SEBI Control Mapping

Uploaded by mahadevk042

Columns: Page #/Section | SEBI Requirement | Requirement Mapping | Responsible | Control Mapping | Remarks

Executive Summary
Page 9
SEBI Requirement: The RE may opt for any model of deployment on the basis of its business needs and technology risk assessment. However, compliance should be ensured with this cloud framework as well as other rules/laws/regulations/circulars made by SEBI/Government of India/respective state government.
Requirement Mapping: Process
Responsible: RE


Page 9
SEBI Requirement: It is to be noted that although the IT services/functionality may be outsourced (to a CSP), the RE is solely accountable for all aspects related to the cloud services adopted by it, including but not limited to availability of cloud applications, confidentiality, integrity and security of its data and logs, and ensuring compliance with rules, regulations, circulars, etc. issued by SEBI/Government of India/respective state government. Accordingly, the RE shall be responsible and accountable for any violation of the same.
Requirement Mapping: Process
Responsible: RE

Page 10
SEBI Requirement: The cloud services shall be taken only from Ministry of Electronics and Information Technology (MeitY) empanelled CSPs, and the data center should hold a valid STQC (or any other equivalent agency appointed by Government of India) audit status. For selection of CSPs offering PaaS and SaaS services in India, the RE shall choose only such CSPs which: 1. Utilize the underlying infrastructure of MeitY empanelled CSPs for providing services to the RE. 2. Host the application/platform/services provided to the RE, as well as store/process data of the RE, only within the data centers empanelled by MeitY and holding a valid STQC (or any other equivalent agency appointed by Government of India) audit status.
Requirement Mapping: Compliance
Responsible: RE (CSP to ensure MeitY empanelment)
Control Mapping: AWS India has two regions. Mumbai is empanelled with MeitY; Hyderabad, being a new region, is currently under process for MeitY empanelment. Certification for the same will be provided.
Remarks: https://aws.amazon.com/blogs/publicsector/aws-achieves-full-empanelment-for-the-delivery-of-cloud-services-by-indias-ministry-of-electronics-and-information-technology/

Page 10
SEBI Requirement: In a multi-tenant cloud architecture, adequate controls shall be provisioned to ensure that data (in motion, at rest and in use) shall be isolated and inaccessible to any other tenant. The RE shall assess and ensure that the multi-tenancy segregation controls are placed by the CSP, and shall place additional security controls if required.
Requirement Mapping: Technical
Responsible: CSP to ensure isolation; RE to validate and provision their desired controls
Control Mapping: Customer environments are logically segregated to prevent users and customers from accessing resources not assigned to them. Customers maintain full control over who has access. Different instances running on the same physical machine are isolated from each other via the hypervisor. In addition, the Amazon EC2 firewall resides within the hypervisor layer, between the physical network ... Customer instances have no access to physical disk devices, but instead are presented with virtualized disks. The AWS proprietary disk virtualization layer automatically erases every block of ...
Remarks: https://d1.awsstatic.com/whitepapers/compliance/AWS_Logical_Separation_Handbook.pdf

Page 10
SEBI Requirement: Data shall be encrypted at all lifecycle stages (at rest, in motion and in use), source or location, to ensure the confidentiality, privacy and integrity.
Requirement Mapping: Technical
Responsible: RE
Control Mapping: AWS offers services and mechanisms for data encryption. RE as per their use ...
Remarks: https://docs.aws.amazon.com/whitepapers/latest/introduction-aws-security/data-

Page 10
SEBI Requirement: RE shall retain complete ownership of all its data, encryption keys, logs etc. residing in cloud.
Requirement Mapping: Technical
Responsible: RE
Control Mapping: Data ownership and processing controls
Remarks:
https://aws.amazon.com/blogs/security/addressing-data-residency-with-aws
https://aws.amazon.com/compliance/data-
https://aws.amazon.com/blogs/security/tag/byok/

Page 10
SEBI Requirement: Compliance with legal and regulatory requirements, including the requirements provided in this framework, has to be ensured by the RE at all times.
Requirement Mapping: Process
Responsible: RE

Page 10
SEBI Requirement: The cloud deployments of the RE shall be monitored through a Security Operations Centre (SOC) [in-house, third-party SOC or a managed SOC].
Requirement Mapping: Technical
Responsible: RE
Control Mapping: AWS provides mechanisms to build and operate a SOC; there are also ...

Page 10
SEBI Requirement: The agreement between the RE and CSP shall cover security controls, legal and regulatory compliances, clear demarcation of roles and liabilities, appropriate services and performance standards, etc.
Requirement Mapping: Compliance
Responsible: RE & CSP
Control Mapping: AWS Customer Agreement and Shared Responsibility Model; details are covered in the customer agreement as ...
Remarks:
https://aws.amazon.com/agreement/
https://aws.amazon.com/compliance/shared-

Page 10
SEBI Requirement: The reporting of compliance (with this framework) shall be done by the REs in their systems audit, cybersecurity audit and VAPT reports, and it shall be done in the standardized format notified by SEBI from time to time.
Requirement Mapping: Process
Responsible: RE
Control Mapping: AWS provides mechanisms to meet compliance for security OF the cloud as well as IN the cloud.
Remarks: https://aws.amazon.com/compliance/

Principle 2: Selection of Cloud Service Providers
Page 21
SEBI Requirement: The storage/processing of data (DC, DR, near DR etc.), including logs and any other data pertaining to the RE in any form in cloud, should be done within the MeitY empanelled data centers holding a valid STQC (or any other equivalent agency appointed by Government of India) audit status.
Requirement Mapping: Compliance
Responsible: RE
Control Mapping: AWS India has two regions. Mumbai is empanelled with MeitY; Hyderabad, being a new region, is currently under process for MeitY empanelment.
Remarks: https://aws.amazon.com/blogs/publicsector/aws-achieves-full-empanelment-for-the-delivery-of-cloud-services-by-indias-ministry-of-electronics-and-information-technology/

Page 21
SEBI Requirement: For selection of CSPs offering PaaS and SaaS services in India, the RE shall choose only those CSPs which:
1. Utilize the underlying infrastructure/platform of only MeitY empanelled CSPs for providing services to the RE.
2. Host the application/platform/services (DC, DR, near DR, etc.) provided to the RE, as well as store/process data of the RE, only within the data centers empanelled by MeitY and holding a valid STQC (or any other equivalent agency appointed by Government of India) audit status.
3. Have a back-to-back, clear and enforceable agreement with their partners/vendors/sub-contractors (including those that provide the underlying infrastructure/platform) for ensuring their compliance with respect to the requirements provided in this framework, including those in Principles 6 (Security Controls), 7 (Contractual and Regulatory Obligations) and 8 (BCP, Disaster Recovery & Cyber Resilience).
Requirement Mapping: Compliance
Responsible: RE
Control Mapping: AWS India has two regions. Mumbai is empanelled with MeitY; Hyderabad, being a new region, is currently under process for MeitY empanelment.
Remarks:
https://aws.amazon.com/blogs/publicsector/aws-achieves-full-empanelment-for-the-delivery-of-cloud-services-by-indias-ministry-of-electronics-and-information-technology/
https://www.meity.gov.in/content/gi-cloud-meghraj

Page 21
SEBI Requirement: The RE shall ensure that storage/processing/transfer of its data should be done according to the requirements provided in this framework as well as any other regulations/circulars/guidelines issued by SEBI and any other Government authorities.
Requirement Mapping: Compliance/Process
Responsible: RE
Control Mapping: Data ownership and related decisions are under the RE's control: storage, processing and lifecycle management, ...
Remarks:
https://aws.amazon.com/blogs/security/addressing-data-residency-with-aws
https://aws.amazon.com/compliance/data-
https://aws.amazon.com/blogs/security/tag/byok/

Principle 3: Data
Page 22
SEBI Requirement: Data Ownership: The RE shall retain the complete ownership of all its data and logs, encryption keys, etc. residing in cloud. The CSP shall be working only in a fiduciary capacity. Therefore, the RE, SEBI and any other Government authority authorized under law shall always have the right to access any or all of the data at any or all points of time.
Requirement Mapping: Compliance/Process
Responsible: RE
Control Mapping: Data ownership and related decisions are under the RE's control: storage, processing and lifecycle management, encryption.
Remarks:
https://aws.amazon.com/blogs/security/addressing-data-residency-with-aws
https://aws.amazon.com/compliance/data-
https://aws.amazon.com/blogs/security/tag/byok/

Page 22
SEBI Requirement: Visibility: Whenever required (by RE/SEBI), the CSP shall provide visibility to the RE as well as SEBI of its infrastructure and processes, and its compliance to applicable policies and regulations issued by SEBI/Government of India/respective state government.
Requirement Mapping: Compliance
Responsible: CSP
Control Mapping: AWS supports more security standards and compliance certifications than any other offering, including PCI-DSS, HIPAA/HITECH, ...
Remarks: https://aws.amazon.com/compliance/

Page 22
SEBI Requirement: Data Localization: In order to ensure that RE and ... search and seizure are not affected by adoption of cloud services, the storage/processing of data (DC, DR, near DR etc.), including logs and any other data/information pertaining to the RE in any form in cloud, shall be done as per the following conditions:
1. The data should reside/be processed within the legal boundaries of India.
2. However, for the investors whose country of incorporation is outside India, the REs shall keep the original data/transactions/logs available and easily accessible in legible and usable form within the legal boundaries of India.
The RE shall ensure that the above-mentioned requirements are fulfilled at all times during adoption/usage of cloud services.
Requirement Mapping: Compliance
Responsible: RE & CSP
Control Mapping: Data ownership and related decisions are ...
Remarks:
https://aws.amazon.com/blogs/security/addressing-data-residency-with-aws
https://aws.amazon.com/compliance/data-
https://aws.amazon.com/blogs/security/tag/byok/

Page 22
SEBI Requirement: It is to be noted that the REs are ultimately responsible and accountable for security of their data (including logs)/applications/services hosted in cloud, as well as for ensuring compliance with laws, rules, regulations, etc. issued by SEBI/Government of India/respective state government. Accordingly, the RE shall put in place an effective mechanism to continuously monitor the CSP and comply with the various regulatory, legal and technical requirements notified by SEBI or any other Government authority from time to time.
Requirement Mapping: Process & Compliance
Responsible: RE
Control Mapping: RE to set up centralized logging and set up permissions such that logs cannot be tampered with or deleted. AWS provides mechanisms to set up the desired security architecture.
Remarks: https://aws.amazon.com/compliance/

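The page 22 row above says logs must be centralized with permissions that stop them being tampered with or deleted. Permissions alone do not let an auditor prove afterwards that nothing was altered; a hash chain over the records does, which is the same principle CloudTrail log file validation uses (each digest file references the previous one). The following is an added example written for this page, not code from SEBI, AWS or the document's author: a minimal hash-chained log store with a verifier that reports the first record whose chain is broken. The event records are constructed sample data and the function names are this example's own.

```python
"""Hash-chained log records with a verifier (added example, stdlib only)."""
import copy
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS = "0" * 64  # stands in for "no previous record" at the head of the chain


def _digest(prev_hash: str, seq: int, event: Dict[str, Any]) -> str:
    """Hash the record body in canonical JSON so key order cannot change the hash."""
    body = json.dumps({"prev": prev_hash, "seq": seq, "event": event},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append(chain: List[Dict[str, Any]], event: Dict[str, Any]) -> Dict[str, Any]:
    """Append an event; its hash commits to every record that came before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    rec = {"seq": seq, "prev": prev, "event": event, "hash": _digest(prev, seq, event)}
    chain.append(rec)
    return rec


def verify(chain: List[Dict[str, Any]],
           expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, first_bad_seq).

    Detects edited, deleted and reordered records. Deleting records at the
    tail is only detectable when the latest hash was published somewhere the
    attacker cannot reach (expected_head), e.g. a separate logging account.
    """
    prev = GENESIS
    for expected_seq, rec in enumerate(chain):
        if rec.get("seq") != expected_seq or rec.get("prev") != prev:
            return False, expected_seq
        if _digest(prev, expected_seq, rec["event"]) != rec.get("hash"):
            return False, expected_seq
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None


def build_sample_chain() -> List[Dict[str, Any]]:
    """Constructed sample events; not real CloudTrail or application output."""
    events = [
        {"time": "2024-01-10T09:00:00Z", "user": "ops-admin", "action": "ConsoleLogin", "mfa": True},
        {"time": "2024-01-10T09:05:12Z", "user": "ops-admin", "action": "iam:AttachRolePolicy"},
        {"time": "2024-01-10T09:06:40Z", "user": "svc-batch", "action": "s3:GetObject"},
    ]
    chain: List[Dict[str, Any]] = []
    for event in events:
        append(chain, event)
    return chain


def with_edited_record(chain: List[Dict[str, Any]], seq: int, **changes: Any) -> List[Dict[str, Any]]:
    """Simulate an insider rewriting a stored record (without re-hashing)."""
    tampered = copy.deepcopy(chain)
    tampered[seq]["event"].update(changes)
    return tampered


def with_deleted_record(chain: List[Dict[str, Any]], seq: int) -> List[Dict[str, Any]]:
    """Simulate an insider deleting one stored record."""
    tampered = copy.deepcopy(chain)
    del tampered[seq]
    return tampered


if __name__ == "__main__":
    chain = build_sample_chain()
    head = chain[-1]["hash"]
    print("intact:", verify(chain, head))
    print("edited record 1:", verify(with_edited_record(chain, 1, action="s3:ListBucket"), head))
    print("deleted record 1:", verify(with_deleted_record(chain, 1), head))
    print("tail truncated:", verify(chain[:-1], head))
```

The tail-truncation case is the one to notice: without an out-of-band copy of the latest hash, a chain with its last records removed still verifies. That is why the log destination belongs in a separate, tightly scoped account with deletion denied, and why CloudTrail's log file validation should be switched on rather than relying on bucket permissions alone.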
Security OF the Cloud

Page 27
SEBI Requirement: Vulnerability Management and Patch Management:
1. RE shall ensure that the CSP has a vulnerability management process in place to mitigate vulnerabilities in all components of the services that the CSP is responsible for (i.e. managed by the CSP). The RE shall assess and ensure that the patch management of the CSP adequately covers the components for which the CSP is responsible (i.e. components managed by the CSP). The patch management framework shall include the timely patching of all components coming under the purview of the CSP.
2. The RE shall also ensure that the CSP conducts Vulnerability Assessment and Penetration Testing (VAPT) for the components managed by the CSP and fixes the issues/vulnerabilities within the prescribed timelines (as agreed upon by CSP and RE).
3. The RE shall also ensure that the vulnerability management, patch management and VAPT processes are conducted by the CSP in line with the requirements (for example scope, classification of vulnerabilities, duration for closure, etc.) provided in applicable circulars/guidelines issued by SEBI.
Requirement Mapping: Compliance
Responsible: RE & CSP
Control Mapping: AWS Security performs regular vulnerability scans on the host operating systems, web applications, and databases in the AWS environment using a variety of tools (Control AWSCA-3.4). AWS Security ...
Remarks:
Details available under SOC 2 Report (Page 36)
https://aws.amazon.com/security/vulnerability-reporting/

Page 28
SEBI Requirement: Monitoring: RE shall ensure that the CSP has adequate security monitoring solutions in place. The monitoring solutions of the CSP shall be responsible for the following:
1. Monitoring shall cover all components of the cloud. Additionally, the CSP shall continuously monitor the alerts generated and take appropriate actions as per the defined timelines.
2. The RE shall ensure that any event(s) which may have an impact (financial, reputational, operational, etc.) on the RE shall be intimated to the RE by the CSP in a timely manner. The reporting should be done in line with the guidelines/regulations/circulars issued by SEBI/Government of India and (wherever applicable) as per the contractual agreement signed between the CSP and RE.
Requirement Mapping: Compliance
Responsible: RE & CSP
Control Mapping: AWS utilizes a wide variety of automated monitoring systems to provide a high level of service performance and availability. AWS defines a Security Incident as a security-related adverse event in which there was a loss of data confidentiality, disruption of data or systems integrity, or ...
Remarks:
SOC 2 Reports (Page 80)
https://aws.amazon.com/artifact/

Page 28
SEBI Requirement: Incident Management: The RE shall ensure that the CSP has incident management processes in place to detect, respond and recover from any incident at the earliest. The processes should aim to minimize the impact to the RE.
Requirement Mapping: Compliance
Responsible: CSP
Control Mapping: AWS has implemented a formal, documented incident response policy and program. The policy addresses purpose, scope, roles, responsibilities, and management commitment. AWS utilizes a wide variety of automated monitoring systems to provide a high level of service performance and availability. AWS defines a ...
Remarks:
Detailed process covered in SOC 2 Common Criteria, SOC 1 & 2 Controls
https://aws.amazon.com/artifact/
https://health.aws.amazon.com/health/sta

Page 28
SEBI Requirement: Key Management: Wherever key management is being done by the CSP for platform-level encryption (for example, full disk encryption or VM-level encryption), the RE shall assess and ensure that the entire key lifecycle management is being done by the CSP in a secure manner.
Requirement Mapping: Compliance
Responsible: CSP
Control Mapping: AWS is committed to protecting its ... data and maintaining compliance with applicable regulatory requirements. This is demonstrated by the consolidated annual operational plan that includes regulatory and compliance ...
Remarks:
https://aws.amazon.com/artifact/
SOC Report

Page 28 & 29
SEBI Requirement: Secure User Management: Wherever the user management is done by the CSP, the RE shall ensure that role-based access and rule-based access are strictly followed by the CSP for its users/resources, and it shall be based on the principle of least privilege. The following shall also be ensured:
1. Administrators and privileged users shall be given only minimal administrative capabilities, for a pre-defined time period, and in response to specific issues/needs.
2. With respect to administrative privileges/users, the following shall also be followed:
a. All administrative privileges/users shall be tracked via a ticket/request by the CSP, and the same shall be provided to the RE on request. Further, the RE shall also track any additional privilege granted to any user by the CSP.
b. Access to systems or interfaces that could provide ... granted only if the RE has given explicit time-limited permission for that access.
3. Multi Factor Authentication shall be used for administrator/privileged accounts.
4. The necessary auditing and monitoring of the above shall be done by the CSP and any anomalies shall be reported to the RE.
Requirement Mapping: Compliance/Process
Responsible: RE & CSP
Control Mapping: While AWS follows secure user management practice, the CSP does not have users created in the RE's environment. User access privileges are restricted based on business need and job responsibilities. AWS employs the concept of least privilege, allowing only the necessary access for users to accomplish ...
Remarks: Refer to the following AWS Artifacts for additional details: MTCS, HKMA TM-G-1, PCI 3.2, ISO 27001, ISO 27017, HIPAA, IRAP, NIST 800-53 (FedRAMP ...

Page 29
SEBI Requirement: Multi-Tenancy: In a multi-tenant cloud architecture, the RE shall ensure that the CSP has taken adequate controls to ensure that data (in transit, at rest and in use) shall be isolated and inaccessible to any other tenants. The RE shall appropriately assess and ensure the multi-tenancy segregation controls placed by the CSP and place additional security controls if required. Any access by other tenants/unauthorized access to the RE's data shall be considered as an incident/breach, and the CSP shall ensure that the incident/breach is notified to the RE (as per the norms/guidelines/circulars issued by SEBI/Government of India and (wherever applicable) as per the contractual agreement signed between the CSP and RE), and adequate ...
Requirement Mapping: Compliance/Process
Responsible: RE & CSP
Control Mapping: Security within Amazon EC2 is provided on multiple levels: the operating system (OS) of the host layer, the virtual instance OS or guest OS, a firewall, and signed API calls. Each of these items builds on the capabilities of the others. This helps prevent data contained within Amazon EC2 from being intercepted by unauthorized systems or users and to provide ... AWS prevents customers from accessing physical hosts or instances ... Amazon EC2 provides a complete firewall solution, referred to as a Security Group; this ... Amazon Virtual ... The objective of this architecture is to isolate AWS resources and data in one Amazon VPC from another Amazon VPC, and to help ...
Remarks:
SOC 2 Reports (Page 47, 69)
https://aws.amazon.com/artifact/

Page 30
SEBI Requirement: Safe Disposal: The RE shall ensure that the agreement with the CSP contains clause(s) for safe deletion/... The clause should cover various scenarios like business requirement of the RE, exit strategy, etc.
Requirement Mapping: Compliance/Process
Responsible: RE & CSP
Control Mapping: Management of Media ... When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent unauthorized access to assets. AWS uses ...
Remarks:
SOC 2 Reports (Page 74)
https://aws.amazon.com/artifact/

Page 30
SEBI Requirement: For further assurance, the RE may assess the availability of global compliance standards like SOC 2 reporting for the CSP.
Requirement Mapping: Compliance/Process
Responsible: RE & CSP
Control Mapping: AWS publishes SOC reports for REs' consumption.
Remarks:
SOC 2 Reports
https://aws.amazon.com/artifact/

Page 30
SEBI Requirement: RE shall ensure that the CSP has adequate controls (for example anti-virus, encryption of data, micro-segmentation, etc.) in place to safeguard cloud infrastructure as well as to ensure the privacy, confidentiality, availability, processing integrity and ... from data creation/transfer/etc. in the cloud till final expunging of data.
Requirement Mapping: Compliance/Process
Responsible: RE & CSP
Control Mapping: https://aws.amazon.com/compliance/data-center/controls/
Remarks:
SOC 2 Reports (Page 76 & 77)
https://aws.amazon.com/artifact/

Security IN the Cloud
Page 31
SEBI Requirement: Vulnerability Management and Patch Management: The RE shall have a well-defined Vulnerability Management policy in place and should strictly adhere to the same. The policy should also address the vulnerability management aspects of the infrastructure/services/etc. managed by the RE in the cloud. The components managed by the RE shall be up to date in terms of patches/OS/version etc. The patch management policy shall also mandate timely patch application.
Requirement Mapping: Technical
Responsible: RE
Control Mapping: AWS provides mechanisms for vulnerability scanning and patch management, or the RE can bring in tools of their choice.
Remarks: Amazon Inspector, AWS Systems Manager

Page 31
SEBI Requirement: Vulnerability Assessment and Penetration Testing (VAPT): The VAPT activity undertaken by the RE should cover the infrastructure and applications/services hosted by the RE on cloud. The VAPT tactics, tools and procedures should be fine-tuned to test and assess cloud-native risks and vulnerabilities. VAPT should also be conducted before commissioning of any new system. Additionally, the VAPT activity shall be conducted as per the requirements (including scope, classification, duration for closure of vulnerabilities, etc.) provided in applicable circulars/regulations issued by SEBI.
Requirement Mapping: Technical
Responsible: RE
Control Mapping: RE can bring in their own penetration ...
Remarks: https://aws.amazon.com/security/penetra

Page 31
SEBI Requirement: Incident Management and SOC Integration:
1. The RE shall have incident management policy, procedures and processes in place. The RE shall adhere to the same for deployments being done in cloud.
2. The SOC solution (in-house, third-party SOC or a managed SOC) of the RE shall be integrated with the services/application/infrastructure deployed by the RE in cloud. The continuous monitoring shall be done in an integrated manner, and the services/application/infrastructure deployed in cloud should be treated as an extension of the on-premise network. The SOC shall have complete visibility of the information systems of the RE deployed on cloud and should be capable of taking SOAR actions across the information systems owned by the RE. Additionally, only logs and metadata should be shipped to a shared SOC. REs shall ensure that PII/sensitive data is not shipped to the SOC.
Requirement Mapping: Technical & Process
Responsible: RE
Control Mapping: AWS provides services and mechanisms to ...
Remarks: AWS Security Incident Response ...
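Item 2 above requires that only logs and metadata reach a shared SOC and that PII/sensitive data is not shipped. The log-forwarding boundary is where that gets enforced. The block below is an added example, not from the framework, AWS or the page's author: it pseudonymises common Indian identifiers (PAN, Aadhaar, mobile numbers), e-mail addresses and card numbers with a keyed HMAC before forwarding, so the SOC can still correlate events belonging to the same identity without learning who it is, and it refuses to ship any line that still matches. The regular expressions, the key and the sample log lines are all constructed for the example.

```python
"""Redact PII from log lines before they leave for a shared SOC (added example)."""
import hashlib
import hmac
import re
from typing import Dict, Iterable, List

# Pseudonymisation key: a placeholder for this example. In a real deployment it is
# held by the RE (KMS/HSM) and never shared with the SOC, so the SOC can correlate
# events by token but cannot reverse them.
PSEUDONYM_KEY = b"example-only-key-do-not-use"

# Order matters: the 16-digit card pattern runs before the 12-digit Aadhaar pattern
# and the 10-digit mobile pattern, so a card number is never partially matched.
PATTERNS: Dict[str, re.Pattern] = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "PAN": re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b"),                 # Indian PAN, e.g. ABCDE1234F
    "CARD": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),               # 16-digit card numbers
    "AADHAAR": re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}\b"),         # 12-digit Aadhaar numbers
    "MOBILE": re.compile(r"(?<!\d)(?:\+91[ -]?)?[6-9]\d{9}(?!\d)"),  # Indian mobile numbers
}


def pseudonym(kind: str, value: str) -> str:
    """Keyed, truncated HMAC: same input gives the same token, but the SOC cannot reverse it.
    Eight hex characters can never themselves match any of the patterns above."""
    tag = hmac.new(PSEUDONYM_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()[:8]
    return f"<{kind}:{tag}>"


def scrub_line(line: str) -> str:
    """Replace every PII match with its pseudonym; timestamps, IPs, actions stay intact."""
    for kind, pattern in PATTERNS.items():
        line = pattern.sub(lambda m, k=kind: pseudonym(k, m.group(0)), line)
    return line


def contains_pii(line: str) -> bool:
    """Gate on the shipping path: anything that still matches must not be forwarded."""
    return any(p.search(line) for p in PATTERNS.values())


def ship_to_soc(lines: Iterable[str]) -> List[str]:
    """Scrub, then re-check; a line that still contains PII is dropped rather than shipped."""
    shipped: List[str] = []
    for line in lines:
        clean = scrub_line(line)
        if not contains_pii(clean):
            shipped.append(clean)
    return shipped


# Constructed sample application log lines (not real data, not any real system's format).
SAMPLE_LOGS = [
    "2024-03-04T10:15:02Z src=203.0.113.7 user=ravi.kumar@example.in action=Login result=OK",
    "2024-03-04T10:15:09Z src=203.0.113.7 action=UpdateKYC pan=ABCDE1234F aadhaar=2345 6789 0123 mobile=+91 9876543210",
    "2024-03-04T10:16:40Z src=198.51.100.9 user=ravi.kumar@example.in action=AddPayment card=4111 1111 1111 1111 result=DENIED",
]

if __name__ == "__main__":
    for line in ship_to_soc(SAMPLE_LOGS):
        print(line)
```

The patterns match formats, not validity (no Verhoeff check for Aadhaar, no Luhn check for cards), so they err toward over-redaction, which is the right direction at this boundary. The identity of a pseudonym is only as strong as the key: it stays on the RE side, gets rotated, and is never configured into the SOC tooling.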
Page 32
SEBI Requirement: Continuous Monitoring: Continuous monitoring shall be done by the RE to review the technical, legal and regulatory compliance of the CSP and take corrective measures/ensure the CSP takes corrective measures wherever necessary.
Requirement Mapping: Technical
Responsible: RE
Control Mapping: AWS provides mechanisms to continuously monitor the RE's environment.
Remarks: Amazon CloudWatch, AWS Control Tower, AWS Security ...

Page 32
SEBI Requirement: Secure User Management: The RE shall ensure that the following Identity, Authentication and Authorization practices are followed (by the CSP as well as by the RE):
1. The principle of least privilege shall be adopted for granting access to any resources for normal and admin/privileged accounts.
2. The identity and access management solution should give a complete view of the access permissions applicable to all resources. The access permissions shall be reviewed regularly in order to remove any unwanted access.
3. The access logs should be retained and reviewed frequently for any anomalous events.
4. Time-bound access permissions shall be adopted wherever feasible.
5. Multi-factor authentication shall be adopted for admin accounts.
Requirement Mapping: Technical
Responsible: RE
Control Mapping: AWS provides mechanisms for granular access control, least ...
Remarks: AWS Identity & Access Management

Page 33
SEBI Requirement: Management interface:
1. This is the interface provided to the RE by the CSP to manage the infrastructure on cloud. This interface is also used to manage the account of the RE assigned by the CSP.
2. To mitigate the risks, the interface shall have Two Factor Authentication (2FA)/Multi Factor Authentication (MFA). For additional security, measures such as dedicated leased lines may be explored. The access logs and access list to the interface should be strictly monitored (by RE and CSP). The traffic to and from the interface shall be regulated through firewall, intrusion prevention system, etc.
Requirement Mapping: Technical
Responsible: RE
Control Mapping: AWS provides MFA at ... dedicated network connectivity with the Direct Connect service; user and AWS Identity & Access Management ... AWS also offers intrusion ...
Remarks: AWS CloudTrail, AWS Network ...
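The Secure User Management row (page 32: least privilege, regular permission review, time-bound access, MFA for admin accounts) and the management interface row above (MFA on the interface used to manage the account) both come down to what the RE's IAM policies actually grant. The following added example, which is neither AWS tooling nor the page's own material, lints IAM policy documents for those controls: wildcard Action/Resource, privileged actions allowed without an aws:MultiFactorAuthPresent condition, and grants with no aws:CurrentTime expiry. It reads the real IAM policy grammar for the fields it inspects; the list of privileged action prefixes and the two sample policies (placeholder account ID and role names) are assumptions of the example.

```python
"""Lint IAM policy documents for least privilege, MFA and time-bound access (added example)."""
import json
from typing import Any, Dict, List

# Assumption for this example: action prefixes the RE treats as admin-capable
# (identity, key and account-structure changes). Tune to your own inventory.
PRIVILEGED_PREFIXES = ("iam:", "sts:", "kms:", "organizations:")


def _as_list(value: Any) -> List[Any]:
    """IAM allows a string or a list for Action, Resource and Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _mfa_required(stmt: Dict[str, Any]) -> bool:
    """True if the statement only applies when aws:MultiFactorAuthPresent is true."""
    cond = stmt.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        value = cond.get(operator, {}).get("aws:MultiFactorAuthPresent")
        if value is not None and str(value).lower() == "true":
            return True
    return False


def _time_bound(stmt: Dict[str, Any]) -> bool:
    """True if the grant expires via aws:CurrentTime (DateLessThan / DateLessThanEquals)."""
    cond = stmt.get("Condition", {})
    return any("aws:CurrentTime" in cond.get(op, {})
               for op in ("DateLessThan", "DateLessThanEquals"))


def lint_policy(policy: Dict[str, Any]) -> List[str]:
    """Return one finding per violated control; an empty list means the policy passes."""
    findings: List[str] = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"Statement[{index}]")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource grants everything except the listed items; enumerate explicitly")
        actions = [str(a) for a in _as_list(stmt.get("Action"))]
        resources = [str(r) for r in _as_list(stmt.get("Resource"))]
        if "*" in actions:
            findings.append(f"{sid}: Action '*' grants every API call (least privilege)")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' applies the grant to every resource (least privilege)")
        privileged = [a for a in actions if a == "*" or a.lower().startswith(PRIVILEGED_PREFIXES)]
        if privileged and not _mfa_required(stmt):
            findings.append(f"{sid}: privileged actions {privileged} allowed without an MFA condition")
        if not _time_bound(stmt):
            findings.append(f"{sid}: no aws:CurrentTime expiry; add a DateLessThan condition where feasible")
    return findings


def lint_policy_json(text: str) -> List[str]:
    """Convenience wrapper for policy documents as returned by the IAM API."""
    return lint_policy(json.loads(text))


# Constructed policies for illustration (the account ID and role names are placeholders).
WEAK_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"}]
}"""

HARDENED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "BreakGlassRoleEdit",
    "Effect": "Allow",
    "Action": ["iam:UpdateAssumeRolePolicy", "iam:GetRole"],
    "Resource": "arn:aws:iam::123456789012:role/app-*",
    "Condition": {
      "Bool": {"aws:MultiFactorAuthPresent": "true"},
      "DateLessThan": {"aws:CurrentTime": "2024-04-01T00:00:00Z"}
    }
  }]
}"""

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint_policy_json(doc) or ["no findings"])
```

It evaluates one document at a time, so the other common MFA pattern (a separate Deny on everything while aws:MultiFactorAuthPresent is false), permission boundaries and SCPs are outside its view; a clean result is a necessary check, not a sufficient one. In practice the input is the JSON from `aws iam get-policy-version` for each attached policy, run as part of the regular permission review item 2 on page 32 calls for.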
Page 33
SEBI Requirement: Internet facing interfaces: Any interface which is exposed to the public at large on the internet in the form of a service/API/etc. is considered an internet-facing interface. Adequate security controls such as IPS, firewall, WAF, anti-DDoS, API gateways etc. should be in place, and additional controls such as 2FA authentication and SSL VPN solutions shall also be considered.
Requirement Mapping: Technical
Responsible: RE
Control Mapping: Amazon provides native firewall services (Web Firewall & Network Firewall), or the RE can also ...
Remarks: AWS Network Firewall, AWS WAF, AWS Shield

Page 33
SEBI Requirement: Interfaces connected between ... (through P2P or LAN/MPLS etc.) and CSP: Security controls such as IPS, firewall, WAF, anti-DDoS, etc. shall be in place, and additional controls such as IPsec VPN shall be adopted, wherever necessary, to secure such interfaces.
Requirement Mapping: Technical
Responsible: RE
Control Mapping: AWS Network Firewall/3rd party firewall, Amazon ...
Remarks: AWS Network Firewall, AWS WAF, AWS Shield

Page 33
SEBI Requirement: Secure Software Development: RE shall adopt appropriate Secure Software Development processes, and security shall be an integral part right from the design phase itself.
Requirement Mapping: Technical
Responsible: RE
Control Mapping: AWS recommends using secure code development ...
Remarks: AWS Developer Tools

Page 34
SEBI Requirement: Secure Software Development: A new approach for secure software development shall be implemented by the RE for dealing with cloud-native development concepts such as microservices, APIs, containers, serverless architecture, etc., as the traditional security mechanisms for protecting typical web applications might not be relevant for cloud-native development concepts.
Requirement Mapping: Technical
Responsible: RE
Control Mapping: AWS recommends using secure code development ...
Remarks: AWS Developer Tools

Page 34
SEBI Requirement: Secure Software Development: Best practices such as zero trust principles, fine-grained access control mechanisms, API gateways, etc. shall be adopted for development and usage of APIs. End-to-end security of the APIs shall also be taken care of by the RE as per standard practices and guidelines.
Requirement Mapping: Technical
Responsible: RE
Control Mapping: AWS is built on zero-trust
Remarks: AWS Zero Trust

Page 34
SEBI Requirement: Secure Software Development: Secure identification, authentication and authorization mechanisms shall be adopted by the RE.
Requirement Mapping: Technical
Control Mapping: AWS is built on zero-trust
Remarks: AWS Zero Trust

Page 34
SEBI Requirement: Managed Service Provider (MSP) & System Integrator (SI):
1. Wherever MSP and SI are involved in cloud services procurement, a clear demarcation of roles and liabilities shall be clearly defined in the Agreement/Contract.
2. As there are new risks introduced in engaging MSP/SI or both, the same shall be assessed and mitigated by the RE.
Requirement Mapping: Compliance & Process
Responsible: RE
Control Mapping: AWS Solution Architect team provides ...

Page 34 & 35
SEBI Requirement: Encryption and Cryptographic Key Management:
i. To ensure the confidentiality, privacy and integrity of the data, encryption as defined below shall be adopted by the RE:
1. Data-at-rest encryption to be done with strong encryption algorithms. Data object encryption, file-level encryption or tokenization, in addition to the encryption provided at the platform level, shall be used.
2. Data-in-motion, including the data within the cloud, shall be encrypted. Session encryption or data object encryption, in addition to the encryption provided at the platform level (e.g. TLS encryption), shall be used wherever any sensitive data is in transit.
3. Data-in-use, i.e. wherever data is being used or processed in the cloud, confidential computing solutions shall be implemented.
Requirement Mapping: Technical
Responsible: RE
Control Mapping: AWS KMS & AWS Certificate ... AWS Nitro provides confidential computing
Remarks: AWS BYOK, Confidential Computing

Page 35
SEBI Requirement: Encryption and Cryptographic Key Management: ... encryption and key management, the following shall be followed:
1. Wherever applicable: ... Bring Your Own Key (BYOK) approach shall be adopted, which ensures that the RE retains the control and management of cryptographic keys that would be uploaded to the cloud to perform data encryption. ... shall be followed by the RE.
2. In case BYOK and BYOE approaches (as given above) are not implemented by the RE, the RE shall conduct a detailed risk assessment and implement appropriate risk mitigation measures to achieve equivalent functionality/security to BYOK and BYOE approaches.
3. Generating, storing and managing the keys in a Hardware Security Module (HSM) shall be implemented in a dedicated HSM to have complete control of key management. However, it is to be noted that the HSM should be designed in fault-tolerant mode to ensure that the failure of an HSM does not have an impact on data retrieval and processing.
Requirement Mapping: Technical
Responsible: RE & CSP
Control Mapping: AWS supports BYOK both in KMS as well as ...
Remarks: AWS BYOK

Page 36
SEBI Requirement: End Point Security: The RE shall ensure that data security controls in the nature of anti-virus, Data Leak Prevention (DLP) solutions etc. are installed and configured on the cloud deployments for effective data security. The RE shall also evaluate the baseline security controls provided by the CSP and may demand additional controls (from the CSP) if required.
Requirement Mapping: Technical
Responsible: RE
Control Mapping: AWS provides native capability for malware detection as ...
Remarks: AWS Marketplace

Page 36
SEBI Requirement: Network Security:
1. RE shall adopt the micro-segmentation principle on cloud infrastructure. Only the essential communication channels between computing resources shall be allowed, and the rest of the communication channels shall be blocked.
2. RE shall also consider the option of utilizing Cloud Access Security Broker (CASB)/Secure Access Service Edge (SASE)/similar frameworks or tools for effective monitoring of the network, enforcement of policies, etc.
Requirement Mapping: Technical
Responsible: RE
Control Mapping: Considered as ...
Remarks: Refer to AWS ...
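Micro-segmentation, as item 1 above frames it, is an allow-list: enumerate the essential channels and everything else is blocked. The check that is easy to skip is the reverse one: do the security-group rules as deployed permit anything beyond that list? The block below is an added example, not AWS code and not the page's own material, that audits a constructed three-tier rule set against an allow-list of flows. It flags internet-open rules on non-public tiers, any/any rules, rules for which no essential flow exists, and rules whose port range exceeds the essential ports, and it also reports essential flows that no rule permits. The field names of the rules and the tier layout are assumptions of the example.

```python
"""Audit security-group ingress rules against a micro-segmentation allow-list (added example)."""
import ipaddress
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int]  # (source tier, destination security group, port)

# Constructed three-tier layout: only the web tier is meant to face the internet.
PUBLIC_GROUPS: Set[str] = {"web"}

# The allow-list: every channel the application needs, and nothing else.
ESSENTIAL_FLOWS: Set[Flow] = {
    ("internet", "web", 443),
    ("web", "app", 8080),
    ("app", "db", 5432),
}

# Constructed ingress rules in a security-group-like shape (field names are this example's
# own). proto "-1" means all protocols; "sg:<name>" means traffic from that security group.
RULES: List[Dict] = [
    {"group": "web", "proto": "tcp", "from": 443,  "to": 443,   "source": "0.0.0.0/0"},
    {"group": "app", "proto": "tcp", "from": 8080, "to": 8080,  "source": "sg:web"},
    {"group": "db",  "proto": "tcp", "from": 5432, "to": 5432,  "source": "sg:app"},
    {"group": "app", "proto": "tcp", "from": 22,   "to": 22,    "source": "0.0.0.0/0"},   # SSH from anywhere
    {"group": "db",  "proto": "-1",  "from": 0,    "to": 65535, "source": "10.0.0.0/8"},  # any/any inside the VPC
]


def _source_tier(source: str) -> str:
    """Map a rule source to a tier: a security-group reference, the whole internet, or a CIDR."""
    if source.startswith("sg:"):
        return source[3:]
    net = ipaddress.ip_network(source, strict=False)
    return "internet" if net.prefixlen == 0 else f"cidr:{net}"


def audit_rules(rules: List[Dict], essential: Set[Flow],
                public_groups: Set[str]) -> Dict[str, List[str]]:
    """Flag rules that open more than the essential flows; list essential flows nothing permits."""
    findings: List[str] = []
    permitted: Set[Flow] = set()
    for rule in rules:
        group, src = rule["group"], _source_tier(rule["source"])
        label = f"{group} <- {rule['source']} {rule['proto']} {rule['from']}-{rule['to']}"
        if src == "internet" and group not in public_groups:
            findings.append(f"{label}: open to the internet, but '{group}' is not a public-facing tier")
        if rule["proto"] == "-1" or (rule["from"] == 0 and rule["to"] == 65535):
            findings.append(f"{label}: all ports/protocols; restrict to the service port")
        allowed_ports = {p for (s, d, p) in essential if s == src and d == group}
        if not allowed_ports:
            findings.append(f"{label}: no essential flow from '{src}' to '{group}'; this channel should be blocked")
            continue
        covered = set(range(rule["from"], rule["to"] + 1))
        if not covered <= allowed_ports:
            findings.append(f"{label}: ports beyond the essential set {sorted(allowed_ports)}")
        permitted |= {(src, group, p) for p in covered & allowed_ports}
    missing = sorted(f for f in essential if f not in permitted)
    return {"findings": findings,
            "missing": [f"{s} -> {d}:{p}" for (s, d, p) in missing]}


if __name__ == "__main__":
    report = audit_rules(RULES, ESSENTIAL_FLOWS, PUBLIC_GROUPS)
    for line in report["findings"]:
        print("FINDING:", line)
    for line in report["missing"]:
        print("MISSING:", line)
```

For a real environment the rules come from `aws ec2 describe-security-groups`, with each IpPermissions entry mapped to this shape; egress rules, managed prefix lists and NACLs are not modelled here, and the "missing" list matters as much as the findings, since an allow-list that silently drops an essential channel is how a segmentation change turns into an outage.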

Page 36
SEBI Requirement: Backup and recovery solution:
1. The RE shall ensure that a backup and recovery policy is in place to address the backup requirement of cloud deployments. The backup and recovery processes shall be checked at least twice a year to ensure the adequacy of the backups.
2. The backup shall be logically segregated from production/dev/UAT environments to ensure that a malware infection in such systems does not percolate to the backup environment.
... services are utilized, adequate care should be taken with the encryption solution and key management.
Requirement Mapping: Technical
Responsible: RE
Control Mapping: AWS provides native ...
Remarks: AWS Backup

Page 36
SEBI Requirement: Skillset: RE shall equip staff overseeing cloud operations with the knowledge and skills required to securely use and manage the risks associated with cloud computing. The skills should also be imparted to oversee the management interfaces, security configurations etc. of the CSP infrastructure. This is a critical factor as it will reduce misconfigurations, vulnerabilities etc. and will increase the reliability of services.
Requirement Mapping: Process
Responsible: RE
Control Mapping: AWS provides consultation and implementation support with AWS ...
Remarks: AWS Training & Certification

Page 37
SEBI Requirement: Breach Notification: The CSP shall notify the RE of any cybersecurity incident (for example data breach, ransomware, etc.) as mandated by the RE. The reporting shall be done as per the norms/guidelines/circulars issued by SEBI/Government of India and (wherever applicable) as per the contractual agreement signed between the CSP and RE. The CSP shall provide all related forensic data, reports and event logs as required by RE/SEBI/CERT-In/any other government agency. The incident shall be dealt with as per the Security Incident Management Policy of the RE along with the relevant guidelines/directions issued by SEBI/Government of India/respective state government.
Requirement Mapping: Compliance
Responsible: CSP
Control Mapping: AWS has documented an incident response policy and plan which outlines an organized approach for responding to security breaches and incidents. The AWS Security team is ... As part of the process, potential breaches of customer content are investigated and escalated to AWS Security and AWS Legal. Affected customers and regulators are notified of breaches and incidents where legally required. Customers can subscribe to the AWS Security Bulletins page, which provides ...
Remarks: SOC 2 Report (Page 80)