Find AWS-compliant frameworks and more helpful resources
70% of security team members are reporting that security has shifted left. This means more teams are integrating security measures earlier in the development cycle. Amazon Web Services (AWS) gives its customers a reliable baseline upon which they can build countless cloud-based products. And it’s done so for quite some time. Since its initial launch in 2002, AWS has steadily expanded its options for:
- Compute power
- Database storage
- So much more
It has become an essential backbone of the modern web.
Just as important is Amazon’s continued commitment to compliance in AWS. It helps developers work toward essential certifications and other independently audited recognitions in their respective industries. But simply building your platform on AWS’ control environment isn’t enough to assure compliance in all relevant areas.
Here is the approach AWS takes to sharing compliance responsibilities with its customers. You’ll also discover how you can find all the resources you need to build and maintain a compliant service on the platform.
Key Takeaways
- AWS compliance is a shared responsibility between AWS and the customer.
- AWS offers robust tools and frameworks to support compliance.
- Automation with DevOps resources like DuploCloud can fast-track compliance by reducing your team’s time and effort.
Jump to a section…
What Resources for Compliance in AWS Are Available?
AWS Compliance List of Services
Implement Compliance Frameworks in Weeks With DuploCloud
What Resources Are Available for AWS Compliance Best Practices?
The official compliance in AWS resources provided to developers by Amazon are distributed across two central repositories. First the main AWS Compliance page includes AWS compliance lists. It offers various types of accreditations broken down by location and industry. Second, AWS Artifact is an automated compliance reporting tool. This systems manager compiles AWS and independent software vendor (ISV) compliance reports in one self-service portal.
We'll break down these resources in greater detail. But first, it's important to understand AWS’ overall philosophy for collaborative compliance. This is fully presented in the AWS Shared Responsibility model. To sum up:
- AWS takes responsibility for AWS cloud security. This means it verifies and protects the infrastructure that runs the AWS service in the Cloud. These include AWS KMS, AWS WAF, AWS IAM, and more.
- AWS customers take responsibility for AWS security in the cloud. This means they follow AWS security best practices. In essence, they protect their customer data, platform, and operating system. They also monitor traffic that runs atop the cloud structure furnished by Amazon.
In other words, simply building a cloud service on AWS doesn’t mean you will inherit any built-in compliance controls for your service. Of course, you'll get the fundamental infrastructure that allows it to exist. However, the AWS security hub does offer an extensive library of third-party attestations and certifications.
This means customers may be relieved of certain validation work otherwise required to demonstrate compliance in their IT environment.
In short, you will be able to get a leg up on reaching compliance for your specific product. So you won't have to build all that infrastructure from scratch. As one example, businesses that wish to pursue SOC 2 compliance through a third-party AICPA auditor can access Amazon’s SOC 2 Report directly from AWS Artifact.
For further guidance as you navigate the SOC 2 process, regardless of your choice of cloud platform, you can download our free Complete SOC 2 Compliance Checklist.
Okay, the groundwork has been laid. Now, here are some more specific AWS compliance best practices resources offered by Amazon.
General Resources
For the strongest possible starting point for reaching SOC 2 compliance and beyond, start by reading the Amazon Web Services: Risk and Compliance whitepaper. You can read this document on your coffee break. It lays out AWS’ general approach to the concept of compliance in language that is approachable. This is true for a security group, a technical position, or for executive decision-makers. It's got all the AWS security best practices you could want.
To be clear, AWS does not dictate how services built on its infrastructure must operate to reach compliance. At the same time, it does advise its customers to follow the AWS Well-Architected Framework. This is built on the six pillars of:
- Operational Excellence
- Security
- Reliability
- Performance Efficiency
- Cost Optimization
- Sustainability
The Well-Architected Framework will help ensure your AWS organization is optimally positioned to capitalize on the groundwork Amazon has laid toward compliance.
AWS also features dedicated resources for businesses that wish to pursue Cloud Security Alliance Security Trust Assurance and Risk (CSA STAR) certification. This includes a completed CSA Consensus Assessments Initiative Questionnaire as part of AWS security best practice.
