9H

DOCUMENT STRUCTURE
The requested document is appended to this terms and conditions page. This document

wr
contains supplementary attachments. To access the supplementary attachments, you must open
this document in an application that supports PDF attachments. See the AWS Artifact User Guide
for instructions on how to open attachments.

qm
TERMS AND CONDITIONS
You hereby agree that you will not distribute, display, or otherwise make this document available
to an individual or entity, unless expressly permitted herein. This document is AWS Confidential

eF
Information (as defined in the AWS Customer Agreement), and you may not remove these terms
and conditions from this document, nor take excerpts of this document, without Amazon’s

zp
express written consent. You may not use this document for purposes competitive with Amazon.
You may distribute this document, in its complete form, upon the commercially reasonable
request by (1) an end user of your service, to the extent that your service functions on relevant

6E
AWS offerings provided that such distribution is accompanied by documentation that details the
function of AWS offerings in your service, provided that you have entered into a confidentiality
agreement with the end user that includes terms not less restrictive than those provided herein

8P
and have named Amazon as an intended beneficiary, or (2) a regulator, so long as you request
confidential treatment of this document (each (1) and (2) is deemed a “Permitted Recipient”).
You must keep comprehensive records of all Permitted Recipient requests, and make such records
UD
available to Amazon and its auditors, upon request. You further (i) acknowledge and agree that
you do not acquire any rights against Amazon’s Service Auditors in connection with your receipt
or use of this document, and (ii) release Amazon’s Service Auditor from any and all claims or
yU

causes of action that you have now or in the future against Amazon’s Service Auditor arising from
this document. The foregoing sentence is meant for the benefit of Amazon’s Service Auditors,
who are entitled to enforce it. “Service Auditor” means the party that created this document for
ZT

Amazon or assisted Amazon with creating this document.

eu
o1
n-
ke
-to
rm
te
 9H
wr
AWS Customer Compliance Guides

qm
June 2024

eF
zp
6E
8P
UD
yU
ZT
eu
o1
n-
ke
-to
rm
te

1
TERMS OF USE

9H
Customers are responsible for making their own independent assessment of the information in this CCG. This CCG: (a) is
provided for informational purposes only, (b) represents current AWS product offerings and practices at the time of
publication, which are subject to change without notice, and (c) does not create any commitments or assurances from

wr
AWS and its affiliates, suppliers or licensors.

This CCG does not constitute legal or compliance advice. This CCG is provided “as is” and AWS disclaims all warranties,
representations, or conditions of any kind, whether express, implied, statutory, or otherwise relating to this CCG. AWS

qm
specifically disclaims all implied warranties of merchantability, fitness for a particular purpose, title, and non-
infringement, and all warranties arising from course of dealing, usage, or trade practice with respect to all use of this
CCG. For avoidance of doubt, AWS does not warrant that any information contained in this CCG, or any use of or any

eF
results of the use of this CCG, will meet customer’s or any other person’s requirements or objectives, achieve any
intended result, or be accurate, complete, or error free. The responsibilities and liabilities of AWS to its customers are
controlled by AWS agreements. This document is not part of and does not modify any agreement between AWS and its

zp
customers.

In no event will AWS be liable in connection with any use of this CCG under any legal or equitable theory, including

6E
breach of contract, tort (including negligence), strict liability, and otherwise, including without limitation for any (a)
consequential, incidental, indirect, exemplary, special, enhanced, or punitive damages, (b) increased costs, diminution in
value, or lost business, production, revenues, or profits, (c) loss of goodwill or reputation, (d) use, inability to use, loss,

8P
interruption, delay, or recovery of any data or breach of data or system security, or (e) cost of replacement goods or
services, in each case regardless of whether AWS was advised of the possibility of such losses or damages or such losses
or damages were otherwise foreseeable.
UD
NOTICES
By opening or using this Customer Compliance Guide (CCG) document, you agree to the Terms of Use set forth below. If
yU

you do not wish to adhere to the Terms of Use, do not open or use this CCG document.

This CCG is intended to serve as an informative resource for customers leveraging the shared responsibility model in
ZT

navigating their security compliance needs. The CCG is derived from AWS Service User Guides and is designed to
provide a consolidated view of AWS security practices based on the configurable options applicable to a service, related
compliance topics and control requirements. Customers may use this CCG to facilitate an understanding AWS’s current
eu

product offerings and practices as of the date of issue of this CCG.

The CCG is not designed to address all aspects of a given compliance framework or all possible configurable options for a
o1

service. Customers are responsible for determining compliance requirements and validating control implementation in
accordance with their organization’s policies, requirements and objectives. The security practices described in this CCG
may not represent the best course of action for every organization.
n-

Instructions for Opening AWS Customer Compliance Guides

ke

1. First, download this document

2. Open with Adobe Acrobat (preferred) or your alternate PDF viewer
-to

3. Next, double click the paper clip icon to open the AWS Customer Compliance Guides

Note: Some products referenced in this CCG may not yet be in scope for a particular compliance program or in a certain
region. Refer to the AWS Services in Scope page for a list of services in scope by compliance program.
rm
te

2
We encourage you to share feedback on your experience using CCGs and your recommendations for improvements in
our CCG Survey. You can also email us at [email protected]. To learn more about the background of CCGs and

9H
how best to use them, see the YouTube video Simplify the Shared Responsibility Model.

CCGs are built by the AWS Global Security and Compliance Acceleration (GSCA) Program. We help customers meet their

wr
security and compliance authorization goals by connecting them with AWS Partners and offering one-on-one sessions
with AWS Security Strategists and Solution Architects. If you need assistance with achieving compliance certifications,
please fill out this form to engage us.

qm
About Customer Compliance Guides
Customer Compliance Guides help customers address three primary challenges:

eF
1. Explaining how configuration responsibility might vary depending on the service and summarizing security best
practice guidance through the lens of compliance
2. Assisting customers in determining the scope of their security or compliance assessments based on the services

zp
they use to run their workloads
3. Providing customers with guidance to craft security compliance documentation that might be required to meet

6E
various compliance frameworks

CCGs map key details from public AWS user guides to industry-leading control framework requirements. The scope of

8P
CCGs is concentrated to address technical security controls implemented within AWS accounts. This makes the guides
lightweight and focused on the unique security considerations for individual AWS services.
UD
Customer Compliance Guides work backwards from security configuration recommendations for each service and map
the guidance and compliance considerations to the following frameworks:

• NIST 800-53 Rev5 • Payment Card Industry Data Security

yU

• NIST Cybersecurity Framework (CSF) Standard (PCI-DSS) v4.0

• NIST 800-171 • Department of Defense Cybersecurity
• System and Organization Controls (SOC) II Maturity Model Certification (CMMC)
ZT

• Center for Internet Security (CIS) Critical • New York Dept. of Financial Service
Controls v8.0 Cybersecurity Regulation (NYDFS)
• ISO 27001 • Federal Financial Institutions Examination
eu

• IRAP (Australian ISM) Council Cybersecurity Assessment Tool

• Canadian Centre for Cyber Security (CCCS) (FFIEC)
• Cloud Security Alliance (CSA) CCM v-4 • Cloud Computing Compliance Criteria
o1

• NERC Critical Infrastructure Protection Catalogue – C5:2020

(CIP) • MPA Content Security Best Practices v-5.2
• HIPAA
n-
ke
-to
rm
te