organization-defined timeframe.

DynamoDB Specific: This service is a fully managed cloud NoSQL database service. AWS Customers offload database management tasks such as hardware or software provisioning, setup and configuration, software patching, operating a reliable, distributed database cluster, or partitioning data over multiple instances as you scale.

N/A

AWS customers are responsible for implementing an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery in accordance with their incident response policy. In addition, AWS customers are responsible for coordinating incident handling activities with contingency planning activities; incorporating lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises; and implementing the resulting changes accordingly.

AWS customers are responsible for developing an Incident Response Plan (IRP) that: 1) Provides their organization with a roadmap for implementing its incident response capability, 2) Describes the structure and organization of the incident response capability, 3) Provides a high-level approach for how the incident response capability fits into the overall organization, 4) Meets the unique requirements of the organization, which relate to mission, size, structure, and functions, 5) Defines reportable incidents, 6) Provides metrics for measuring the incident response capability within the organization, 7) Defines the resources and management support needed to effectively maintain and mature an incident response capability, and 8) Is reviewed and approved by organization-defined personnel or roles.
AWS customers are responsible for: 1) Receiving information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis, 2) Generating internal security alerts, advisories, and directives as deemed necessary, 3) Disseminating security alerts, advisories, and directives to organization-defined personnel, roles, organizational elements and/or external organizations, and 4) Implementing security directives in accordance with established time frames or notifying the issuing organization of the degree of noncompliance.

AWS customers are responsible for reviewing and analyzing audit records at an organization-defined frequency for indications of organization-defined inappropriate or unusual activity and reporting these findings to organization-defined personnel or roles in accordance with their audit and accountability policy.

AWS customers are responsible for developing an Incident Response Plan (IRP) that: 1) Provides their organization with a roadmap for implementing its incident response capability, 2) Describes the structure and organization of the incident response capability, 3) Provides a high-level approach for how the incident response capability fits into the overall organization, 4) Meets the unique requirements of the organization, which relate to mission, size, structure, and functions, 5) Defines reportable incidents, 6) Provides metrics for measuring the incident response capability within the organization, 7) Defines the resources and management support needed to effectively maintain and mature an incident response capability, and 8) Is reviewed and approved by organization-defined personnel or roles.

AWS customers are responsible for distributing copies of the IRP to organization defined incident response personnel (identified by name and/or role) and organizational elements. The IRP must be reviewed and updated at a frequency defined by the incident response policy to address system/organizational changes or problems encountered during plan implementation, execution, or testing. Changes to the IRP must be communicated to organization-defined incident response personnel (identified by name and/or role) and organizational elements.

AWS customers are responsible for protecting the IRP from unauthorized disclosure and
modification.

AWS customers are responsible for developing a continuous monitoring strategy and implementing a continuous monitoring program in accordance with their security assessment and authorization policy that defines: 1) Metrics to be monitored, 2) Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for conducting and receiving continuous monitoring analysis information. Pursuant to this continuous monitoring program, AWS customers are responsible for: 1) Establishing and configuring monitoring for defined metrics, 2) Monitoring and conducting assessments at organization-defined frequencies, 3) Conducting ongoing security control assessments, 4) Conducting ongoing security status monitoring of their organization-defined metrics, 5) Correlating and analyzing security-related information generated by assessments and monitoring, 6) Taking appropriate response actions to address the results of the analysis of security-related information, and 7) Reporting the security status of their organization and the information system to the organization-defined personnel or roles at the organization-defined frequency.

AWS customers are responsible for implementing an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery in accordance with their incident response policy. In addition, AWS customers are responsible for coordinating incident handling activities with contingency planning activities; incorporating lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises; and implementing the resulting changes accordingly.

AWS customers are responsible for tracking and documenting information system security incidents.

N/A

AWS customers are responsible for: 1) Monitoring their information system to detect: a) Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives and b) Unauthorized local, network, and remote connections; 2) Identifying unauthorized use of the information system through organization-defined techniques and methods; 3) Deploying monitoring devices: a) Strategically within the information system to collect organization-determined essential information and b) At ad hoc locations within the system to track specific types of transactions of interest to their organization; 4) Protecting information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; 5) Heightening the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; 6) Obtaining legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and 7) Providing organization-defined information system monitoring information to organization-defined personnel or roles as needed or in accordance with an organization-defined frequency.

AWS customers are responsible for developing a contingency plan for their system that: 1) Identifies essential missions and business functions and associated contingency requirements, 2) Provides recovery objectives, restoration priorities, and metrics, 3) Addresses contingency roles, responsibilities, and assigned individuals with contact information, 4) Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure, 5) Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented, and 6) Is reviewed and approved by organization-defined personnel or roles in accordance with the contingency planning policy.

AWS customers are responsible for distributing copies of the contingency plan to organization-defined key contingency personnel (identified by name and/or by role) and organizational elements. Contingency planning activities must be coordinated with incident handling activities.

The contingency plan must be reviewed at a frequency defined in the contingency planning policy and updated to address changes to their organization, system, or environment of operation and problems encountered during implementation, execution, or testing.

AWS customers are responsible for communicating contingency plan changes to organization-defined personnel and for protecting the contingency plan from unauthorized disclosure and modification.

AWS customers are responsible for implementing an incident handling capability for security
incidents that includes preparation, detection and analysis, containment, eradication, and recovery
in accordance with their incident response policy. In addition, AWS customers are responsible for
coordinating incident handling activities with contingency planning activities; incorporating
lessons learned from ongoing incident handling activities into incident response procedures,
training, and testing/exercises; and implementing the resulting changes accordingly.

AWS customers are responsible for implementing and configuring an audit reduction and report generation capability that: 1) Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents and 2) Does not alter the original content or time ordering of audit records.

AWS customers are responsible for implementing an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery in accordance with their incident response policy. In addition, AWS customers are responsible for coordinating incident handling activities with contingency planning activities; incorporating lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises; and implementing the resulting changes accordingly.
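The audit reduction and report generation responsibility (AU-7) carries a concrete integrity property: the reduction step may select and summarize records for an on-demand review or an after-the-fact investigation, but it must not alter record content or time ordering. The Python script below is an added example written for this page, not code from AWS or from the source document. The audit records are constructed sample data in a CloudTrail-like shape; the field names, user names and IP addresses are assumptions, as is the check that proves the source records are untouched (a digest over the records in stored order, taken before and after the reduction).

```python
"""
Audit reduction and report generation (AU-7) demonstration.

Added example, not code from the AWS document it accompanies. It takes a
batch of audit records (constructed sample data in a CloudTrail-like JSON
shape, not real CloudTrail output), produces an on-demand summary for a
review or after-the-fact investigation, and shows that the reduction step
neither altered the original records nor their time ordering.
"""
import hashlib
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample audit records (hypothetical users and addresses).
RAW_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "ConsoleLogin", "userName": "alice",
     "sourceIPAddress": "198.51.100.10", "errorCode": None},
    {"eventTime": "2024-05-01T10:05:12Z", "eventName": "ConsoleLogin", "userName": "mallory",
     "sourceIPAddress": "203.0.113.77", "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T10:05:40Z", "eventName": "ConsoleLogin", "userName": "mallory",
     "sourceIPAddress": "203.0.113.77", "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T10:06:02Z", "eventName": "ConsoleLogin", "userName": "mallory",
     "sourceIPAddress": "203.0.113.77", "errorCode": None},
    {"eventTime": "2024-05-01T10:07:30Z", "eventName": "DeleteTrail", "userName": "mallory",
     "sourceIPAddress": "203.0.113.77", "errorCode": None},
    {"eventTime": "2024-05-01T11:00:00Z", "eventName": "DescribeInstances", "userName": "alice",
     "sourceIPAddress": "198.51.100.10", "errorCode": None},
]


def canonical_digest(records):
    """Hash the records in their stored order; any edit or reordering changes it."""
    h = hashlib.sha256()
    for rec in records:
        h.update(json.dumps(rec, sort_keys=True).encode())
        h.update(b"\n")
    return h.hexdigest()


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reduce_audit(records, start=None, end=None, user=None):
    """Select records for a time window and/or user without mutating the input.

    Returns the subset in original order (AU-7 part 2: no alteration of
    content or time ordering). Filtering builds a new list; the caller's
    list and its dict objects are left untouched.
    """
    selected = []
    for rec in records:
        t = _parse(rec["eventTime"])
        if start and t < _parse(start):
            continue
        if end and t > _parse(end):
            continue
        if user and rec["userName"] != user:
            continue
        selected.append(rec)
    return selected


def build_report(records):
    """On-demand summary: counts by event, failed logins per user, first/last time."""
    if not records:
        return {"total": 0}
    names = Counter(r["eventName"] for r in records)
    failed_logins = Counter(
        r["userName"] for r in records
        if r["eventName"] == "ConsoleLogin" and r["errorCode"] is not None)
    return {
        "total": len(records),
        "first_event": records[0]["eventTime"],
        "last_event": records[-1]["eventTime"],
        "events_by_name": dict(names),
        "failed_logins_by_user": dict(failed_logins),
        "users": sorted({r["userName"] for r in records}),
    }


def investigate(records, user):
    """After-the-fact investigation of one user, with proof the source was untouched."""
    before = canonical_digest(records)
    subset = reduce_audit(records, user=user)
    report = build_report(subset)
    after = canonical_digest(records)
    report["source_unaltered"] = (before == after)
    # The selected records must appear in the same time order as in the source.
    report["order_preserved"] = [r["eventTime"] for r in subset] == [
        r["eventTime"] for r in records if r["userName"] == user]
    return report


if __name__ == "__main__":
    print(json.dumps(investigate(RAW_RECORDS, "mallory"), indent=2))
```

The digest comparison is the part worth keeping in a real pipeline: run the reduction against a read-only copy of the trail, and record the before/after digest alongside the report so a reviewer can show the report was derived from unmodified records.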

AWS customers are responsible for developing a contingency plan for their system that: 1) Identifies essential missions and business functions and associated contingency requirements, 2) Provides recovery objectives, restoration priorities, and metrics, 3) Addresses contingency roles, responsibilities, and assigned individuals with contact information, 4) Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure, 5) Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented, and 6) Is reviewed and approved by organization-defined personnel or roles in accordance with the contingency planning policy.

AWS customers are responsible for distributing copies of the contingency plan to organization-defined key contingency personnel (identified by name and/or by role) and organizational elements. Contingency planning activities must be coordinated with incident handling activities. The contingency plan must be reviewed at a frequency defined in the contingency planning policy and updated to address changes to their organization, system, or environment of operation and problems encountered during implementation, execution, or testing.

AWS customers are responsible for communicating contingency plan changes to organization-defined personnel and for protecting the contingency plan from unauthorized disclosure and modification.

AWS customers are responsible for implementing an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery in accordance with their incident response policy. In addition, AWS customers are responsible for coordinating incident handling activities with contingency planning activities; incorporating lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises; and implementing the resulting changes accordingly.

AWS customers are responsible for tracking and documenting information system security incidents.

AWS customers are responsible for developing an Incident Response Plan (IRP) that: 1) Provides their organization with a roadmap for implementing its incident response capability, 2) Describes the structure and organization of the incident response capability, 3) Provides a high-level approach for how the incident response capability fits into the overall organization, 4) Meets the unique requirements of the organization, which relate to mission, size, structure, and functions, 5) Defines reportable incidents, 6) Provides metrics for measuring the incident response capability within the organization, 7) Defines the resources and management support needed to effectively maintain and mature an incident response capability, and 8) Is reviewed and approved by organization-defined personnel or roles.

AWS customers are responsible for distributing copies of the IRP to organization-defined incident response personnel (identified by name and/or role) and organizational elements. The IRP must be reviewed and updated at a frequency defined by the incident response policy to address system/organizational changes or problems encountered during plan implementation, execution, or testing. Changes to the IRP must be communicated to organization-defined incident response personnel (identified by name and/or role) and organizational elements.

AWS customers are responsible for protecting the IRP from unauthorized disclosure and modification.

AWS customers are responsible for: 1) Receiving information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis, 2) Generating internal security alerts, advisories, and directives as deemed necessary, 3) Disseminating security alerts, advisories, and directives to organization-defined personnel, roles, organizational elements and/or external organizations, and 4) Implementing security directives in accordance with established time frames or notifying the issuing organization of the degree of noncompliance.

N/A

AWS customers are responsible for implementing an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery in accordance with their incident response policy. In addition, AWS customers are responsible for coordinating incident handling activities with contingency planning activities; incorporating lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises; and implementing the resulting changes accordingly.

AWS customers are responsible for implementing an incident handling capability for security
incidents that includes preparation, detection and analysis, containment, eradication, and recovery
in accordance with their incident response policy. In addition, AWS customers are responsible for
coordinating incident handling activities with contingency planning activities; incorporating
lessons learned from ongoing incident handling activities into incident response procedures,
training, and testing/exercises; and implementing the resulting changes accordingly.

AWS customers are responsible for developing a continuous monitoring strategy and implementing a continuous monitoring program in accordance with their security assessment and authorization policy that defines: 1) Metrics to be monitored, 2) Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for conducting and receiving continuous monitoring analysis information. Pursuant to this continuous monitoring program, AWS customers are responsible for: 1) Establishing and configuring monitoring for defined metrics, 2) Monitoring and conducting assessments at organization-defined frequencies, 3) Conducting ongoing security control assessments, 4) Conducting ongoing security status monitoring of their organization-defined metrics, 5) Correlating and analyzing security-related information generated by assessments and monitoring, 6) Taking appropriate response actions to address the results of the analysis of security-related information, and 7) Reporting the security status of their organization and the information system to the organization-defined personnel or roles at the organization-defined frequency.

AWS customers are responsible for: 1) Conducting an assessment of risk to include the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction of their information system and the information it processes, stores, or transmits, 2) Documenting risk assessment results in the system plan, security assessment report, or other organization-defined document, 3) Reviewing risk assessment results at an organization-defined frequency, 4) Disseminating risk assessment results to organization-defined personnel or roles, and 5) Updating the risk assessment at an organization-defined frequency or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities) or other conditions that may impact the security state of the system.

AWS customers are responsible for: 1) Scanning for vulnerabilities in their information system and hosted applications at an organization-defined frequency and/or randomly in accordance with their organization-defined process and when new vulnerabilities potentially affecting the system/applications are identified and reported; 2) Employing vulnerability scanning tools and techniques that promote interoperability among tools and automated parts of the vulnerability management process by using standards for: a) Enumerating platforms, software flaws, and improper configurations, b) Formatting and making transparent checklists and test procedures, and c) Measuring vulnerability impact; 3) Analyzing vulnerability scan reports and results from security control assessments; 4) Remediating legitimate vulnerabilities within organization-defined response times in accordance with an organizational assessment of risk; and 5) Sharing information obtained from the vulnerability scanning process and security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
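The vulnerability scanning responsibility (RA-5) ties three things together: standards-based identifiers for platforms and flaws, organization-defined remediation response times driven by the risk assessment, and sharing of results across systems so that the same flaw showing up on several systems is treated as a systemic weakness rather than a one-off. The Python script below is an added example for this page, not code from AWS or from the source document. Every finding, system name and identifier in it is constructed (the CVE-, CCE- and CPE-style strings are placeholders in the SCAP identifier formats the control's "standards" language refers to), the response times per severity are assumed values an organization would set itself, and the score-to-severity ranges are those of the CVSS v3 qualitative rating scale.

```python
"""
Vulnerability scan triage against organization-defined response times (RA-5).

Added example written for this page, not code from AWS or from the source
document. Findings, system names, identifiers and response times are all
constructed; the CVE/CCE/CPE-style identifiers are placeholders.
"""
from collections import defaultdict
from datetime import date, timedelta

# Organization-defined remediation response times in days, by severity
# (assumed values; an organization derives its own from its risk assessment).
RESPONSE_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Constructed scan findings. "flaw" holds a CVE-style id for software flaws
# or a CCE-style id for improper configurations; all values are placeholders.
FINDINGS = [
    {"system": "web-prod-01", "platform": "cpe:/a:example:webapp:1.2",
     "flaw": "CVE-0000-0001", "cvss": 9.8, "first_seen": "2024-04-01", "remediated": None},
    {"system": "web-prod-02", "platform": "cpe:/a:example:webapp:1.2",
     "flaw": "CVE-0000-0001", "cvss": 9.8, "first_seen": "2024-04-03", "remediated": None},
    {"system": "api-prod-01", "platform": "cpe:/a:example:apigw:3.0",
     "flaw": "CVE-0000-0002", "cvss": 5.3, "first_seen": "2024-03-01", "remediated": "2024-03-20"},
    {"system": "db-prod-01", "platform": "cpe:/a:example:dbms:14",
     "flaw": "CCE-00000-0", "cvss": 7.5, "first_seen": "2024-03-15", "remediated": "2024-04-20"},
    {"system": "bastion-01", "platform": "cpe:/o:example:linux:5",
     "flaw": "CVE-0000-0003", "cvss": 3.1, "first_seen": "2024-04-20", "remediated": None},
]


def severity(cvss_score):
    """CVSS v3 qualitative rating: None 0.0, Low 0.1-3.9, Medium 4.0-6.9,
    High 7.0-8.9, Critical 9.0-10.0."""
    if cvss_score >= 9.0:
        return "critical"
    if cvss_score >= 7.0:
        return "high"
    if cvss_score >= 4.0:
        return "medium"
    if cvss_score >= 0.1:
        return "low"
    return "none"


def triage(findings, as_of):
    """Check every finding against its response-time deadline.

    Returns one dict per finding with the derived severity, the deadline, a
    status (informational, open, overdue, closed_on_time, closed_late) and the
    number of days past the deadline. The input list and its dicts are not
    modified.
    """
    today = date.fromisoformat(as_of)
    results = []
    for f in findings:
        sev = severity(f["cvss"])
        row = {"system": f["system"], "flaw": f["flaw"], "severity": sev}
        if sev not in RESPONSE_DAYS:
            # A score of 0.0 carries no remediation clock.
            row.update(status="informational", deadline=None, days_overdue=0)
            results.append(row)
            continue
        deadline = date.fromisoformat(f["first_seen"]) + timedelta(days=RESPONSE_DAYS[sev])
        if f["remediated"]:
            late = (date.fromisoformat(f["remediated"]) - deadline).days
            status = "closed_late" if late > 0 else "closed_on_time"
        else:
            late = (today - deadline).days
            status = "overdue" if late > 0 else "open"
        row.update(status=status, deadline=deadline.isoformat(), days_overdue=max(0, late))
        results.append(row)
    return results


def systemic_weaknesses(findings, min_systems=2):
    """Group open findings by flaw id across systems (RA-5 item 5).

    A flaw open on several systems points at a shared cause (same image,
    same template, same patch gap), which is the information worth sharing
    with the other system owners.
    """
    systems_by_flaw = defaultdict(set)
    for f in findings:
        if not f["remediated"]:
            systems_by_flaw[f["flaw"]].add(f["system"])
    return {flaw: sorted(s) for flaw, s in systems_by_flaw.items() if len(s) >= min_systems}


def summary(findings, as_of):
    """Counts by status for the report sent to organization-defined roles."""
    counts = defaultdict(int)
    for r in triage(findings, as_of):
        counts[r["status"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for row in triage(FINDINGS, "2024-05-01"):
        print(row)
    print("systemic:", systemic_weaknesses(FINDINGS))
    print("summary:", summary(FINDINGS, "2024-05-01"))
```

The clock starts at `first_seen`, not at the scan date, so a finding that a scanner re-reports every week does not get its deadline reset; the grouping step is what turns a list of per-host findings into the "similar vulnerabilities in other information systems" view the control asks for.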

Prior to conducting penetration testing or vulnerability scanning activities, AWS customers are
required to request authorization through the following URL:
https://aws.amazon.com/security/penetration-testing/.

RDS Specific (Postgres, MySQL, MariaDB, SQL Server, Aurora, Oracle):
AWS customers are responsible for developing a contingency plan for their system that: 1)
Identifies essential missions and business functions and associated contingency requirements, 2)
Provides recovery objectives, restoration priorities, and metrics, 3) Addresses contingency roles,
responsibilities, and assigned individuals with contact information, 4) Addresses maintaining
essential missions and business functions despite an information system disruption, compromise,
or failure, 5) Addresses eventual, full information system restoration without deterioration of the
security safeguards originally planned and implemented, and 6) Is reviewed and approved by
organization-defined personnel or roles in accordance with the contingency planning policy.

AWS customers are responsible for distributing copies of the contingency plan to organization-
defined key contingency personnel (identified by name and/or by role) and organizational
elements. Contingency planning activities must be coordinated with incident handling activities.
The contingency plan must be reviewed at a frequency defined in the contingency planning policy
and updated to address changes to their organization, system, or environment of operation and
problems encountered during implementation, execution, or testing.

AWS customers are responsible for communicating contingency plan changes to organization-
defined personnel and for protecting the contingency plan from unauthorized disclosure and
modification.

AWS customers are responsible for developing a contingency plan for their system that: 1) Identifies essential missions and business functions and associated contingency requirements, 2) Provides recovery objectives, restoration priorities, and metrics, 3) Addresses contingency roles, responsibilities, and assigned individuals with contact information, 4) Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure, 5) Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented, and 6) Is reviewed and approved by organization-defined personnel or roles in accordance with the contingency planning policy.

AWS customers are responsible for distributing copies of the contingency plan to organization-defined key contingency personnel (identified by name and/or by role) and organizational elements. Contingency planning activities must be coordinated with incident handling activities. The contingency plan must be reviewed at a frequency defined in the contingency planning policy and updated to address changes to their organization, system, or environment of operation and problems encountered during implementation, execution, or testing.

AWS customers are responsible for communicating contingency plan changes to organization-defined personnel and for protecting the contingency plan from unauthorized disclosure and modification.

AWS customers are responsible for implementing an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery in accordance with their incident response policy. In addition, AWS customers are responsible for coordinating incident handling activities with contingency planning activities; incorporating lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises; and implementing the resulting changes accordingly.

AWS customers are responsible for developing an Incident Response Plan (IRP) that: 1) Provides their organization with a roadmap for implementing its incident response capability, 2) Describes the structure and organization of the incident response capability, 3) Provides a high-level approach for how the incident response capability fits into the overall organization, 4) Meets the unique requirements of the organization, which relate to mission, size, structure, and functions, 5) Defines reportable incidents, 6) Provides metrics for measuring the incident response capability within the organization, 7) Defines the resources and management support needed to effectively maintain and mature an incident response capability, and 8) Is reviewed and approved by organization-defined personnel or roles.

AWS customers are responsible for distributing copies of the IRP to organization-defined incident response personnel (identified by name and/or role) and organizational elements. The IRP must be reviewed and updated at a frequency defined by the incident response policy to address system/organizational changes or problems encountered during plan implementation, execution, or testing. Changes to the IRP must be communicated to organization-defined incident response personnel (identified by name and/or role) and organizational elements.

AWS customers are responsible for protecting the IRP from unauthorized disclosure and modification.

AWS customers are responsible for implementing an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery in accordance with their incident response policy. In addition, AWS customers are responsible for coordinating incident handling activities with contingency planning activities; incorporating lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises; and implementing the resulting changes accordingly.

AWS customers are responsible for developing an Incident Response Plan (IRP) that: 1) Provides their organization with a roadmap for implementing its incident response capability, 2) Describes the structure and organization of the incident response capability, 3) Provides a high-level approach for how the incident response capability fits into the overall organization, 4) Meets the unique requirements of the organization, which relate to mission, size, structure, and functions, 5) Defines reportable incidents, 6) Provides metrics for measuring the incident response capability within the organization, 7) Defines the resources and management support needed to effectively maintain and mature an incident response capability, and 8) Is reviewed and approved by organization-defined personnel or roles.

AWS customers are responsible for distributing copies of the IRP to organization-defined incident response personnel (identified by name and/or role) and organizational elements. The IRP must be reviewed and updated at a frequency defined by the incident response policy to address system/organizational changes or problems encountered during plan implementation, execution, or testing. Changes to the IRP must be communicated to organization-defined incident response personnel (identified by name and/or role) and organizational elements.

AWS customers are responsible for protecting the IRP from unauthorized disclosure and modification.

Category: Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.
Subcategory: RC.RP-1: Recovery plan is executed during or after an event
Informative References:
· CIS CSC 10
· COBIT 5 APO12.06, DSS02.05, DSS03.04
· ISO/IEC 27001:2013 A.16.1.5
· NIST SP 800-53 Rev. 4 CP-10, IR-4, IR-8
AWS Services/Resources: AWS Certifications, Customer Responsibility
NIST 800-53 Controls Alignment: CP-10, IR-4, IR-8
AWS Responsibility:
CP-10 The AWS business continuity plan details the three-phased approach that AWS has developed to recover and reconstitute the AWS infrastructure:
• Activation and Notification Phase
• Recovery Phase
• Reconstitution Phase
This approach ensures that AWS performs system recovery and reconstitution efforts in a methodical sequence, maximizing the effectiveness of the recovery and reconstitution efforts and minimizing system outage time due to errors and omissions.
AWS maintains a ubiquitous security control environment across all regions. Each data center is built to physical, environmental, and security standards in an active-active configuration, employing an n+1 redundancy model to ensure system availability in the event of component failure. Components (N) have at least one independent backup component (+1), so the backup component is active in the operation even if all other components are fully functional. In order to eliminate single points of failure, this model is applied throughout AWS, including network and data center implementation. All data centers are online and serving traffic; no data center is “cold.” In case of failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.

IR-4 AWS will notify customers of a security breach in accordance with the terms
outlined in the service agreement with AWS. AWS’s commitment to all AWS
customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any customer
data (i.e., any personal data that is uploaded to a customer’s AWS account) on
AWS’s equipment or in AWS’s facilities and this unlawful or unauthorized
access results in loss, disclosure, or alteration of customer data, AWS will
promptly notify the customer and take reasonable steps to reduce the effects of
this security incident.
AWS defines, administers, and monitors security for the underlying cloud
infrastructure (i.e., the hardware, the facilities housing the hardware, and the
network infrastructure).
Because AWS manages the infrastructure and the security controls that apply to
it, AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would be
unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control and this
incident results in loss, disclosure, or alteration of customer content, AWS will
promptly notify the customer. AWS does this regardless of whether the
customer's content is sensitive or not, because AWS does not know what the
customer content is and protects all customer content in the same robust way.

IR-8 AWS has implemented a formal, documented incident response policy and
program. The policy addresses purpose, scope, roles, responsibilities, and
management commitment.
AWS uses a three-phased approach to manage incidents:
1. Activation and Notification Phase – Incidents for AWS begin with the
detection of an event. Events originate from several sources such as:
• Metrics and alarms – AWS maintains an exceptional situational awareness
capability; most issues are rapidly detected from 24x7x365 monitoring and
alarming of real time metrics and service dashboards. The majority of incidents
are detected in this manner. AWS uses early indicator alarms to proactively
identify issues that may ultimately impact customers.
• Trouble tickets entered by an AWS employee.
• Calls to the 24x7x365 technical support hotline.
If the event meets incident criteria, the relevant on-call support engineer uses
AWS’s event management tool system to start an engagement and page relevant
program resolvers (e.g., AWS Security). The resolvers will perform an analysis
of the incident to determine if additional resolvers should be engaged and to
determine the approximate root cause.
2. Recovery Phase – The relevant resolvers will perform break fix to address the
incident. After addressing troubleshooting, break fix and affected components,
the call leader will assign follow-up documentation and follow-up actions and
end the call engagement.
3. Reconstitution Phase – The call leader will declare the recovery phase
complete after the relevant fix activities have been addressed. The post mortem
and deep root cause analysis of the incident will be assigned to the relevant
team. The results of the post mortem will be reviewed by relevant senior
management, and actions captured in a Correction of Errors (COE) document
and tracked to completion.
To ensure the effectiveness of the AWS incident response plan, AWS conducts
incident response testing. This testing provides excellent coverage for the
discovery of previously unknown defects and failure modes. In addition, it
allows the AWS Security and service teams to test the systems for potential
customer impact and further prepare staff to handle incidents such as detection
and analysis, containment, eradication, and recovery, and post-incident

Category: Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.
Subcategory: RC.IM-1: Recovery plans incorporate lessons learned
Informative References:
· COBIT 5 APO12.06, BAI05.07, DSS04.08
· ISA 62443-2-1:2009 4.4.3.4
· ISO/IEC 27001:2013 A.16.1.6, Clause 10
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
AWS Services/Resources: AWS Certifications, Customer Responsibility
NIST 800-53 Controls Alignment: CP-2, IR-4, IR-8
AWS Responsibility:
CP-2 The AWS Business Continuity policy lays out the guidelines used to implement procedures to respond to a serious outage or degradation of AWS services, including the recovery model and its implications on the business continuity plan.

Refer to the following AWS Audit Reports for additional details: PCI 3.2, ISO
27001, ISO 27017, NIST 800-53, SOC 2 COMMON CRITERIA

IR-4 and IR-8: the AWS responsibility text for these two controls is the same as the IR-4 and IR-8 entries under RC.RP-1 above.
Category: Improvements (RC.IM)
Subcategory: RC.IM-2: Recovery strategies are updated
Informative References:
· COBIT 5 APO12.06, BAI07.08
· ISO/IEC 27001:2013 A.16.1.6, Clause 10
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
AWS Services/Resources: AWS Certifications, Customer Responsibility
NIST 800-53 Controls Alignment: CP-2, IR-4, IR-8
AWS Responsibility:
CP-2 The AWS Business Continuity policy lays out the guidelines used to implement procedures to respond to a serious outage or degradation of AWS services, including the recovery model and its implications on the business continuity plan.

Refer to the following AWS Audit Reports for additional details: PCI 3.2, ISO
27001, ISO 27017, NIST 800-53, SOC 2 COMMON CRITERIA

IR-4 and IR-8: the AWS responsibility text for these two controls is the same as the IR-4 and IR-8 entries under RC.RP-1 above.
Category: Communications (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.
Subcategory: RC.CO-1: Public relations are managed
Informative References:
· COBIT 5 EDM03.02
· ISO/IEC 27001:2013 A.6.1.4, Clause 7.4
AWS Services/Resources: Customer Responsibility
NIST 800-53 Controls Alignment and AWS Responsibility: N/A

Category: Communications (RC.CO)
Subcategory: RC.CO-2: Reputation after an event is repaired
Informative References:
· COBIT 5 MEA03.02
· ISO/IEC 27001:2013 Clause 7.4
AWS Services/Resources: Customer Responsibility
NIST 800-53 Controls Alignment and AWS Responsibility: N/A

Category: Communications (RC.CO)
Subcategory: RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and management teams
Informative References:
· COBIT 5 APO12.06
· ISO/IEC 27001:2013 Clause 7.4
· NIST SP 800-53 Rev. 4 CP-2, IR-4
AWS Services/Resources: AWS Certifications, Customer Responsibility
NIST 800-53 Controls Alignment: CP-2, IR-4
AWS Responsibility:
CP-2 The AWS Business Continuity policy lays out the guidelines used to implement procedures to respond to a serious outage or degradation of AWS services, including the recovery model and its implications on the business continuity plan.

Refer to the following AWS Audit Reports for additional details: PCI 3.2, ISO
27001, ISO 27017, NIST 800-53, SOC 2 COMMON CRITERIA
IR-4 AWS will notify customers of a security breach in accordance with the terms
outlined in the service agreement with AWS. AWS’s commitment to all AWS
customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any customer
data (i.e., any personal data that is uploaded to a customer’s AWS account) on
AWS’s equipment or in AWS’s facilities and this unlawful or unauthorized
access results in loss, disclosure, or alteration of customer data, AWS will
promptly notify the customer and take reasonable steps to reduce the effects of
this security incident.
AWS defines, administers, and monitors security for the underlying cloud
infrastructure (i.e., the hardware, the facilities housing the hardware, and the
network infrastructure).
Because AWS manages the infrastructure and the security controls that apply to
it, AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would be
unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control and this
incident results in loss, disclosure, or alteration of customer content, AWS will
promptly notify the customer. AWS does this regardless of whether the
customer's content is sensitive or not, because AWS does not know what the
customer content is and protects all customer content in the same robust way.
Customer Responsibility

AWS customers are responsible for providing for the recovery and
reconstitution of the information system to a known state after a
disruption, compromise, or failure.

AWS customers are responsible for implementing an incident
handling capability for security incidents that includes preparation,
detection and analysis, containment, eradication, and recovery in
accordance with their incident response policy. In addition, AWS
customers are responsible for coordinating incident handling activities
with contingency planning activities; incorporating lessons learned
from ongoing incident handling activities into incident response
procedures, training, and testing/exercises; and implementing the
resulting changes accordingly.

AWS customers are responsible for developing an Incident Response
Plan (IRP) that:
1) Provides their organization with a roadmap for implementing its
incident response capability, 2) Describes the structure and
organization of the incident response capability, 3) Provides a high-
level approach for how the incident response capability fits into the
overall organization, 4) Meets the unique requirements of the
organization, which relate to mission, size, structure, and functions, 5)
Defines reportable incidents, 6) Provides metrics for measuring the
incident response capability within the organization, 7) Defines the
resources and management support needed to effectively maintain and
mature an incident response capability, and 8) Is reviewed and
approved by organization-defined personnel or roles.

AWS customers are responsible for distributing copies of the IRP to
organization-defined incident response personnel (identified by name
and/or role) and organizational elements. The IRP must be reviewed and
updated at a frequency defined by the incident response policy to
address system/organizational changes or problems encountered
during plan implementation, execution, or testing. Changes to the IRP
must be communicated to organization-defined incident response
personnel (identified by name and/or role) and organizational
elements.

AWS customers are responsible for protecting the IRP from
unauthorized disclosure and modification.

AWS customers are responsible for developing a contingency plan for
their system that: 1) Identifies essential missions and business
functions and associated contingency requirements, 2) Provides
recovery objectives, restoration priorities, and metrics, 3) Addresses
contingency roles, responsibilities, and assigned individuals with
contact information, 4) Addresses maintaining essential missions and
business functions despite an information system disruption,
compromise, or failure, 5) Addresses eventual, full information
system restoration without deterioration of the security safeguards
originally planned and implemented, and 6) Is reviewed and approved
by organization-defined personnel or roles in accordance with the
contingency planning policy.

AWS customers are responsible for distributing copies of the
contingency plan to organization-defined key contingency personnel
(identified by name and/or by role) and organizational elements.
Contingency planning activities must be coordinated with incident
handling activities. The contingency plan must be reviewed at a
frequency defined in the contingency planning policy and updated to
address changes to their organization, system, or environment of
operation and problems encountered during implementation,
execution, or testing.

AWS customers are responsible for communicating contingency plan
changes to organization-defined personnel and for protecting the
contingency plan from unauthorized disclosure and modification.
