Q
Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

How do AWS compliance certifications stack up?

We're a global company that needs to be sure our cloud-based workloads meet a variety of compliance standards. What certifications do AWS and other public cloud providers meet?

Amazon Web Services maintains a wide selection of compliance and security options that address both domestic and...

global regulations. There are several different ways in which AWS adheres to compliance, though the cloud provider may not hold a certification for every regulation or standard.

Some compliance certifications are confirmed through instruments such as letters of compliance. These are the results of independent inspections confirming AWS has successfully met the requirement objectives of certain regulations. For example, AWS reports a letter of compliance for the Australian Government's Information Security Manual, a letter of certification for Australian Signals Directorate controls and an independent audit of Service Organization Controls 3 adherence. The Multi-Tier Cloud Security Standard Level-3 Certification meets Singapore Standard 584:2013. AWS, in particular, is certified to several international standards including ISO 9001 for quality management, ISO 27001 targeting information security and ISO 27018 for cloud privacy.

In addition to these certifications, AWS also provides different "assurance programs," which are intended to validate the business compared to established domestic and global compliance standards, though don't convey the actual certification. For example, AWS manages a PCI DSS assurance program, but this only validates that the services are PCI-compliant; it's up to the actual merchant to obtain PCI certification. However, AWS does provide services that are consistent with the merchant's processing and data storage regulatory requirements. Similarly, AWS manages a Health Insurance Portability and Accountability Act (HIPAA) assurance program for healthcare organizations, but AWS is not HIPAA-certified.

There are other examples where AWS meets compliance requirements without holding a direct certification. AWS is a FedRAMP-compliant cloud service provider with authorization from the U.S. Department of Health and Human Services.

The public cloud provider also complies with Criminal Justice Information Services security policy requirements and with NIST 800-171 guidelines for the protection of controlled unclassified information on nonfederal systems. And it complies with the Family Educational Rights and Privacy Act of 1974 and may support use by educational agencies and institutions.

AWS also meets the requirements of the following organizations and associations, among others:

  • E.U. Directive 95/46/EC
  • Department of Defense (DoD) provisional authorizations at level 2 and level 4
  • G-Cloud in the U.K., Service Organization Control (SOC) 1 and 2
  • International Traffic in Arms Regulations
  • Federal Information Processing Standard (FIPS)
  • DoD Information Assurance Certification and Accreditation Process (DIACAP)
  • Food and Drug Administration (FDA)
  • Motion Picture Association of America
  • Cloud Security Alliance (CSA)

It's worth reviewing the complete list of current AWS certifications and assurance programs periodically to check for changes or additions. AWS also communicates with its customers to determine their needs in an attempt to implement those compliance suggestions.

Where AWS, Azure and Google stand on compliance
AWS is not the only public cloud provider to address enterprise compliance concerns. While AWS lists 25 separate certification and assurance programs, Microsoft Azure lists 27 certifications and programs.

Azure meets many of the same compliance standards as AWS does, including ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2. Additionally, Azure undergoes third-party audits to verify strict security controls remain in place, and Microsoft offers those audit results to its cloud customers.

Microsoft also claims to be the first cloud provider to adopt the uniform international code of practice for cloud privacy, ISO/IEC 27018. Like AWS, Azure also holds compliance certifications with the EU, FIPS, DIACAP, FDA and CSA.

Google appears to take a more modest approach, listing independent audits for just six certification or compliance programs. But don't focus on numbers. The number of supported compliance programs will inevitably change over time.

Ultimately, the total number of compliance programs that a cloud provider sponsors isn't important. What really matters is that the provider meets the requirements of standards and compliance certifications that your business needs. Before evaluating or engaging a public cloud provider, determine the regulations that affect your business or industry, and then use those criteria to help narrow the provider search.

Next Steps

Knowledge powers developers in building compliant apps

AWS security and compliance trusted by enterprises

Startups should mitigate compliance and security risks

This was last published in November 2015

Dig Deeper on AWS security

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Which compliance certifications are most important to you?
Cancel

-ADS BY GOOGLE

SearchCloudApplications

TheServerSide.com

SearchSoftwareQuality

SearchCloudComputing

Close