AWS Compliance Programs

Scroll

The AWS Compliance Program helps customers to understand the robust controls in place at AWS to maintain security and compliance of the cloud. By tying together governance-focused, audit-friendly service features with applicable compliance or audit standards, AWS Compliance Enablers build on traditional programs, helping customers to establish and operate in an AWS security control environment.

IT standards we comply with are broken out by Certifications and Attestations; Laws, Regulations and Privacy; and Alignments and Frameworks. Compliance certifications and attestations are assessed by a third-party, independent auditor and result in a certification, audit report, or attestation of compliance. AWS customers remain responsible for complying with applicable compliance laws, regulations and privacy programs. Compliance alignments and frameworks include published security or compliance requirements for a specific purpose, such as a specific industry or function.

Global

CSA Logo

CSA

Cloud Security Alliance Controls

CyberGRX Logo

CyberGRX

Third Party Risk Management

CyberVadis Logo

CyberVadis

Third Party Risk Management

ISO 9001

Global Quality Standard

ISO 14001

Environmental management systems

ISO 20000

Service Management

ISO 22301

Security and Resilience

ISO 27001

Security Management Controls

ISO 27017

Cloud Specific Controls

ISO 27701

Privacy Information Management

ISO 27018

Personal Data Protection

ISO 50001

Energy Management

PCI DSS Level 1 Logo

PCI DSS Level 1

Payment Card Standards

AICPA SOC Logo

SOC 1

Audit Controls Report

AICPA SOC Logo

SOC 2

Security, Availability, & Confidentiality Report

AICPA SOC Logo

SOC 3

General Control Report

Americas

Canadian Flag

CCCS

Canadian Centre for Cyber Security (CCCS) Assessment

Detective Icon

CJIS

Criminal Justice Information Services

Eagle

CMMC

Cybersecurity Maturity Model Certification

Eagle

DFARS

Defense Federal Acquisition Regulation Supplement

Eagle

DoD SRG

Department of Defense Data Processing

FedRAMP Logo

FedRAMP

Government Data Standards

Department of Education Logo

FERPA

Educational Privacy Act

FIPS logo

FIPS

Government Security Standards

FISMA logo

FISMA

Federal Information Security Management

GxP logo

GxP

Quality Guidelines and Regulations

HIPAA logo

HIPAA

Protected Health Information

HITRUST logo

HITRUST CSF

Health Information Trust Alliance Common Security Framework

US Department of State logo

ITAR

International Traffic in Arms Regulations

MPAA logo

MPAA

Protected Media Content

NIST logo

NIST

National Institute of Standards and Technology

Canadian Flag

PIPEDA

Canada’s Federal Private Sector Privacy Legislation

SEC logo

SEC Rule 17a-4(f)

Recordkeeping Rules

VPAT logo

VPAT / Section 508

Accessibility Standards

Asia Pacific

FinTech logo

FinTech

Reference Architecture in Japan

Japanese flag

FISC

Center for Financial Industry Information Systems in Japan

IRAP logo

IRAP

Security Standards in Australia

Japanese flag

ISMAP

Government program to assess security of public cloud services in Japan

India flag

ISO 20000

Service Management

K-ISMS logo

K-ISMS

Information Security in Korea

Medical Information Guidelines logo

Medical Information Guidelines

Guidelines in Japan

Ministry of Electronics and Information Technology

MeitY

Ministry of Electronics and Information Technology

iDA Singapore logo

MTCS Tier 3

Multi-Tier Cloud Security Standard in Singapore

NISC logo

NISC

National Center of Incident Readiness and Strategy for Cybersecurity in Japan

Singapore flag

OSPAR

Outsourcing Guidelines in Singapore

Indonesia flag

SNI 27001

Standar Nasional Indonesia

Europe, Middle East & Africa

Dutch flag

BIO Thema-uitwerking Clouddiensten

The Baseline Informatiebeveiliging Overheid (BIO) Thema-uitwerking Clouddiensten in the Netherlands

C5 logo

C5

Operational Security Attestation in Germany

CISPE logo

Data Protection Code of Conduct

Cloud Infrastructure Services Providers in Europe (CISPE)

cpstic logo

CPSTIC

Spanish National Cryptologic Center (CCN) STIC Products and Services Catalogue (CPSTIC)

