Find AWS compliant frameworks and more helpful resources
Amazon Web Services (AWS) gives its customers a reliable baseline on which to build cloud-based products, and it has done so for some time. Since its initial launch in 2002 (and the release of S3 and EC2 in 2006), AWS has steadily expanded its compute, storage, database, and other offerings and become an essential backbone of the modern web.
Just as important is Amazon’s continued commitment to compliance in AWS, which helps developers work toward essential certifications and other independently audited recognitions in their respective industries. But simply building your platform on AWS’ control environment isn’t enough to assure compliance in all relevant areas. Here is the approach AWS takes to sharing compliance responsibilities with its customers and how you can find all the resources you need to build and maintain a compliant service on the platform.
What Resources Are Available for Compliance in AWS?
Amazon's official compliance resources for AWS builders are spread across two central repositories: the main AWS Compliance page, which lists the accreditations AWS holds, broken down by geography and industry; and AWS Artifact, a self-service portal in the AWS console for downloading AWS's own third-party audit reports (and those of some independent software vendors, or ISVs) and for reviewing and accepting compliance agreements such as the HIPAA Business Associate Addendum.
Before we break down these resources in greater detail, it’s important to understand AWS’ overall philosophy for collaborative compliance. This is fully presented in the AWS Shared Responsibility model, but in short:
- AWS takes responsibility for security of the cloud: it operates and protects the hardware, networks, and facilities that run every service offered in the AWS Cloud, and it has that infrastructure audited.
- AWS customers take responsibility for security in the cloud: they must protect their own data, applications, identity and access management, guest operating systems and network configuration, encryption, and the traffic that runs on top of the infrastructure Amazon furnishes.
In other words, building a service on AWS means you inherit AWS's audited controls for the underlying infrastructure and nothing for what you build on top of it. The value of AWS's extensive library of third-party attestations and certifications is that an auditor can rely on them for the infrastructure layer, relieving you of validation work you would otherwise have to do yourself; the controls in your own layer still have to be designed, operated, and evidenced by you. That is still a substantial leg up compared with certifying a data center of your own from scratch.
As one example, businesses pursuing their own SOC 2 report (issued by an independent CPA firm auditing against the AICPA Trust Services Criteria) can download Amazon's SOC 2 report directly from AWS Artifact and hand it to their auditor. That report covers AWS's controls only; the auditor will typically treat AWS as a subservice organization, and you must still evidence your own controls, including the complementary user entity controls (CUECs) that the AWS report lists as your responsibility.
For further guidance as you navigate the SOC 2 process, regardless of your choice of cloud platform, you can download our free Complete SOC 2 Compliance Checklist.
With that groundwork laid, here are some more specific compliance in AWS resources offered by Amazon.
General Resources
The strongest starting point for compliance in AWS is the Amazon Web Services: Risk and Compliance whitepaper. It is short enough to read in one sitting and lays out AWS's general approach to compliance in language that is accessible to both engineers and executive decision-makers.
Though AWS does not dictate how services built on its infrastructure must operate to reach compliance, it does advise its customers to follow the AWS Well-Architected Framework. Built on the six pillars of Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, and Sustainability, the Well-Architected Framework will help ensure your service is optimally positioned to capitalize on the groundwork Amazon has laid toward compliance.
AWS also offers dedicated resources for businesses pursuing Cloud Security Alliance Security, Trust, Assurance and Risk (CSA STAR) certification, including AWS's completed CSA Consensus Assessments Initiative Questionnaire (CAIQ).
Country-Specific Resources
Compliance requirements vary depending on where you do business. AWS hosts a range of resources to educate customers on what AWS does to help them reach compliance and what they’ll need to do next, based on their location and industry.
- Cloud businesses operating in the financial sector must take special care to follow the dictates of both their home nation and anywhere they may offer their services. AWS offers a filterable list of over 60 countries, complete with information on which governmental bodies regulate financial businesses and key data privacy and protection considerations for companies that use AWS.
- Healthcare businesses must meet similarly strict requirements, and AWS offers a country-by-country breakdown of the regulations and frameworks that apply to them, such as HIPAA, HITRUST, and GDPR, along with what AWS provides for each.
- SOC reports and ISO 27001 certification information are both available on the AWS site.
AWS Compliant Frameworks
Amazon currently offers a pair of ready-to-deploy solutions for those in search of AWS compliant frameworks for security and governance:
- Landing Zone Accelerator on AWS, which deploys a cloud foundation built to align with AWS best practices and multiple global compliance frameworks.
- Verifiable Controls Evidence Store, which centrally stores the evidence emitted by cloud security controls around AWS workloads so that it can be queried and presented to auditors.
AWS Compliance List of Services
Amazon Web Services holds certifications and attestations assessed by independent third-party auditors. You can find details of each certification, audit report, and attestation of compliance on the AWS Compliance Programs page. To see which generally available services are in scope for a given program (not every service is covered by every audit), consult Amazon's AWS Services in Scope by Compliance Program list, organized by governing body.
Implement Compliance Frameworks in Weeks With DuploCloud
Even with extensive documentation, building your cloud service on AWS means you’re responsible for ensuring your infrastructure’s compliant controls translate to a compliant product. This can mean redirecting substantial resources at a crucial time in your product’s development. One compelling answer to this dilemma is to use a DevOps automation platform.
DuploCloud seamlessly provisions your cloud-native infrastructure with compliance from the beginning. We implement pre-programmed knowledge of more than 500 cloud services to automatically incorporate best practices around security, availability, and compliance, so you can focus your development resources on creating a standout product. If you’d like to see DuploCloud in action, sign up for a personalized one-on-one walkthrough today.