Country-Specific Resources
Compliance requirements vary depending on where you do business. The AWS environment hosts a range of resources to educate customers. You'll learn what AWS does to help you reach compliance. This includes AWS security tools for your AWS account. You'll also understand what you'll need to do next, based on your location and industry.
- Cloud businesses operating in the financial sector must take special care to follow the dictates of both their home nation and anywhere they may offer their services. AWS offers a filterable list of over 60 countries, complete with information on which governmental bodies regulate financial businesses and key data privacy and protection considerations for companies that use AWS.
- Healthcare businesses must hew to similarly strict compliance standards. AWS offers a country-by-country breakdown of global certifications and accreditations. These include such as HIPAA, HITRUST, and GDPR.
- SOC reports and ISO 27001 certification information are both available on the AWS site.
AWS Compliant Frameworks
Amazon currently offers a pair of ready-to-deploy solutions for those in search of AWS compliant frameworks for security and governance:
- Landing Zone Accelerator on AWS, which deploys a cloud foundation built to align with AWS best practices and multiple global compliance frameworks.It helps organizations rapidly establish a multi-account AWS environment. This environment meets stringent security and compliance requirements out of the box. That way, you reduce manual setup and risk.
- Verifiable Controls Evidence Store, which supports a mechanism to centrally store evidence issued by cloud security controls around AWS workloads. This centralized evidence repository simplifies audit preparation. It also simplifies continuous compliance tracking. It then becomes easier to demonstrate adherence to standards such as SOC 2, HIPAA, and ISO 27001.
These tools are ideal for businesses that want to minimize time-to-compliance. At the same time, they can maintain scalability and control over their infrastructure.
AWS Compliance List of Services
Amazon Web Services provides certifications and attestations assessed by third-party, independent auditors. You can find more information about each of its certifications, audit reports, and attestations of compliance on the AWS Compliance Programs page.
Meanwhile,you can learn about the generally available services AWS offers in the scope of its compliance programs. Simply consult Amazon’s list organized by governing bodies.
Implement Compliance Frameworks in Weeks With DuploCloud
Even with extensive documentation, building your cloud service on AWS means you’re responsible for ensuring your infrastructure’s compliant controls translate to a compliant product. This can mean redirecting substantial resources at a crucial time in your product’s development. One compelling answer to this dilemma is to use a DevOps automation platform.
DuploCloud seamlessly provisions your cloud-native infrastructure with compliance from the beginning. We implement pre-programmed knowledge of more than 500 cloud services. These automatically incorporate best practices around:
- Security
- Availability
- Compliance
So you can focus your development resources on creating a standout product. You’ll inherently be following almost all AWS compliance best practices just by working with us. If you’d like to see DuploCloud in action, sign up for a personalized one-on-one walkthrough today.
FAQs
What is the AWS Shared Responsibility Model, and why does it matter for compliance?
The AWS Shared Responsibility Model outlines who is responsible for what when it comes to cloud security and compliance. AWS is responsible for securing the infrastructure that runs all the services.
The customers are responsible for securing their data, applications, and configurations in the cloud. Understanding this model is critical. It clarifies where your team must take action to meet compliance standards like SOC 2, HIPAA, or ISO 27001.
How can AWS Artifact help with my compliance efforts?
AWS Artifact is a self-service portal that provides on-demand access to AWS’s compliance reports and security certifications. These include SOC 2 and ISO 27001. This tool simplifies the audit process. It does this by centralizing all documentation necessary to demonstrate compliance with various industry standards.
What are some AWS best practices for maintaining compliance in 2025?
Start by following the AWS Well-Architected Framework, which emphasizes six key pillars. These are Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, and Sustainability.
Additionally, use tools like AWS Security Hub and adopt services like the Landing Zone Accelerator. This can ensure you’re aligned with modern compliance frameworks.
How does DuploCloud simplify AWS compliance for early-stage teams?
DuploCloud automates the provisioning of cloud infrastructure with compliance built in from the start. DuploCloud offers over 500 cloud services pre-configured to follow best practices in security, availability, and compliance.
As such, we enable startups and growing teams to meet AWS compliance standards quickly. Sometimes it only takes weeks. And you won’t need to divert engineering resources from product development.