Cyber Essential Plus logo

Cyber Essentials Plus

Cyber Threat Protection in the UK

DESC logo

DESC CSP

Dubai Electronic Security Centre Cloud Service Provider Security Standard

ENS High logo

ENS High

Government Standards in Spain

Swiss Flag

FINMA ISAE 3000 Type 2 Report

Attestation for Swiss Financial Market Supervisory Authority Circulars

UK flag

G-Cloud

Government Standards in the UK

GNS logo

GNS

National Restricted certified by National Security Office Portugal

GSMA logo

GSMA

GSM Association

French flag

HDS

Personal Health Data Protection in France

IAT logo

IAR

United Arab Emirates Information Assurance Regulation

National Health Service (NHS) logo

NHS DSPT

National Health Service Data Security and Protection Toolkit

UK flag

PASF

Police-Assured Secure Facilities

PINAKES logo

Pinakes

Banking association CCI - Third Party Qualification

Finland flag

PiTuKri ISAE 3000 Type II Report

Criteria for Assessing the Information Security of Cloud Services

TiSAX logo

TiSAX

Automotive Industry Standard

Resources

 GDPR Center  Data Privacy FAQ  EU Data Protection

Certifications / Attestations:

Compliance certifications and attestations are assessed by a third-party, independent auditor and result in a certification, audit report, or attestation of compliance.

 BIO Thema-uitwerking Clouddiensten
 C5
 CMMC
 Cyber Essentials Plus
 DoD SRG
 ENS High
 FedRAMP
 FINMA
 FIPS
 GSMA
 HDS
 IRAP
 ISMAP
 ISO 9001
 ISO 27001
 ISO 27017
 ISO 27018
 K-ISMS
 MTCS Tier 3
 OSPAR
 PCI DSS Level 1
 SOC 1
 SOC 2
 SOC 3
 TISAX

Laws / Regulations:

AWS customers remain responsible for complying with applicable compliance laws and regulations. In some cases, AWS offers functionality (such as security features), enablers, and legal agreements (such as the AWS Data Processing Agreement and Business Associate Addendum) to support customer compliance.

No formal certification is available to (or distributable by) a cloud service provider within these law and regulatory domains.

 CLOUD Act
 HIPAA
 IRS 1075
 ITAR
 SEC Rule 17a-4(f)
 VPAT / Section 508

Alignments / Frameworks:

Compliance alignments and frameworks include published security or compliance requirements for a specific purpose, such as a specific industry or function. AWS provides functionality (such as security features) and enablers (including compliance playbooks, mapping documents, and whitepapers) for these types of programs.

Requirements under specific alignments and frameworks may not be subject to certification or attestation; however, some alignments and frameworks are covered by other compliance programs.

 CJIS
 CSA
 EU-U.S. Data Privacy Framework
 FinTech – Japan
 FISC
 FISMA
 G-Cloud
 GxP (FDA CFR 21 Part 11)
 HITRUST
 Medical Information Guidelines – Japan
 MPAA
 NISC – Japan
 NIST
 Uptime Institute Tiers

Privacy

At AWS, customer trust is our top priority. We deliver services to millions of active customers, including enterprises, educational institutions, and government agencies in over 190 countries. Our customers include financial services providers, healthcare providers, and governmental agencies, who trust us with some of their most sensitive information.

Americas

 Argentina Data Privacy  Brazil Data Privacy  California Consumer Privacy Act (CCPA)  Canada Data Privacy  FERPA

Asia Pacific

 Australia Data Privacy  Hong Kong Data Privacy  India Data Privacy  Indonesia Data Privacy  Japan Data Privacy  Korea Data Privacy  Malaysia Data Privacy  New Zealand Data Privacy  Philippines Data Privacy  Singapore Data Privacy  Taiwan Data Privacy  Thailand Data Privacy

Europe, Middle East & Africa

 Cloud Computing Compliance Controls Catalog (C5)  Cloud Infrastructure Services Providers in Europe (CISPE)  EU Data Protection  EU-U.S. Data Privacy Framework  General Data Protection Regulation (GDPR)  South Africa Data Privacy
Have Questions? Connect with an AWS Business Representative
Exploring compliance roles?
Apply today »
Want AWS Compliance updates?
Follow us on Twitter »