DOCUMENT STRUCTURE

The requested document is appended to this terms and conditions page. This document contains supplementary attachments. To access the supplementary attachments, you must open this document in an application that supports PDF attachments. See the AWS Artifact User Guide for instructions on how to open attachments.

TERMS AND CONDITIONS

You hereby agree that you will not distribute, display, or otherwise make this document available to an individual or entity, unless expressly permitted herein. This document is AWS Confidential Information (as defined in the AWS Customer Agreement), and you may not remove these terms and conditions from this document, nor take excerpts of this document, without Amazon’s express written consent. You may not use this document for purposes competitive with Amazon. You may distribute this document, in its complete form, upon the commercially reasonable request by (1) an end user of your service, to the extent that your service functions on relevant AWS offerings provided that such distribution is accompanied by documentation that details the function of AWS offerings in your service, provided that you have entered into a confidentiality agreement with the end user that includes terms not less restrictive than those provided herein and have named Amazon as an intended beneficiary, or (2) a regulator, so long as you request confidential treatment of this document (each (1) and (2) is deemed a “Permitted Recipient”). You must keep comprehensive records of all Permitted Recipient requests, and make such records available to Amazon and its auditors, upon request. You further (i) acknowledge and agree that you do not acquire any rights against Amazon’s Service Auditors in connection with your receipt or use of this document, and (ii) release Amazon’s Service Auditor from any and all claims or causes of action that you have now or in the future against Amazon’s Service Auditor arising from this document. The foregoing sentence is meant for the benefit of Amazon’s Service Auditors, who are entitled to enforce it. “Service Auditor” means the party that created this document for Amazon or assisted Amazon with creating this document.


System and Organization Controls 1 (SOC 1) Type 2 Report

Description of the Amazon Web Services System

For the Period July 1, 2023 to June 30, 2024

Proprietary and Confidential Information - Trade Secret

©2024 Amazon.com, Inc. or its affiliates
Description of the Amazon Web Services System

Table of Contents

SECTION I – Assertion of Amazon Web Services ... 3
SECTION II – Independent Service Auditor’s Assurance Report ... 11
SECTION III – Description of the Amazon Web Services System ... 20
    Amazon Web Services System Overview ... 21
    A. Policies ... 28
    B. Communications ... 32
    C. Service Commitments and System Requirements ... 32
    D. Procedures ... 34
    E. Monitoring ... 84
    Control Objectives and Related Controls ... 86
    Complementary User Entity Controls ... 86
SECTION IV – Description of Control Objectives, Controls, Tests, and Results of Tests ... 89
    Testing Performed and Results of Entity-Level Controls ... 90
    Procedures for Assessing Completeness and Accuracy of Information Provided by the Entity (IPE) ... 90
    Control Objectives and Related Controls ... 90
    Information System Control Environment ... 91
        Control Objective 1: Security Organization ... 91
        Control Objective 2: Employee User Access ... 95
        Control Objective 3: Logical Security ... 100
        Control Objective 4: Secure Data Handling ... 115
        Control Objective 5: Physical Security and Environmental Protection ... 126
        Control Objective 6: Change Management ... 134
        Control Objective 7: Data Integrity, Availability and Redundancy ... 138
        Control Objective 8: Incident Handling ... 147
        Control Objective 9: Security ... 148
SECTION V – Other Information Provided By Amazon Web Services ... 154
APPENDIX – Glossary of Terms ... 157

SECTION I – Assertion of Amazon Web Services


Amazon Web Services
410 Terry Avenue North
Seattle, WA 98109-5210

Amazon Web Services’ Management Assertion

We have prepared the description of Amazon Web Services, Inc.’s (AWS) system entitled, “Description of the Amazon Web Services System” (Description) for providing cloud computing services throughout the period July 1, 2023 to June 30, 2024 for user entities of the system during some or all of the period July 1, 2023 to June 30, 2024, and their auditors who audit and report on such user entities’ financial statements or internal control over financial reporting and have a sufficient understanding to consider the Description, along with other information, including information about controls implemented by user entities of the system themselves, when assessing the risks of material misstatements of user entities’ financial statements.

The scope of this system description includes the following services:

• Amazon API Gateway
• Amazon AppFlow
• Amazon AppStream 2.0
• Amazon Athena
• Amazon Augmented AI [Excludes Public Workforce and Vendor Workforce for all features]
• Amazon Bedrock
• Amazon Braket
• Amazon Chime
• Amazon Chime SDK
• Amazon Cloud Directory
• Amazon CloudFront [excludes content delivery through Amazon CloudFront Embedded Point of Presences]
• Amazon CloudWatch
• Amazon CloudWatch Logs
• Amazon CodeWhisperer
• Amazon Cognito
• Amazon Comprehend
• Amazon Comprehend Medical
• Amazon Connect
• Amazon Data Firehose
• Amazon DataZone
• Amazon Detective
• Amazon DevOps Guru
• Amazon DocumentDB [with MongoDB compatibility]
• Amazon DynamoDB
• Amazon DynamoDB Accelerator (DAX)
• Amazon EC2 Auto Scaling
• Amazon Elastic Block Store (EBS)
• Amazon Elastic Compute Cloud (EC2)
• Amazon Elastic Container Registry (ECR)
• Amazon Elastic Container Service [both Fargate and EC2 launch types]
• Amazon Elastic File System (EFS)
• Amazon Elastic Kubernetes Service (EKS) [both Fargate and EC2 launch types]
• Amazon Elastic MapReduce (EMR)
• Amazon ElastiCache
• Amazon EventBridge
• Amazon FinSpace
• Amazon Forecast
• Amazon Fraud Detector
• Amazon FSx
• Amazon GuardDuty
• Amazon Inspector
• Amazon Inspector Classic
• Amazon Kendra
• Amazon Keyspaces (for Apache Cassandra)
• Amazon Kinesis Data Streams
• Amazon Kinesis Video Streams
• Amazon Lex
• Amazon Location Service
• Amazon Macie
• Amazon Managed Grafana
• Amazon Managed Service for Apache Flink
• Amazon Managed Service for Prometheus
• Amazon Managed Streaming for Apache Kafka
• Amazon Managed Workflows for Apache Airflow (Amazon MWAA)
• Amazon MemoryDB (formerly known as Amazon MemoryDB for Redis)
• Amazon MQ
• Amazon Neptune
• Amazon OpenSearch Service
• Amazon Personalize
• Amazon Pinpoint
• Amazon Polly
• Amazon Quantum Ledger Database (QLDB)
• Amazon QuickSight
• Amazon Redshift
• Amazon Rekognition
• Amazon Relational Database Service (RDS)
• Amazon Route 53
• Amazon S3 Glacier
• Amazon SageMaker [Excludes Studio Lab, Public Workforce and Vendor Workforce for all features]
• Amazon Simple Email Service (SES)
• Amazon Simple Notification Service (SNS)
• Amazon Simple Queue Service (SQS)
• Amazon Simple Storage Service (S3)
• Amazon Simple Workflow Service (SWF)
• Amazon SimpleDB
• Amazon Textract
• Amazon Timestream
• Amazon Transcribe
• Amazon Translate
• Amazon Virtual Private Cloud (VPC)
• Amazon WorkDocs
• Amazon WorkMail
• Amazon WorkSpaces
• Amazon WorkSpaces Secure Browser (Formerly known as Amazon Workspaces Web)
• AWS Amplify
• AWS App Mesh
• AWS App Runner
• AWS AppFabric
• AWS Application Migration Service
• AWS AppSync
• AWS Artifact
• AWS Audit Manager
• AWS Backup
• AWS Batch
• AWS Certificate Manager (ACM)
• AWS Chatbot
• AWS Clean Rooms
• AWS Cloud Map
• AWS Cloud9
• AWS CloudFormation
• AWS CloudHSM
• AWS CloudShell
• AWS CloudTrail
• AWS CodeBuild
• AWS CodeCommit
• AWS CodeDeploy
• AWS CodePipeline
• AWS Config
• AWS Control Tower
• AWS Data Exchange
• AWS Database Migration Service (DMS)
• AWS DataSync
• AWS Direct Connect
• AWS Directory Service [Excludes Simple AD]
• AWS Elastic Beanstalk
• AWS Elastic Disaster Recovery
• AWS Elemental MediaConnect
• AWS Elemental MediaConvert
• AWS Elemental MediaLive
• AWS Entity Resolution
• AWS Fault Injection Service
• AWS Firewall Manager
• AWS Global Accelerator
• AWS Glue
• AWS Glue DataBrew
• AWS Health Dashboard
• AWS HealthImaging
• AWS HealthLake
• AWS HealthOmics
• AWS IAM Identity Center
• AWS Identity and Access Management (IAM)
• AWS IoT Core
• AWS IoT Device Defender
• AWS IoT Device Management
• AWS IoT Events
• AWS IoT Greengrass
• AWS IoT SiteWise
• AWS IoT TwinMaker
• AWS Key Management Service (KMS)
• AWS Lake Formation
• AWS Lambda
• AWS License Manager
• AWS Mainframe Modernization
• AWS Managed Services
• AWS Network Firewall
• AWS OpsWorks [includes Chef Automate, Puppet Enterprise]
• AWS OpsWorks Stacks
• AWS Organizations
• AWS Outposts
• AWS Payment Cryptography
• AWS Private Certificate Authority
• AWS Resilience Hub
• AWS Resource Access Manager (RAM)
• AWS Resource Groups
• AWS RoboMaker
• AWS Secrets Manager
• AWS Security Hub
• AWS Server Migration Service (SMS)
• AWS Serverless Application Repository
• AWS Service Catalog
• AWS Shield
• AWS Signer
• AWS Snowball
• AWS Snowball Edge
• AWS Snowmobile
• AWS Step Functions
• AWS Storage Gateway
• AWS Systems Manager
• AWS Transfer Family
• AWS User Notifications
• AWS WAF
• AWS Wickr
• AWS X-Ray
• EC2 Image Builder
• Elastic Load Balancing (ELB)
• FreeRTOS
• VM Import/Export
More information about the in-scope services can be found at the following web address:

https://aws.amazon.com/compliance/services-in-scope/
EK

The scope of locations covered in this report includes the supporting data centers located in the following regions:

• Australia: Asia Pacific (Sydney) (ap-southeast-2), Asia Pacific (Melbourne) (ap-southeast-4)
• Bahrain: Middle East (Bahrain) (me-south-1)
• Brazil: South America (São Paulo) (sa-east-1)
• Canada: Canada (Central) (ca-central-1), Canada West (Calgary) (ca-west-1)*
• England: Europe (London) (eu-west-2)
• France: Europe (Paris) (eu-west-3)
• Germany: Europe (Frankfurt) (eu-central-1)
• Hong Kong: Asia Pacific (ap-east-1)
• India: Asia Pacific (Mumbai) (ap-south-1), Asia Pacific (Hyderabad) (ap-south-2)
• Indonesia: Asia Pacific (Jakarta) (ap-southeast-3)
• Ireland: Europe (Ireland) (eu-west-1)
• Israel: Israel (Tel Aviv) (il-central-1)*
• Italy: Europe (Milan) (eu-south-1)
• Japan: Asia Pacific (Tokyo) (ap-northeast-1), Asia Pacific (Osaka) (ap-northeast-3)
• Singapore: Asia Pacific (Singapore) (ap-southeast-1)
• South Africa: Africa (Cape Town) (af-south-1)
• South Korea: Asia Pacific (Seoul) (ap-northeast-2)
• Spain: Europe (Spain) (eu-south-2)
• Sweden: Europe (Stockholm) (eu-north-1)
• Switzerland: Europe (Zurich) (eu-central-2)
• United Arab Emirates: Middle East (UAE) (me-central-1)
• United States: US East (Northern Virginia) (us-east-1), US East (Ohio) (us-east-2), US West (Oregon) (us-west-2), US West (Northern California) (us-west-1), AWS GovCloud (US-East) (us-gov-east-1), AWS GovCloud (US-West) (us-gov-west-1)

* Effective date for this region is February 15, 2024.

gv
and the following AWS Edge locations in:

• Caba, Argentina
• General Pacheco, Argentina
• Brisbane, Australia
• Canberra, Australia
• Hume, Australia
• Melbourne, Australia
• Perth, Australia
• Sydney, Australia
• Vienna, Austria
• Brussels, Belgium
• Fortaleza, Brazil
• Rio de Janeiro, Brazil
• São Paulo, Brazil
• Sofia, Bulgaria
• Montreal, Canada
• Toronto, Canada
• Vancouver, Canada
• Huechuraba, Chile
• Santiago de Chile, Chile
• Bogotá, Colombia
• Zagreb, Croatia
• Prague, Czech Republic
• Ballerup, Denmark
• Tallinn, Estonia
• Helsinki, Finland
• Espoo, Finland
• Aubervilliers, France
• Marseille, France
• Paris, France
• Berlin, Germany
• Dusseldorf, Germany
• Frankfurt, Germany
• Hamburg, Germany
• Munich, Germany
• Kropia, Greece
• Budapest, Hungary
• Bangalore, India
• Chennai, India
• Hyderabad, India
• Kolkata, India
• Mumbai, India
• New Delhi, India
• Noida, India
• Pune, India
• Bekasi, Indonesia
• Jakarta, Indonesia
• Clonshaugh, Ireland
• Dublin, Ireland
• Haifa, Israel
• Milan, Italy
• Rome, Italy
• Inzai, Japan
• Koto City, Japan
• Osaka, Japan
• Shinagawa, Japan
• Nairobi, Kenya
• Kuala Lumpur, Malaysia
• Santiago de Querétaro, Mexico
• Amsterdam, Netherlands
• Schiphol-Rijk, Netherlands
• Rosedale, New Zealand
• Lagos, Nigeria
• Oslo, Norway
• Barka, Oman
• Santiago de Surco, Peru
• Manila, Philippines
• Warsaw, Poland
• Lisbon, Portugal
• Bucharest, Romania
• Hong Kong, SAR
• Singapore, Singapore
• Cape Town, South Africa
• Johannesburg, South Africa
• Anyang-si, South Korea
• Seoul, South Korea
• Barcelona, Spain
• Madrid, Spain
• Stockholm, Sweden
• Zurich, Switzerland
• New Taipei City, Taiwan
• Taipei, Taiwan
• Bangkok, Thailand
• Bang Chalong, Thailand
• Dubai, United Arab Emirates
• Fujairah, United Arab Emirates
• London, United Kingdom
• Manchester, United Kingdom
• Slough, United Kingdom
• Swinton, United Kingdom
• Ashburn, United States
• Atlanta, United States
• Bluffdale, United States
• Boston, United States
• Chandler, United States
• Chicago, United States
• Columbus, United States
• Dallas, United States
• Denver, United States
• El Segundo, United States
• Elk Grove Village, United States
• Franklin, United States
• Greenwood Village, United States
• Hillsboro, United States
• Houston, United States
• Irvine, United States
• Irving, United States
• Kansas City, United States
• Las Vegas, United States
• Los Angeles, United States
• Lynnwood, United States
• Miami, United States
• Milpitas, United States
• Minneapolis, United States
• New York City, United States
• Newark, United States
• North Las Vegas, United States
• Palo Alto, United States
• Philadelphia, United States
• Phoenix, United States
• Piscataway, United States
• Pittsburgh, United States
• Portland, United States
• Reston, United States
• Richardson, United States
• San Jose, United States
• Seattle, United States
• Secaucus, United States
• Tampa, United States
• Tempe, United States
• Vienna, United States
• West Valley City, United States
• Hanoi, Vietnam
• Ho Chi Minh, Vietnam



and the following Wavelength locations in:

• Toronto, Canada
• Berlin, Germany
• Dortmund, Germany
• Munich, Germany
• Osaka, Japan
• Tama, Japan
• Daejeon, South Korea
• Seoul, South Korea
• London, United Kingdom
• Salford, United Kingdom
• Alpharetta, United States
• Annapolis Junction, United States
• Aurora, United States
• Azusa, United States
• Charlotte, United States
• Euless, United States
• Houston, United States
• Knoxville, United States
• Las Vegas, United States
• Minneapolis, United States
• New Berlin, United States
• Pembroke Pines, United States
• Plant City, United States
• Redmond, United States
• Rocklin, United States
• Southfield, United States
• Tempe, United States
• Wall Township, United States
• Westborough, United States

as well as Local Zone locations in:

• Buenos Aires, Argentina
• Perth, Australia
• Santiago, Chile
• Copenhagen, Denmark
• Helsinki, Finland
• Hamburg, Germany
• Kolkata, India
• New Delhi, India
• Noida, India*
• Queretaro, Mexico
• Rosedale, New Zealand
• Lagos, Nigeria
• Muscat, Oman
• Lima, Peru
• Manila, Philippines
• Warsaw, Poland
• Singapore, Singapore*
• Taipei, Taiwan
• Bangkok, Thailand
• Atlanta, United States
• Boston, United States
• Chicago, United States
• El Segundo, United States
• Garland, United States
• Greenwood Village, United States
• Hillsboro, United States
• Houston, United States
• Irvine, United States
• Itasca, United States
• Kansas City, United States
• Las Vegas, United States
• Lee's Summit, United States*
• Lithia Springs, United States
• Mesa, United States
• Miami, United States
• Minneapolis, United States
• Philadelphia, United States
• Phoenix, United States
• Piscataway, United States
• Richardson, United States
• Seattle, United States

* This location is a Dedicated Local Zone and may not be available to all customers.
The Description indicates that certain control objectives specified in the Description can be achieved only if complementary user entity controls assumed in the design of AWS’ controls are suitably designed and operating effectively, along with related controls at the service organization. The Description does not extend to controls of the user entities.

We confirm, to the best of our knowledge and belief, that:

a. The Description fairly presents the Amazon Web Services system (System) made available to user entities of the System during some or all of the period July 1, 2023 to June 30, 2024, for providing cloud computing services as it relates to controls that are likely relevant to user entities’ internal control over financial reporting. The criteria we used in making this assertion were that the Description:

(1) Presents how the System made available to user entities of the system was designed and implemented, including, if applicable:

• The types of services provided.
• The procedures, within both automated and manual systems, by which those services are provided for user entities of the System.
• The information used in the performance of the procedures and supporting information; this includes the correction of incorrect information and how information is transferred to the reports prepared for user entities.
• How the System captures and addresses significant events and conditions.
• The process used to prepare reports and other information for user entities.
• Services performed by a subservice organization, if any, including whether the carve-out method or the inclusive method has been used in relation to them.
• The specified control objectives and controls designed to achieve those objectives, including, as applicable, complementary user entity controls assumed in the design of the service organization’s controls.
• Other aspects of our control environment, risk assessment process, information, and communications (including the related business processes), control activities, and monitoring activities that are relevant to the services provided.

(2) Includes relevant details of changes to the System during the period covered by the Description.

(3) Does not omit or distort information relevant to the System, while acknowledging that the Description is prepared to meet the common needs of a broad range of user entities of the System and their user auditors, and may not, therefore, include every aspect of the System that each individual user entity of the System and its user auditor may consider important in the user entity’s own particular environment.

b. The controls related to the control objectives stated in the Description were suitably designed and operated effectively throughout the period July 1, 2023 to June 30, 2024, to achieve those control objectives, if user entities applied the complementary user entity controls assumed in the design of AWS’ controls throughout the period July 1, 2023 to June 30, 2024. The criteria we used in making this assertion were that:

(1) The risks that threaten the achievement of the control objectives stated in the Description have been identified by management of the service organization.

(2) The controls identified in the Description would, if operating effectively, provide reasonable assurance that those risks would not prevent the control objectives stated in the Description from being achieved.

(3) The controls were consistently applied as designed, including whether manual controls were applied by individuals who have the appropriate competence and authority.

Amazon Web Services Management


SECTION II – Independent Service Auditor’s Assurance Report

SECTION III – Description of the Amazon Web Services System


Section III – Description of the Amazon Web Services System

Amazon Web Services System Overview

Since 2006, Amazon Web Services (AWS) has provided flexible, scalable and secure IT infrastructure to businesses of all sizes around the world. With AWS, customers can deploy solutions in a cloud computing environment that provides compute power, storage, and other application services over the Internet as their business needs demand. AWS affords businesses the flexibility to employ the operating systems, application programs, and databases of their choice.

The scope of this system description includes the following services:

• Amazon API Gateway
• Amazon AppFlow
• Amazon AppStream 2.0
• Amazon Athena
• Amazon Augmented AI [Excludes Public Workforce and Vendor Workforce for all features]
• Amazon Bedrock
• Amazon Braket
• Amazon Chime
• Amazon Chime SDK
• Amazon Cloud Directory
• Amazon CloudFront [excludes content delivery through Amazon CloudFront Embedded Point of Presences]
• Amazon CloudWatch
• Amazon CloudWatch Logs
• Amazon CodeWhisperer
• Amazon Cognito
• Amazon Comprehend
• Amazon Comprehend Medical
• Amazon Connect
• Amazon Data Firehose
• Amazon DataZone
• Amazon Detective
• Amazon DevOps Guru
• Amazon DocumentDB [with MongoDB compatibility]
• Amazon DynamoDB
• Amazon DynamoDB Accelerator (DAX)
• Amazon EC2 Auto Scaling
• Amazon Elastic Block Store (EBS)
• Amazon Elastic Compute Cloud (EC2)
• Amazon Elastic Container Registry (ECR)
• Amazon Elastic Container Service [both Fargate and EC2 launch types]
• Amazon Elastic File System (EFS)
• Amazon Elastic Kubernetes Service (EKS) [both Fargate and EC2 launch types]
• Amazon Elastic MapReduce (EMR)
• Amazon ElastiCache
• Amazon EventBridge
• Amazon FinSpace
• Amazon Forecast
• Amazon Fraud Detector
• Amazon FSx
• Amazon GuardDuty
• Amazon Inspector
• Amazon Inspector Classic
• Amazon Kendra
• Amazon Keyspaces (for Apache Cassandra)
• Amazon Kinesis Data Streams
• Amazon Kinesis Video Streams
• Amazon Lex
• Amazon Location Service
• Amazon Macie
• Amazon Managed Grafana
• Amazon Managed Service for Apache Flink
• Amazon Managed Service for Prometheus
• Amazon Managed Streaming for Apache Kafka
• Amazon Managed Workflows for Apache Airflow (Amazon MWAA)
• Amazon MemoryDB (formerly known as Amazon MemoryDB for Redis)
• Amazon MQ
• Amazon Neptune
• Amazon OpenSearch Service
• Amazon Personalize
• Amazon Pinpoint
• Amazon Polly
• Amazon Quantum Ledger Database (QLDB)
• Amazon QuickSight
• Amazon Redshift
• Amazon Rekognition
• Amazon Relational Database Service (RDS)
• Amazon Route 53
• Amazon S3 Glacier
• Amazon SageMaker [Excludes Studio Lab, Public Workforce and Vendor Workforce for all features]
• Amazon Simple Email Service (SES)
• Amazon Simple Notification Service (SNS)
• Amazon Simple Queue Service (SQS)
• Amazon Simple Storage Service (S3)
• Amazon Simple Workflow Service (SWF)
• Amazon SimpleDB
• Amazon Textract
• Amazon Timestream
• Amazon Transcribe
• Amazon Translate
• Amazon Virtual Private Cloud (VPC)
• Amazon WorkDocs
• Amazon WorkMail
• Amazon WorkSpaces
• Amazon WorkSpaces Secure Browser (Formerly known as Amazon Workspaces Web)
• AWS Amplify
• AWS App Mesh
• AWS App Runner
• AWS AppFabric
• AWS Application Migration Service
• AWS AppSync
• AWS Artifact
• AWS Audit Manager
• AWS Backup
• AWS Batch
• AWS Certificate Manager (ACM)
• AWS Chatbot
• AWS Clean Rooms
• AWS Cloud Map
• AWS Cloud9
• AWS CloudFormation
• AWS CloudHSM
• AWS CloudShell
• AWS CloudTrail
• AWS CodeBuild
• AWS CodeCommit
• AWS CodeDeploy
• AWS CodePipeline
• AWS Config
• AWS Control Tower
• AWS Data Exchange
• AWS Database Migration Service (DMS)
• AWS DataSync
• AWS Direct Connect
• AWS Directory Service [Excludes Simple AD]
• AWS Elastic Beanstalk
• AWS Elastic Disaster Recovery
• AWS Elemental MediaConnect
• AWS Elemental MediaConvert
• AWS Elemental MediaLive
• AWS Entity Resolution
• AWS Fault Injection Service
• AWS Firewall Manager
• AWS Global Accelerator
• AWS Glue
• AWS Glue DataBrew
• AWS Health Dashboard
• AWS HealthImaging
• AWS HealthLake
• AWS HealthOmics
• AWS IAM Identity Center
• AWS Identity and Access Management (IAM)
• AWS IoT Core
• AWS IoT Device Defender
• AWS IoT Device Management
• AWS IoT Events
• AWS IoT Greengrass
• AWS IoT SiteWise
• AWS IoT TwinMaker
• AWS Key Management Service (KMS)
• AWS Lake Formation
• AWS Lambda
• AWS License Manager
• AWS Mainframe Modernization
• AWS Managed Services
• AWS Network Firewall
• AWS OpsWorks [includes Chef Automate, Puppet Enterprise]
• AWS OpsWorks Stacks
• AWS Organizations
• AWS Outposts
• AWS Payment Cryptography
• AWS Private Certificate Authority
• AWS Resilience Hub
• AWS Resource Access Manager (RAM)
• AWS Resource Groups
• AWS RoboMaker
• AWS Secrets Manager
• AWS Security Hub
• AWS Server Migration Service (SMS)
• AWS Serverless Application Repository
• AWS Service Catalog
• AWS Shield
• AWS Signer
• AWS Snowball
• AWS Snowball Edge
• AWS Snowmobile
• AWS Step Functions
• AWS Storage Gateway
• AWS Systems Manager
• AWS Transfer Family
• AWS User Notifications
• AWS WAF
• AWS Wickr
• AWS X-Ray
• EC2 Image Builder
• Elastic Load Balancing (ELB)
• FreeRTOS
• VM Import/Export
More information about the in-scope services can be found at the following web address:

https://aws.amazon.com/compliance/services-in-scope/

The scope of locations covered in this report includes the supporting data centers located in the following
regions:
I6

• Australia: Asia Pacific (Sydney) (ap-southeast-2), Asia Pacific (Melbourne) (ap-


EK

southeast-4)
• Bahrain: Middle East (Bahrain) (me-south-1)
• Brazil: South America (São Paulo) (sa-east-1)
• Canada: Canada (Central) (ca-central-1), Canada West (Calgary) (ca-west-1)*
• England: Europe (London) (eu-west-2)
• France: Europe (Paris) (eu-west-3)
• Germany: Europe (Frankfurt) (eu-central-1)
• Hong Kong: Asia Pacific (Hong Kong) (ap-east-1)
• India: Asia Pacific (Mumbai) (ap-south-1), Asia Pacific (Hyderabad) (ap-south-2)
• Indonesia: Asia Pacific (Jakarta) (ap-southeast-3)
• Ireland: Europe (Ireland) (eu-west-1)
• Israel: Israel (Tel Aviv) (il-central-1)*
• Italy: Europe (Milan) (eu-south-1)
• Japan: Asia Pacific (Tokyo) (ap-northeast-1), Asia Pacific (Osaka) (ap-northeast-3)
• Singapore: Asia Pacific (Singapore) (ap-southeast-1)
• South Africa: Africa (Cape Town) (af-south-1)
• South Korea: Asia Pacific (Seoul) (ap-northeast-2)

A7
• Spain: Europe (Spain) (eu-south-2)
• Sweden: Europe (Stockholm) (eu-north-1)
• Switzerland: Europe (Zurich) (eu-central-2)

• United Arab Emirates: Middle East (UAE) (me-central-1)
• United States: US East (Northern Virginia) (us-east-1), US East (Ohio) (us-east-2), US West (Oregon) (us-west-2), US West (Northern California) (us-west-1), AWS GovCloud (US-East) (us-gov-east-1), AWS GovCloud (US-West) (us-gov-west-1)

* Effective date for this region is February 15, 2024.

and the following AWS Edge locations in:

• Caba, Argentina
• General Pacheco, Argentina
• Brisbane, Australia
• Canberra, Australia
• Hume, Australia
• Melbourne, Australia
• Perth, Australia
• Sydney, Australia
• Vienna, Austria
• Brussels, Belgium
• Fortaleza, Brazil
• Rio de Janeiro, Brazil
• São Paulo, Brazil
• Sofia, Bulgaria
• Montreal, Canada
• Toronto, Canada
• Vancouver, Canada
• Huechuraba, Chile
• Santiago de Chile, Chile
• Bogotá, Colombia
• Zagreb, Croatia
• Prague, Czech Republic
• Ballerup, Denmark
• Tallinn, Estonia
• Helsinki, Finland
• Espoo, Finland
• Aubervilliers, France
• Marseille, France
• Paris, France
• Berlin, Germany
• Dusseldorf, Germany
• Frankfurt, Germany
• Hamburg, Germany
• Munich, Germany
• Kropia, Greece
• Budapest, Hungary
• Bangalore, India
• Chennai, India
• Hyderabad, India
• Kolkata, India
• Mumbai, India
• New Delhi, India
• Noida, India
• Pune, India
• Bekasi, Indonesia
• Jakarta, Indonesia
• Clonshaugh, Ireland
• Dublin, Ireland
• Haifa, Israel
• Milan, Italy
• Rome, Italy
• Inzai, Japan
• Koto City, Japan
• Osaka, Japan
• Shinagawa, Japan
• Nairobi, Kenya
• Kuala Lumpur, Malaysia
• Santiago de Querétaro, Mexico
• Amsterdam, Netherlands
• Schiphol-Rijk, Netherlands
• Rosedale, New Zealand
• Lagos, Nigeria
• Oslo, Norway
• Barka, Oman
• Santiago de Surco, Peru
• Manila, Philippines
• Warsaw, Poland
• Lisbon, Portugal
• Bucharest, Romania
• Hong Kong, SAR
• Singapore, Singapore
• Cape Town, South Africa
• Johannesburg, South Africa
• Anyang-si, South Korea
• Seoul, South Korea
• Barcelona, Spain
• Madrid, Spain
• Stockholm, Sweden
• Zurich, Switzerland
• New Taipei City, Taiwan
• Taipei, Taiwan
• Bangkok, Thailand
• Bang Chalong, Thailand
• Dubai, United Arab Emirates
• Fujairah, United Arab Emirates
• London, United Kingdom
• Manchester, United Kingdom
• Slough, United Kingdom
• Swinton, United Kingdom
• Ashburn, United States
• Atlanta, United States
• Bluffdale, United States
• Boston, United States
• Chandler, United States
• Chicago, United States
• Columbus, United States
• Dallas, United States
• Denver, United States
• El Segundo, United States
• Elk Grove Village, United States
• Franklin, United States
• Greenwood Village, United States
• Hillsboro, United States
• Houston, United States
• Irvine, United States
• Irving, United States
• Kansas City, United States
• Las Vegas, United States
• Los Angeles, United States
• Lynnwood, United States
• Miami, United States
• Milpitas, United States
• Minneapolis, United States
• New York City, United States
• Newark, United States
• North Las Vegas, United States
• Palo Alto, United States
• Philadelphia, United States
• Phoenix, United States
• Piscataway, United States
• Pittsburgh, United States
• Portland, United States
• Reston, United States
• Richardson, United States
• San Jose, United States
• Seattle, United States
• Secaucus, United States
• Tampa, United States
• Tempe, United States
• Vienna, United States
• West Valley City, United States
• Hanoi, Vietnam
• Ho Chi Minh, Vietnam

and the following Wavelength locations in:

• Toronto, Canada
• Berlin, Germany
• Dortmund, Germany
• Munich, Germany
• Osaka, Japan
• Tama, Japan
• Daejeon, South Korea
• Seoul, South Korea
• London, United Kingdom
• Salford, United Kingdom
• Alpharetta, United States
• Annapolis Junction, United States
• Aurora, United States
• Azusa, United States
• Charlotte, United States
• Euless, United States
• Houston, United States
• Knoxville, United States
• Las Vegas, United States
• Minneapolis, United States
• New Berlin, United States
• Pembroke Pines, United States
• Plant City, United States
• Redmond, United States
• Rocklin, United States
• Southfield, United States
• Tempe, United States
• Wall Township, United States
• Westborough, United States

as well as Local Zone locations in:


• Buenos Aires, Argentina
• Perth, Australia
• Santiago, Chile
• Copenhagen, Denmark
• Helsinki, Finland
• Hamburg, Germany
• Kolkata, India
• New Delhi, India
• Noida, India*
• Queretaro, Mexico
• Rosedale, New Zealand
• Lagos, Nigeria
• Muscat, Oman
• Lima, Peru
• Manila, Philippines
• Warsaw, Poland
• Singapore, Singapore*
• Taipei, Taiwan
• Bangkok, Thailand
• Atlanta, United States
• Boston, United States
• Chicago, United States
• El Segundo, United States
• Garland, United States
• Greenwood Village, United States
• Hillsboro, United States
• Houston, United States
• Irvine, United States
• Itasca, United States
• Kansas City, United States
• Las Vegas, United States
• Lee's Summit, United States*
• Lithia Springs, United States
• Mesa, United States
• Miami, United States
• Minneapolis, United States
• Philadelphia, United States
• Phoenix, United States
• Piscataway, United States
• Richardson, United States
• Seattle, United States

* This location is a Dedicated Local Zone and may not be available to all customers.

Shared Responsibility Environment

Moving the customer's IT infrastructure to AWS creates a shared responsibility model between customers and AWS. AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. In turn, customers assume responsibility for the design, implementation and operation of their AWS environment, which may include guest operating systems (including updates and security patches), other associated application software, and the configuration of the AWS-provided security group firewall. Customers should carefully consider the services they choose, as customer responsibilities vary depending on the services they use, the integration of those services into their IT environments, and applicable laws and regulations. It is possible to enhance security and/or meet more stringent compliance requirements by leveraging technology such as host-based firewalls, host-based intrusion detection/prevention, and encryption. AWS provides tools and information to assist customers in their efforts to account for and validate that controls are operating effectively in their extended IT environment. More information can be found on the AWS Compliance center at https://aws.amazon.com/compliance.

AWS offers a variety of different infrastructure and platform services. More information can be found on the AWS Shared Responsibility Model at https://aws.amazon.com/compliance/shared-responsibility-model/. For the purpose of understanding security and shared responsibility for AWS' services, AWS has categorized them into three main categories: infrastructure, container, and abstracted. Each category comes with a slightly different security ownership model based on how customers interact with and access the functionality. Customer responsibility is determined by the AWS Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities.

Infrastructure Services: Services such as Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Virtual Private Cloud (Amazon VPC) are categorized as Infrastructure Services and, as such, require the customer to perform the necessary security configuration and management tasks. If a customer deploys an Amazon EC2 instance, they are responsible for management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instance, and the configuration of the AWS-provided firewall (called a security group) on each instance.
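The security group on each instance is the customer's control under this model, so it is the customer who has to verify it. The following is an added example, not code from the report or from AWS: a small Python audit that reads security group descriptions in the JSON shape returned by `aws ec2 describe-security-groups` (the same shape boto3's `describe_security_groups()` returns) and flags inbound rules reachable from any source address (0.0.0.0/0 or ::/0) on ports outside an allow-list. The sample groups and their IDs, the `PUBLIC_OK_PORTS` allow-list and the function names are assumptions constructed for the example.

```python
"""Audit security group ingress rules for world-reachable ports.

Added example for the shared responsibility discussion; it is not code from
the SOC 1 report or from AWS.  Input is the JSON shape returned by
`aws ec2 describe-security-groups` (and boto3's describe_security_groups()).
The sample groups, their IDs and the PUBLIC_OK_PORTS allow-list below are
constructed assumptions for the example.
"""
from __future__ import annotations

import ipaddress
import json
import sys
from typing import Iterable

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")

# Assumed allow-list: ports a public web tier is expected to expose to the
# world.  Any other port reachable from any source address is reported.
PUBLIC_OK_PORTS = frozenset({80, 443})

# Constructed sample in describe-security-groups shape (not real groups).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0ccc", "GroupName": "legacy", "IpPermissions": [
        # IpProtocol "-1" means all protocols and ports; no FromPort/ToPort.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]


def _is_world_open(cidr: str) -> bool:
    """True if the CIDR is the whole IPv4 or IPv6 address space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net in (ANY_V4, ANY_V6)


def _ports_all_allowed(perm: dict) -> bool:
    """True only if every port the rule opens is on the allow-list."""
    if perm.get("IpProtocol") == "-1":
        return False  # all ports, all protocols: never acceptable from anywhere
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None or lo < 0:
        return False  # e.g. ICMP with FromPort -1 ("all types")
    return all(p in PUBLIC_OK_PORTS for p in range(lo, hi + 1))


def _describe_ports(perm: dict) -> str:
    """Human-readable protocol/port range for a finding."""
    if perm.get("IpProtocol") == "-1":
        return "all ports/protocols"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    proto = perm.get("IpProtocol")
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def find_world_open_ingress(groups: Iterable[dict]) -> list[dict]:
    """Return one finding per (group, rule, source) that any host can reach."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if _ports_all_allowed(perm):
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if _is_world_open(cidr):
                    findings.append({"group": sg["GroupId"],
                                     "ports": _describe_ports(perm),
                                     "source": cidr})
    return findings


def audit_describe_output(doc: dict) -> list[dict]:
    """Audit the top-level document from describe-security-groups."""
    return find_world_open_ingress(doc.get("SecurityGroups", []))


if __name__ == "__main__":
    # Pipe real output in; fall back to the constructed sample on a terminal.
    doc = {"SecurityGroups": SAMPLE_GROUPS} if sys.stdin.isatty() else json.load(sys.stdin)
    for f in audit_describe_output(doc):
        print(f"{f['group']}: {f['ports']} open to {f['source']}")
```

Against a live account, pipe `aws ec2 describe-security-groups --output json` into the script; with no input it audits the embedded sample, reporting the bastion group's SSH rule and the legacy group's all-traffic rule while passing the web group, whose 443 rule is on the allow-list and whose SSH rule is scoped to one /24. Each finding is a candidate control exception on the customer side of the model; the script deliberately ignores `UserIdGroupPairs` (rules that reference other security groups), which are not world-reachable by construction.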

Container Services: Services in this category typically run on Amazon EC2 or other infrastructure instances, but customers are often not required to manage the operating system or the platform layer. AWS provides a managed service for these application "containers". Customers are responsible for setting up and managing network controls, such as firewall rules, and for managing platform-level identity and access management separately from IAM. Examples of container services include Amazon Relational Database Service (Amazon RDS), Amazon Elastic MapReduce (Amazon EMR) and AWS Elastic Beanstalk.

Abstracted Services: This category includes high-level storage, database, and messaging services, such as Amazon Simple Storage Service (Amazon S3), Amazon S3 Glacier, Amazon DynamoDB, Amazon Simple Queue Service (Amazon SQS), and Amazon Simple Email Service (Amazon SES). These services abstract the platform or management layer on which customers build and operate cloud applications. Customers access the endpoints of these abstracted services using AWS APIs, and AWS manages the underlying service components and the operating system on which they reside.

As every customer deploys their environment differently in AWS, customers can take advantage of shifting the management of certain IT controls to AWS, which results in a (new) distributed control environment. Customers can then use the AWS control and compliance documentation available to them to perform their control evaluation and verification procedures as required. Certain functions of services have been identified as controls in the system description and are denoted as "service-specific" as they are unique to the respective service.

More information and examples on the AWS Security Best Practices can be found at https://aws.amazon.com/architecture/security-identity-compliance/. Furthermore, AWS publishes security blogs covering best practices for using AWS services at https://aws.amazon.com/blogs/security/tag/best-practices/.

Hosting Financial Systems


AWS offers a variety of services, and customers have the flexibility to architect AWS services to meet the varying needs of their computing and storage requirements, including the hosting of financial applications. Customers specifically using one or more of the AWS services within the scope of this report (outlined above under the Amazon Web Services System Overview) to support their financial applications may use this report to support their understanding of the design and operating effectiveness of the AWS control environment as assessed by the Independent Service Auditor's Assurance Report for financial reporting purposes.

Relevant Aspects of Internal Controls


As defined by the American Institute of Certified Public Accountants (AICPA), internal control is a process effected by an entity's board of directors, management, and other personnel and consists of five interrelated components:

• Control Environment – Sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
• Risk Assessment – The entity's identification and analysis of relevant risks to the achievement of its objectives, forming a basis for determining how the risks should be managed.
• Information and Communication – Surrounding these activities are information and communication systems. These enable the entity's people to capture and exchange information needed to conduct and control its operations.
• Monitoring – The entire process must be monitored, and modifications made as necessary. In this way, the system can react dynamically, changing as conditions warrant.
• Control Activities – Control policies and procedures must be established and executed to help ensure that the actions identified by management as necessary to address risks to the achievement of the entity's objectives are effectively carried out.

This section briefly describes the essential characteristics and other interrelated components of internal controls in achieving the control objectives as they pertain to AWS that may be relevant to customers in five broad areas:

• Policies (Control Environment and Risk Management) – The entity has defined and documented its policies relevant to the particular principles.
• Communications (Information and Communication) – The entity has communicated its defined policies to responsible parties and authorized users of the system.
• Service Commitments and System Requirements (Control Activities) – The entity has communicated its service commitments and system requirements to customers in accordance with customer agreements.
• Procedures (Control Activities) – The entity has placed in operation procedures to achieve service commitments and system requirements in accordance with its defined policies.
• Monitoring – The entity monitors the system and takes action to maintain compliance with its defined policies.

A. Policies
A.1 Control Environment

AWS is a unit within Amazon.com ("Amazon" or "the Company") that is aligned organizationally around each of the web services, such as Amazon EC2, Amazon S3, Amazon VPC, Amazon EBS and Amazon RDS. AWS leverages some aspects of Amazon's overall control environment in the delivery of these web services. The collective control environment encompasses management and employee efforts to establish and maintain an environment that supports the effectiveness of specific controls. AWS maintains internal informational websites describing the AWS environment, its boundaries, user responsibilities and services (Control AWSCA-9.1).

The control environment at Amazon begins at the highest level of the Company. Executive and senior leadership play important roles in establishing the Company's core values and tone at the top. The Company's Code of Business Conduct and Ethics, which sets guiding principles, is made available to every employee.

Amazon is committed to having the highest qualified members as a part of its Board of Directors (Control AWSCA-1.7). Annually, the Amazon Corporate Governance Committee provides each Board member a questionnaire that establishes whether they are independent and qualified to serve on each Board or Committee under the applicable rules. The Corporate Governance Committee periodically reviews and assesses the composition of the Board and evaluates the overall Board performance during the annual assessment of individual Board members. The Leadership Development and Compensation Committee, with the full Board present, annually evaluates the succession plan for each member of the Senior Management team (Control AWSCA-1.8). This includes the annual Company and CEO performance and succession plan.

AWS is committed to protecting its customers' data and maintaining compliance with applicable regulatory requirements. This is demonstrated by the consolidated annual operational plan, which includes regulatory and compliance requirements and objectives to enable the identification and assessment of risks relating to those objectives (Control AWSCA-1.9). AWS' policies and procedures outline the required guidance for operation and information security that supports AWS environments, acceptable use of mobile devices, and access to data content and network devices (Control AWSCA-3.16). All AWS employees are required to review all applicable policies and procedures, as updated from time to time. Evidence of completion of the training on AWS policies is retained by the employee resource team.

Amazon has set up an ethics hotline for employees and third-party contractors to report any misconduct or violation of AWS policies, practices, rules, requirements or procedures (Control AWSCA-9.6). Any material violation of the Company Code of Business Conduct and Ethics or any other similar policies is handled accordingly, which may include disciplinary action or termination of employment. Violations by vendors or third-party contractors are reported to their employers for disciplinary action, removal of assignment with Amazon, or termination (Control AWSCA-9.7).

AWS Management has implemented a formal audit program that monitors and audits controls designed to protect against organizational risks and to protect customer content. This includes external independent assessments against regulatory, internal and external control frameworks. The internal and external audits are planned, performed and reported to the Audit Committee. The AWS compliance team performs and reviews the audit plan according to the documented audit schedule and communicates the audit requirements based on standard criteria that verify compliance with the regulatory requirements and reported risk to the Audit Committee.

AWS Artifact is the primary resource for customers to obtain compliance-related information from AWS. It provides access to AWS' security and compliance reports and select online agreements. Reports available in AWS Artifact include AWS Service System and Organization Controls (SOC) reports, Payment Card Industry (PCI) Attestation of Compliance, and certifications from accreditation bodies across geographies and industry verticals that validate the implementation and operating effectiveness of AWS security controls. Amongst other things, compliance reports are made available to customers to enable them to evaluate AWS' conformance with security controls and associated compliance obligations (Control AWSCA-9.8).

The AWS organizational structure provides a framework for planning, executing and controlling business operations (Control AWSCA-1.1). The organizational structure assigns roles and responsibilities to provide for adequate staffing, efficiency of operations and the segregation of duties. Management has also established authority and appropriate lines of reporting for key personnel. The Company follows a structured on-boarding process to assist new employees as they become familiar with Amazon tools, processes, systems, policies and procedures.

AWS performs a formal evaluation of resourcing and staffing to align employee qualifications with the entity's business objectives and to support their achievement. Appropriate feedback is given to the employee on strengths and growth areas during the annual performance review process. Employee strength and growth evaluations are shared by the employee's manager with the employee (Control AWSCA-9.3).

The GovCloud (US East) and GovCloud (US West) environments are AWS regions located in the United States (US) that are designed to maintain physical and logical access controls that limit access by AWS personnel to the AWS Network for the GovCloud (US) regions to US citizens. The AWS control environment described in this document is also applicable to the GovCloud (US) regions. The AWS control environment is subject to various internal and external risk assessments.

AWS has established an information security framework and regularly reviews and updates the security policies, provides security training, which includes data classification, to employees, and performs application security reviews. These reviews assess the availability, confidentiality, and integrity of data, as well as conformance to the security policies. Where necessary, AWS Security leverages the security framework and security policies established and maintained by Amazon Corporate Information Security.

AWS has a process in place to review environmental and geo-political risks before launching a new region (Control AWSCA-1.10). Risk assessments encompass reviews of natural catastrophe (e.g., extreme weather events), technological (e.g., fire, nuclear radiation, industrial pollution) and man-made (e.g., vehicle impact, intentional acts, geo-political) hazards, including exposures presented by nearby entities, as applicable. In addition to site-specific considerations, AWS evaluates scenarios potentially affecting separate AZs within a region.

A.2 Risk Management

AWS maintains a formal risk management program to identify, analyze, treat, and continuously monitor and report risks that affect AWS' business objectives, regulatory requirements, and customers. The AWS Risk Management (ARM) program identifies risks, documents them in a risk register, and reports results to leadership at least semi-annually. The risk management program consists of the following phases:

1) Identifying Risks

ARM has developed a tailored approach to identifying risks across the business. The approach is:
• Bottom-up, to identify existing risk management activities
• Top-down, to gather information from key leaders
• Proactive outreach from risk owners to gather information from other internal teams, external events, and industry trends

Where appropriate, ARM conducts ad-hoc engagements with the business prompted by inbound requests or proactive outreach by the team on specific questions.

2) Analyzing Risks

ARM reviews the identified risks with senior leaders to calibrate, assess, and prioritize. This is accomplished by evaluating:
• Probability (likelihood of occurrence in a defined time period);
• Impact (degree of severity in terms of customers, employees, cost, operations, legal and regulatory compliance, and reputation); and
• Current Risk Management Effectiveness (existence of practices or controls that reduce inherent risk).

3) Treating Risks

ARM adopts risk treatment (versus risk mitigation) as a strategy, collaborating with business SMEs to develop response plans based on the appropriate treatment option. These might include:
• Eliminating or avoiding the risk (e.g., stopping the activity)
• Reducing the risk (e.g., implementing controls)
• Transferring the risk (e.g., to a third party)
• Accepting the risk (when capacity and appetite exist)

4) Monitoring and Reporting Risks

ARM actively monitors material risks and their treatment plans. Reports are provided to senior leadership at least semi-annually. Reports may include important information about key risks and treatments, as well as emerging trends and general program updates (Control AWSCA-1.5).

In addition to the ARM Risk Assessment, Internal Audit performs a separate Risk Assessment to identify and prioritize significant AWS risks and uses this information to define the audit plan. The Risk Assessment incorporates input from multiple sources such as changes to the business, internal audits, operational events, and emerging risks. The audit plan and any changes to the plan during the year are presented to the Audit Committee. Internal Audit also communicates significant audit findings and associated action plans to the Audit Committee.

Additionally, at least on a monthly basis, AWS management reviews the AWS operational metrics and Correction of Errors (COEs) to improve the overall availability of AWS services and to identify areas of improvement while mitigating risks to AWS environments. The COE documents are used to perform deep root cause analysis of certain incidents across AWS, document actions taken, and assign follow-up action items and owners to track to resolution.

B. Communications

AWS has implemented various methods of internal communication at a global level to help employees understand their individual roles and responsibilities and to communicate significant events in a timely manner. These methods include orientation and training programs for newly hired employees; annual training programs tailored to employee roles and responsibilities, which may include Amazon Security Awareness (ASA) (Control AWSCA-1.4), Software Development Engineer (SDE) Bootcamp, ITAR Secure Coding Training, Threat Modeling the Right Way for Amazon Builders, Fraud/Bribery/Foreign Corrupt Practices training, Privacy Engineering Foundations for AWS Service Teams, confidentiality training, Managing Third Parties Using the Third-Party Risk Management Lifecycle, and Export Compliance trainings; regular management meetings for updates on business performance and other matters; and electronic means such as video conferencing, electronic mail messages, and the posting of information via the Amazon intranet on topics such as reporting of information security incidents and guidelines describing change management.

C. Service Commitments and System Requirements

C.1 Service Commitments

AWS communicates service commitments to user entities (AWS customers) in the form of Service Level Agreements (SLAs), customer agreements (https://aws.amazon.com/agreement/), contracts or through the description of the service offerings provided online through the AWS website. More information regarding Service Level Agreements can be found at https://aws.amazon.com/legal/service-level-agreements/.

AWS uses various methods of external communication to support its customer base and the community. Mechanisms are in place to allow the AWS Support Escalation and Event Management (E2M) team to be notified of, and to notify customers of, potential operational issues that could impact the customer experience. The AWS Health Dashboard is available to alert customers: "General Service Events" shows the health of all AWS services, and "Your Account Events" shows events specific to the account. Current status information can be checked by the customer on this site, or by leveraging Amazon EventBridge integrations or RSS feeds, which allow customers to be notified of interruptions to each individual service. Details related to security and compliance with AWS can also be obtained on the AWS Security Center and AWS Compliance websites.

Customers have the ability to contact AWS through the 'Contact us' page for any issues related to the AWS services. AWS provides publicly available mechanisms for external parties to contact AWS to report security events and publishes information including a system description and security and compliance information addressing AWS commitments and responsibilities (Control AWSCA-9.5). Customers can also subscribe to Premium Support offerings that include direct communication with the customer support team and proactive alerts for any customer-impacting issues. AWS also deploys monitoring and alarming mechanisms, configured by AWS Service Owners, to identify and notify operational and management personnel of incidents when early warning thresholds are crossed on key operational metrics (Control AWSCA-8.1). Additionally, incidents are logged within a ticketing system, assigned a severity rating and tracked to resolution (Control AWSCA-8.2).

C.2 System Requirements

The selection and use of services by AWS' customers must be set up and operated under a shared responsibility model so that the functionality of the services and the associated security are appropriately managed. AWS is responsible for protecting the infrastructure that runs the service(s) offered in the AWS Cloud. The customer's responsibility is determined by the AWS Cloud service(s) that a customer selects and the interdependencies of those services within the AWS Cloud and their own networked environment. Customers should assess the objectives for their network when designing IT components by identifying the risks and the corresponding controls to be implemented to address those risks. Customers should carefully consider the services they choose, as their responsibilities vary depending on the service(s) as well as the type of configuration(s) and operational controls required as part of their security responsibilities.

When designing and developing its services, AWS management has created internal policies that are relevant to the services and systems available to customers. The development of these policies and procedures supports management with decision making and the operational teams with business requirements and management of each service and system. As each AWS service is unique, the system requirements to use different services vary depending on the service and each customer's environment.

AWS has processes and infrastructure in place to make the services available to customers to meet their needs. AWS communicates its system requirements to customers, and how to get started with using the AWS services, in the form of user guides, developer guides, API references, service-specific tutorials, and SDK toolkits. More information regarding the AWS Documentation can be found at https://docs.aws.amazon.com/. These resources help customers with architecting the AWS services to satisfy their business needs.

AWS has identified the following objectives to support the security, change, and operational processes underlying its service commitments and business requirements. The objectives ensure the system operates and mitigates the risks that threaten the achievement of the service commitments and system requirements. The objectives below provide reasonable assurance that:

• Data integrity is maintained through all phases, including transmission, storage and processing.
• Procedures have been established so that Amazon employee user accounts are added, modified and deleted in a timely manner and reviewed on a periodic basis.
• Policies and mechanisms are in place to appropriately restrict unauthorized internal and external access to data and customer content is appropriately segregated from other customers.
• System incidents are recorded, analyzed and resolved.
• Changes (including emergency/non-routine and configuration) to existing IT resources are logged, authorized, tested, approved and documented.
• Critical system components are replicated across multiple AZs and authoritative backups are maintained and monitored to ensure successful replication to meet the service commitments.
• Controls are implemented to safeguard data from within and outside of the boundaries of environments which store a customer’s content to meet the service commitments.

Proprietary and Confidential Information - Trade Secret
©2024 Amazon.com, Inc. or its affiliates
Section III – Description of the Amazon Web Services System

D. Procedures

D.1 Security Organization

AWS has an established information security organization that is managed by the AWS Security team and is led by the AWS Chief Information Security Officer (CISO). AWS Security team responsibilities are defined and allocated across the organization. The AWS Security team works with AWS service teams, other internal security teams, and external parties to ensure that security risks are mitigated (Control Objective 1: Security Organization). AWS Security establishes and maintains policies and procedures to delineate standards for logical access on the AWS system and infrastructure hosts. The policies also identify functional responsibilities for the administration of logical access and security. Where applicable, AWS Security leverages the information system framework and policies established and maintained by Amazon Corporate Information Security. AWS and Amazon Corporate Information Security policies are reviewed and approved on an annual basis by AWS Security Leadership and are used to support AWS in meeting the service commitments made to the customer (Control AWSCA-1.1, AWSCA-1.2, and AWSCA-1.3).

As part of this annual assessment, the following policies were inspected to verify approval occurred within the last year:

• AWS Access Control Policy
• AWS Configuration Management Policy
• AWS Contingency Planning Policy
• AWS Critical Permission Group Standard
• Data Center Security Standard: Media Handling, Storage and Destruction
• AWS Data Classification and Handling Policy
• AWS Facility Badge Management and Use Standard
• AWS Identification and Authentication Policy
• AWS Incident Response Policy
• AWS Information Security Risk Management Policy
• AWS Internal Privacy Policy
• AWS Media Protection Policy
• AWS Password Policy
• AWS Personnel Security Policy
• AWS Physical and Environmental Protection Policy
• Secure Software Development Policy
• AWS Security Assessment and Certification Standard
• AWS Security Awareness Training Policy
• AWS System and Communications Protection Policy
• AWS System and Information Integrity Policy
• AWS System Maintenance Policy
• AWS Third Party Information Sharing Policy

AWS has a security awareness and training policy that is disseminated via an internal Amazon communication portal to all employees. This policy addresses purpose, scope, roles, responsibilities, and management commitment. AWS maintains and provides security awareness training to all information system users on an annual basis. The policy also includes components such as privacy, data protection training, and data handling leading practices (Control AWSCA-1.4).

As a part of AWS’ responsibilities within the shared responsibility model, AWS implements the three lines of defense model established by the Institute of Internal Auditors (IIA), discussed in the IIA’s Three Lines Model whitepaper (https://www.theiia.org/en/content/position-papers/2020/the-iias-three-lines-model-an-update-of-the-three-lines-of-defense/). In this model, operational management is the first line of defense, the various risk control and compliance oversight functions established by management are the second line of defense (Control AWSCA-1.5), and independent assurance is the third.

As its third line of defense, Amazon has an Internal Audit function to periodically evaluate risks and assess conformance to AWS security processes with due professional care (Control AWSCA-9.8). Further, AWS Security Assurance works with third-party assessors to obtain an independent assessment of risk management content/processes by performing periodic security assessments and compliance audits or examinations (e.g., SOC, FedRAMP, ISO, PCI) to evaluate the security, integrity, confidentiality, and availability of information and resources. AWS management also collaborates with Internal Audit to determine the health of the AWS control environment and leverages this information to fairly present the assertions made within the reports.
D.2 Employee User Access

Procedures exist so that Amazon employee and contractor user accounts are added, modified, or disabled in a timely manner and are reviewed on a periodic basis. In addition, password configuration settings for user authentication to AWS systems are managed in compliance with Amazon’s Password Policy (Control Objective 2: Employee User Access).

AWS has established policies and procedures to delineate standards for logical access to AWS systems and infrastructure hosts. Where permitted by law, AWS requires that employees undergo a background screening, at the time of hiring, commensurate with their position and level of access, in accordance with the AWS Personnel Security Policy (Control AWSCA-9.2). The policies also identify functional responsibilities for the administration of logical access and security.

Additionally, AWS employees who have access to systems that could impact the confidentiality, integrity, availability, or privacy of customer content are required to complete a post-hire background screening within a year from their last background check. Post-hire screening includes criminal screening requirements consistent with the pre-hire background screening. Access to the systems that could impact the confidentiality, integrity, availability, or privacy of customer content is managed by membership in permission groups. Employees who support internal services or have access to network resources are not required to complete the post-hire background screening. Post-hire background screening is conducted where it is legally permissible by local law, in accordance with the AWS Personnel Security Policy (Control AWSCA-9.9).

Account Provisioning

The responsibility for provisioning user access, which includes employee and contractor access, is shared across Human Resources (HR), Corporate Operations, and Service Owners.

A standard employee or contractor account with minimum privileges is provisioned in a disabled state when a hiring manager submits his or her new employee or contractor onboarding request in Amazon’s HR system. The account is automatically enabled after the employee’s record is activated in Amazon’s HR system. First time passwords are set to a unique value and are required to be changed on first use (Control AWSCA-2.1).

Access Management

AWS employs the concept of least privilege, allowing only the necessary access for users to accomplish their job function. User accounts are created to have minimal access. Access above these least privileges requires appropriate and separate authorization.

Access to resources including Services, Hosts, Network devices, and Windows and UNIX groups is approved in Amazon’s proprietary permission management system by the appropriate owner or manager. Requests for changes in access are captured in the Amazon permissions management tool audit log. When changes in an employee’s job function occur, continued access must be approved to the resource or it will be automatically revoked (Control AWSCA-2.2).

Periodic Access Review

Access control lists or permission groups granting access to critical infrastructure are reviewed for appropriateness on a periodic basis. On a quarterly basis, AWS reviews the access to systems supporting the infrastructure and network; explicit re-approval is required, or access to the resource is revoked. On a semi-annual basis, AWS reviews the access to AWS accounts. When an internal user no longer has a required business need to access the operational management system, the user’s privileges and access to the relevant systems are revoked (Control AWSCA-2.3).
Access Removal

Access is revoked when an employee’s record is terminated in Amazon’s HR system. Windows and UNIX accounts are disabled, and Amazon’s permission management system removes the user from all systems (Control AWSCA-2.4).
Password Policy

Access and administration of logical security for Amazon relies on user IDs, passwords and Kerberos to authenticate users to services, resources and devices as well as to authorize the appropriate level of access for the user. AWS Security has established a password policy with required configurations and expiration intervals. AWS has a credential monitoring and response process to monitor compromised credentials for Amazon employees. Impacted user credentials are identified, tracked and rotated in a timely manner (Control AWSCA-2.5).


Remote Access

AWS requires two-factor authentication over an approved cryptographic channel for authentication to the internal AWS network from remote locations (Control AWSCA-2.6).

D.3 Logical Security

Procedures and mechanisms are in place to appropriately restrict unauthorized internal and external access to data, and access to customer content is appropriately segregated from other customers (Control Objective 3: Logical Security).

APIs enable customers to articulate who has access to AWS services and resources (if resource-level permissions are applicable to the service) that they own. AWS prevents customers from accessing AWS resources that are not assigned to them via access permissions. User content is segregated by the service’s software. Content is only returned to individuals authorized to access the specified AWS service or resource (if resource-level permissions are applicable to the service) (Control AWSCA-3.5).

AWS performs Application Security (AppSec) reviews when needed for externally launched products, services, and significant feature additions prior to launch to ensure that security risks are identified and mitigated. As a part of the AppSec review, the Application Security team collects detailed information about the artifacts required for the review. The Application Security team tracks reviews against an independently managed inventory of products and features to be released to ensure that none are inadvertently launched before a completed review. As part of the security review, newly created or modified IAM policies allowing end users to interact with launched updates are also reviewed. The Application Security team then determines the granularity of review required based on the artifact’s design, threat model, and impact to AWS’ risk profile. During this process, they work with the service team to identify, prioritize, and remediate security findings. The Application Security team provides their final approval for launch only upon completion of the review (Control AWSCA-3.6). Penetration testing is performed as needed.
AWS Network Security

The AWS Network consists of the internal data center facilities, servers, networking equipment and host software systems that are within AWS’ control and are used to provide the services.

The AWS network provides significant protection against traditional network security issues. The following are a few examples:
• Distributed Denial of Service (DDoS) Attacks. AWS API endpoints are hosted on large, Internet-scale infrastructure and use proprietary DDoS mitigation techniques. Additionally, AWS’ networks are multi-homed across a number of providers to achieve Internet access diversity (Control AWSCA-8.1).
• Man in the Middle (MITM) Attacks. All of the AWS APIs are available via TLS/SSL-protected endpoints, which provide server authentication. Amazon EC2 AMIs automatically generate new SSH host certificates on first boot and log them to the instance’s console. Customers can then use the secure APIs to call the console and access the host certificates before logging into the instance for the first time. Customers can use TLS/SSL for all of their interactions with AWS (Control AWSCA-3.11).
• IP Spoofing. The AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own (Control AWSCA-3.10).

• Port Scanning. Unauthorized port scans by Amazon EC2 customers are a violation of the AWS Acceptable Use Policy. Violations of the AWS Acceptable Use Policy are taken seriously, and every reported violation is investigated. Customers can report suspected abuse via the contacts available on our website at: https://aws.amazon.com/contact-us/report-abuse/. Port scans of Amazon EC2 instances are generally ineffective because, by default, all inbound ports on Amazon EC2 instances are closed and are only opened by the customer. Customers’ strict management of security groups can further mitigate the threat of port scans. Customers may request permission to conduct vulnerability scans as required to meet specific compliance requirements. These scans must be limited to customers’ own instances and must not violate the AWS Acceptable Use Policy. Advance approval for these types of scans can be initiated by submitting a request via the website at: https://aws.amazon.com/security/penetration-testing/.

• Packet sniffing by other tenants. Virtual instances are designed to prevent other instances running in promiscuous mode from receiving or “sniffing” traffic that is intended for a different virtual instance. While customers can place instances into promiscuous mode, the hypervisor will not deliver any traffic to them that is not addressed to them. Even two virtual instances that are owned by the same customer located on the same physical host cannot listen to each other’s traffic. While Amazon EC2 does provide protection against one customer inadvertently or maliciously attempting to view another’s data, as standard practice customers can encrypt sensitive traffic (Control AWSCA-3.10).
• Anti-virus software installed on workstations. Anti-virus software is deployed and running on Amazon corporate workstations. Client Engineering and Enterprise Engineering teams deploy Anti-virus software at imaging to Amazon corporate workstations. Checks are in place to assure that Anti-virus software is installed and running, and quarantine tooling isolates non-compliant workstations from the network until remediation is effected (Control AWSCA-3.18).

In addition, firewall devices are configured to restrict access to production networks (Control AWSCA-3.1). The configurations of these firewall policies are maintained via an automatic push from a parent server (Control AWSCA-3.2). All changes to the firewall policies are reviewed and approved (Control AWSCA-3.3).

AWS Security performs regular vulnerability scans on the host operating systems, web applications, and databases in the AWS environment using a variety of tools (Control AWSCA-3.4). AWS Security teams also subscribe to newsfeeds for applicable vendor flaws and proactively monitor vendors’ websites and other relevant outlets for new patches. AWS customers also have the ability to report issues to AWS via the AWS Vulnerability Reporting website at: https://aws.amazon.com/security/vulnerability-reporting/.

AWS employs virtualization techniques including virtual networking devices and host-based firewalls, which control traffic flow restrictions via Access Control Lists (ACLs) in EC2 and VPC, and as EC2 instances which present a variety of operating systems. It is the responsibility of the customers to appropriately configure server resources within the customer VPC.

External Access Control

External access to services is configurable by customers via AWS Identity and Access Management (IAM). IAM enables customers to securely control access to AWS services and resources for their users. Using IAM, customers can create and manage AWS users, roles, groups, and create and attach policies to those entities with granular permissions that allow and deny access to AWS resources. Security Groups act as firewalls and may also be used to control access to some in-scope applications such as VPC, EFS, ElastiCache, and DMS. These groups default to a “deny all” access mode and customers must specifically authorize network connectivity. This can be achieved by authorizing a network IP range or authorizing an existing Security Group (Control AWSCA-3.5).
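The “deny all” default and the two ways of opening a Security Group described above (an address range, or a reference to an existing group) are what a reviewer checks when auditing ingress rules, and the Port Scanning bullet earlier in this section makes the same point about strict security-group management. The following is an added example, not code from this report or from AWS: it walks security-group records shaped like EC2 describe-security-groups output (the GroupId, IpPermissions, IpRanges, Ipv6Ranges and UserIdGroupPairs fields), flags any rule that exposes something other than an intentionally public web port to 0.0.0.0/0 or ::/0, and leaves rules that reference another Security Group alone. The sample groups, their placeholder IDs and the PUBLIC_OK_TCP_PORTS set are assumptions of the example.

```python
"""Flag world-open ingress rules in EC2 security groups.

Added example, not code from the report or from AWS. Input mirrors the shape of
describe-security-groups output; the groups below are constructed for the example.
"""
from __future__ import annotations

import ipaddress

# Ports this example accepts as intentionally public listeners (an assumption of the example).
PUBLIC_OK_TCP_PORTS = {80, 443}

# Constructed sample: four groups a reviewer might see in one VPC (placeholder IDs).
SAMPLE_GROUPS = [
    {"GroupId": "sg-web-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-admin-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []}]},
    {"GroupId": "sg-db-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-web-example"}]}]},
    # A freshly created group has no ingress rules at all: the "deny all" default.
    {"GroupId": "sg-new-example", "IpPermissions": []},
]


def is_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. anyone on the Internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def describe_ports(perm: dict) -> str:
    """Human-readable protocol/port range for one IpPermissions entry."""
    if perm["IpProtocol"] == "-1":
        return "all protocols/ports"
    lo, hi = perm["FromPort"], perm["ToPort"]
    rng = str(lo) if lo == hi else f"{lo}-{hi}"
    return f"{perm['IpProtocol']} {rng}"


def audit_security_group(sg: dict) -> list[str]:
    """Return one finding per ingress rule that is open to the whole Internet.

    Address ranges are checked; UserIdGroupPairs (a reference to another group)
    are the narrower form the text describes and are not flagged.
    """
    findings: list[str] = []
    for perm in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if not is_world(cidr):
                continue
            single_port = perm["IpProtocol"] == "tcp" and perm["FromPort"] == perm["ToPort"]
            if single_port and perm["FromPort"] in PUBLIC_OK_TCP_PORTS:
                continue  # an intended public web listener
            findings.append(f"{sg['GroupId']}: {describe_ports(perm)} open to {cidr}")
    return findings


def audit_all(groups: list[dict]) -> dict[str, list[str]]:
    """Map each GroupId to its findings (empty list means nothing world-open)."""
    return {g["GroupId"]: audit_security_group(g) for g in groups}


if __name__ == "__main__":
    for group_id, found in audit_all(SAMPLE_GROUPS).items():
        print(group_id, "->", found or "ok")
```

The same walk works over real describe-security-groups JSON once the records are loaded, and the one allow-list set is the only policy decision the reviewer has to make explicit.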

Interacting with the Service

AWS provides several methods of interacting with the services in the form of APIs, Software Development Kits (SDKs), the AWS Management Console, and the AWS command line interface. All of the methods ultimately rely on the public APIs and follow standard AWS authentication and authorization practices.

Authenticated calls to AWS services are signed by either an X.509 certificate and/or the customer’s AWS Secret Access Key. When using the AWS Command Line Interface (AWS CLI) or one of the AWS SDKs to make requests to AWS, these tools automatically sign the requests with the access key specified by the customer when the tools were configured. Manually created requests must be signed using Signature Version 4 or Signature Version 2. All AWS services support Signature Version 4, except Amazon SimpleDB, which requires Signature Version 2. For AWS services that support both versions, it is recommended to use Signature Version 4.
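The signing that the CLI and SDKs perform automatically is the Signature Version 4 process the paragraph refers to. The block below is an added example, not code from this report or from an AWS SDK: it re-implements that process with the Python standard library so the four steps (canonical request, string to sign, derived signing key, signature) can be inspected, and adds the receiver-side check that recomputes the signature and compares it in constant time, which is what lets the secret key authenticate a request without ever being transmitted. The request, timestamp, region, service name and the AKIDEXAMPLE credential pair are constructed placeholders, and verify_request is a hypothetical helper written for the example, not an AWS API.

```python
"""Signature Version 4 (SigV4): sign a request, then verify it the way a receiver would.

Added example, not code from the report or an AWS SDK. Standard library only.
Credentials, request and timestamp are constructed placeholders.
"""
from __future__ import annotations

import datetime
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"

# Placeholder credentials (constructed for this example; never real keys).
ACCESS_KEY = "AKIDEXAMPLE"
SECRET_KEY = "EXAMPLE-SECRET-KEY-DO-NOT-USE-0000000000"

# Constructed request: an IAM ListUsers call with an empty body.
REQUEST = {
    "method": "GET", "host": "iam.amazonaws.com", "path": "/",
    "query": {"Action": "ListUsers", "Version": "2010-05-08"},
    "headers": {"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
    "payload": b"",
}
WHEN = datetime.datetime(2015, 8, 30, 12, 36, 0)  # UTC timestamp of the request


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload) -> tuple[str, str]:
    """Step 1: the canonical request plus the SignedHeaders list it covers.

    Path is URI-encoded once (S3 convention; most other services expect each
    segment encoded twice), query parameters are encoded and sorted by name,
    header names are lower-cased and sorted, header values have whitespace collapsed.
    """
    canonical_uri = quote(path, safe="/~") or "/"
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    norm = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(norm))
    canonical_headers = "".join(f"{k}:{norm[k]}\n" for k in sorted(norm))
    request = "\n".join([method.upper(), canonical_uri, canonical_query,
                         canonical_headers, signed_headers, _sha256_hex(payload)])
    return request, signed_headers


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Step 3: a key scoped to one day, region and service; the raw secret never signs directly."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_request(method, host, path, query, headers, payload, access_key, secret_key,
                 region, service, when: datetime.datetime) -> dict:
    """Steps 1-4 end to end; returns the signed headers and the intermediates for inspection."""
    amz_date, date_stamp = when.strftime("%Y%m%dT%H%M%SZ"), when.strftime("%Y%m%d")
    hdrs = {k.lower(): v for k, v in headers.items()}
    hdrs.update({"host": host, "x-amz-date": amz_date})
    creq, signed_headers = canonical_request(method, path, query, hdrs, payload)
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(creq.encode("utf-8"))])  # step 2
    signature = hmac.new(signing_key(secret_key, date_stamp, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()  # step 4
    hdrs["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                             f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"headers": hdrs, "canonical_request": creq,
            "string_to_sign": string_to_sign, "signature": signature}


def verify_request(method, path, query, headers, payload, secret_key) -> bool:
    """Receiver side (hypothetical helper): rebuild the signature from the request and compare."""
    auth = headers["authorization"][len(ALGORITHM) + 1:]
    fields = dict(part.strip().split("=", 1) for part in auth.split(","))
    _, date_stamp, region, service, _ = fields["Credential"].split("/")
    covered = {h: headers[h] for h in fields["SignedHeaders"].split(";")}
    creq, _ = canonical_request(method, path, query, covered, payload)
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    sts = "\n".join([ALGORITHM, headers["x-amz-date"], scope, _sha256_hex(creq.encode("utf-8"))])
    expected = hmac.new(signing_key(secret_key, date_stamp, region, service),
                        sts.encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, fields["Signature"])  # constant-time comparison


def demo() -> tuple[dict, bool, bool]:
    """Sign the sample request, verify it, then verify a copy whose query was altered in transit."""
    signed = sign_request(**REQUEST, access_key=ACCESS_KEY, secret_key=SECRET_KEY,
                          region="us-east-1", service="iam", when=WHEN)
    genuine = verify_request(REQUEST["method"], REQUEST["path"], REQUEST["query"],
                             signed["headers"], REQUEST["payload"], SECRET_KEY)
    altered_query = {**REQUEST["query"], "Action": "CreateUser"}
    tampered = verify_request(REQUEST["method"], REQUEST["path"], altered_query,
                              signed["headers"], REQUEST["payload"], SECRET_KEY)
    return signed, genuine, tampered


if __name__ == "__main__":
    result, ok, bad = demo()
    print(result["canonical_request"], result["headers"]["authorization"], ok, bad, sep="\n")
```

Because the date, region and service are folded into the derived key, a leaked signature is useless outside that scope, and because x-amz-date is among the signed headers, the receiver can also reject requests whose timestamp is stale.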
Internal Logging

AWS maintains centralized repositories that provide core log archival functionality available for internal use by AWS service teams. Leveraging S3 for high scalability, durability, and availability allows service teams to collect, archive, and view service logs in a central log service.

Production hosts at AWS are deployed using master baseline images (Control AWSCA-9.4). The baseline images are equipped with a standard set of configurations and functions including logging and monitoring for security purposes.

These logs are stored and accessible by AWS security teams for root cause analysis in the event of a suspected security incident. Logs for a given host are also available to the team that owns that host in case the team needs to search their logs for operational and security analysis.
Encryption

Amazon cryptographic policy defines the appropriate cryptography implementation through the Amazon cryptographic standard. The cryptography standard is based on FIPS standards, NIST standards, and/or the Commercial National Security Algorithm Suite (Suite B). Implementation guidance including appropriate encryption key length and algorithm specific parameters are provided to service teams through application security reviews. Additionally, AWS Security Engineers within the cryptography review program review the appropriate use of cryptography within AWS. In addition, API calls can be encrypted with TLS/SSL to maintain confidentiality. It is the customer’s responsibility to appropriately configure and manage usage and implementation of available encryption options to meet compliance requirements.

Each production firmware version for the AWS Key Management Service HSM (Hardware Security Module) has been certified with NIST under the FIPS 140-2 level 3 standard or is in the process of being certified under FIPS 140-3 level 3 (Control AWSCA-4.14). The AWS KMS team works with a National Voluntary Laboratory Accreditation Program-certified (NVLAP) FIPS consulting lab (Example: Acumen) who in turn works with NIST to get new HSM firmware versions certified. Every new firmware version that is deployed into production has been submitted for validation with the lab and, after validation, will be submitted to NIST’s Cryptographic Module Validation Program (CMVP) to request its FIPS 140-3 review and certification.

Deletion of Customer Content

AWS provides customers the ability to delete their content. Once successfully removed, the data is rendered unreadable (Control AWSCA-7.7). For services that utilize ephemeral storage, such as EC2, the ephemeral storage is deleted once the EC2 instance is deleted.
D.4 AWS Service Descriptions

AWS Amplify
AWS Amplify is a set of tools and services that can be used together or on their own, to help front-end web and mobile developers build scalable full stack applications, powered by AWS. With Amplify, customers can configure app backend and connect applications in minutes, deploy static web apps in a few clicks and easily manage app content outside of AWS console. Amplify supports popular web frameworks including JavaScript, React, Angular, Vue, Next.js, and mobile platforms including Android, iOS, React Native, Ionic, and Flutter.
AWS Application Migration Service
AWS Application Migration Service is the primary service that AWS recommends for lift-and-shift applications to AWS. The service minimizes time-intensive, error-prone manual processes by automatically converting customers’ source servers from physical, virtual, or cloud infrastructure to run natively on AWS. Customers are able to use the same automated process to migrate a wide range of applications to AWS without making changes to applications, their architecture, or the migrated servers.

Amazon API Gateway
Amazon API Gateway is a service that makes it easy for developers to publish, maintain, monitor, and secure APIs at any scale. With Amazon API Gateway, customers can create a custom API to code running in AWS Lambda, and then call the Lambda code from customers' API. Amazon API Gateway can execute AWS Lambda code in a customer’s account, start AWS Step Functions state machines, or make calls to AWS Elastic Beanstalk, Amazon EC2, or web services outside of AWS with publicly accessible HTTP endpoints. Using the Amazon API Gateway console, customers can define customers' REST API and its associated resources and methods, manage customers' API lifecycle, generate customers' client SDKs, and view API metrics.

AWS AppFabric (Effective August 15, 2023)
AWS AppFabric is a no-code service that connects multiple software as a service (SaaS) applications for better security, management, and productivity. AppFabric aggregates and normalizes SaaS data (e.g., user event logs, user access) across SaaS applications without the need to write custom data integrations.

Amazon AppFlow
Amazon AppFlow is an integration service that enables customers to securely transfer data between Software-as-a-Service (SaaS) applications like Salesforce, SAP, Zendesk, Slack, and ServiceNow, and AWS services like Amazon S3 and Amazon Redshift. With AppFlow, customers can run data flows at enterprise scale at the frequency they choose - on a schedule, in response to a business event, or on demand. Customers are able to configure data transformation capabilities like filtering and validation to generate rich, ready-to-use data as part of the flow itself, without additional steps.

AWS App Mesh
AWS App Mesh is a service mesh that provides application-level networking which allows customer services to communicate with each other across multiple types of compute infrastructure. App Mesh gives customers end-to-end visibility and high availability for their applications. AWS App Mesh makes it easy to run services by providing consistent visibility and network traffic controls, which helps to deliver secure services. App Mesh removes the need to update application code to change how monitoring data is collected or traffic is routed between services. App Mesh configures each service to export monitoring data and implements consistent communications control logic across applications.
AWS App Runner
AWS App Runner is a service that makes it easy for developers to quickly deploy containerized web applications and APIs, at scale and with no prior infrastructure experience required. The service provides a simplified infrastructure-less abstraction for multi-concurrent web applications and API-based services. With App Runner, infrastructure components like build, load balancers, certificates and application replicas are managed by AWS. Customers simply provide their source-code (or a pre-built container image) and get a service endpoint URL in return against which requests can be made.
Amazon AppStream 2.0
Amazon AppStream 2.0 is an application streaming service that provides customers instant access to their desktop applications from anywhere. Amazon AppStream 2.0 simplifies application management, improves security, and reduces costs by moving a customer’s applications from their users’ physical devices to the AWS Cloud. The Amazon AppStream 2.0 streaming protocol provides customers a responsive, fluid performance that is almost indistinguishable from a natively installed application. With Amazon AppStream 2.0, customers can realize the agility to support a broad range of compute and storage requirements for their applications.

AWS AppSync
AWS AppSync is a service that allows customers to easily develop and manage GraphQL APIs. Once deployed, AWS AppSync automatically scales the API execution engine up and down to meet API request volumes. AWS AppSync offers GraphQL setup, administration, and maintenance, with high availability serverless infrastructure built in.

AWS Artifact (Effective August 15, 2023)
AWS Artifact is a self-service audit artifact retrieval portal that provides customers with on-demand access to AWS’ compliance documentation and AWS agreements. Customers can use AWS Artifact Reports to download AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI), and System and Organization Control (SOC) reports. Customers can use AWS Artifact Agreements to review, accept, and track the status of AWS agreements.

Amazon Athena
Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. Athena is serverless, so there is no infrastructure for customers to manage. Athena is highly available and executes queries using compute resources across multiple facilities and multiple devices in each facility. Amazon Athena uses Amazon S3 as its underlying data store, making customers’ data highly available and durable.

AWS Audit Manager
AWS Audit Manager helps customers continuously audit AWS usage to simplify how customers manage risk and compliance with regulations and industry standards. AWS Audit Manager makes it easier to evaluate whether policies, procedures, and activities—also known as controls—are operating as intended. The service offers prebuilt frameworks with controls that are mapped to well-known industry standards and regulations, full customization of frameworks and controls, and automated collection and organization of evidence as designed by each control requirement.


Amazon Augmented AI (excludes Public Workforce and Vendor Workforce for all features)
Amazon Augmented AI (A2I) is a machine learning service which makes it easy to build the workflows required for human review. Amazon A2I brings human review to all developers, removing the undifferentiated heavy lifting associated with building human review systems or managing large numbers of human reviewers whether it runs on AWS or not. The public and vendor workforce options of this service are not in scope for purposes of this report.

Amazon EC2 Auto Scaling
Amazon EC2 Auto Scaling launches/terminates instances on a customer's behalf according to conditions customers define, such as schedule, changing metrics like average CPU utilization, or health of the instance as determined by EC2 or ELB health checks. It allows customers to have balanced compute across multiple AZs and scale their fleet based on usage.


AWS Backup
AWS Backup is a backup service that makes it easy to centralize and automate the back up of data across AWS services in the cloud as well as on premises using the AWS Storage Gateway. Using AWS Backup, the customers can centrally configure backup policies and monitor backup activity for AWS resources, such as Amazon EBS volumes, Amazon RDS databases, Amazon DynamoDB tables, Amazon EFS file systems, and AWS Storage Gateway volumes. AWS Backup automates and consolidates backup tasks previously performed service-by-service, removing the need to create custom scripts and manual processes.
AWS Batch
AWS Batch enables developers, scientists, and engineers to run batch computing jobs on AWS. AWS Batch dynamically provisions the optimal quantity and type of compute resources (e.g., CPU or memory optimized instances) based on the volume and specific resource requirements of the batch jobs submitted. AWS Batch plans, schedules, and executes customers’ batch computing workloads across the full range of AWS compute services and features, such as Amazon EC2 and Spot Instances.

Amazon Bedrock (Effective August 15, 2023)
Amazon Bedrock is a fully managed service that makes foundation models (FMs) from Amazon and leading Artificial Intelligence (AI) companies available through an API, so customers can choose from various FMs to find the model that's best suited for their use case. With the Amazon Bedrock serverless experience, customers can quickly get started, easily experiment with FMs, privately customize FMs with their own data, and seamlessly integrate and deploy them into customer applications using AWS tools and capabilities. Agents for Amazon Bedrock are fully managed and make it easier for developers to create generative-AI applications that can deliver up-to-date answers based on proprietary knowledge sources and complete tasks for a wide range of use cases. The Foundational Models (FMs) from Amazon and leading AI companies, made available by Amazon Bedrock, are not included in the design of the controls described in the SOC report.
Amazon Braket
Amazon Braket, the quantum computing service of AWS, is designed to help accelerate scientific research and software development for quantum computing. Amazon Braket provides everything customers need to build, test, and run quantum programs on AWS, including access to different types of quantum computers and classical circuit simulators and a unified development environment for building and executing quantum circuits. Amazon Braket also manages the classical infrastructure required for the execution of hybrid quantum-classical algorithms. When customers choose to interact with quantum computers provided by third parties, Amazon Braket anonymizes the content, so that only content necessary to process the quantum task is sent to the quantum hardware provider. No AWS account information is shared and customer data is not stored outside of AWS.

AWS Certificate Manager (ACM)
AWS Certificate Manager (ACM) is a service that lets the customer provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and their internal connected resources. SSL/TLS certificates are used to secure network communications and establish the identity of websites over the Internet as well as resources on private networks. AWS Certificate Manager removes the manual process of purchasing, uploading, and renewing SSL/TLS certificates.

AWS Chatbot
AWS Chatbot is an AWS service that enables DevOps and software development teams to use Slack or Amazon Chime chat rooms to monitor and respond to operational events in their AWS Cloud. AWS Chatbot processes AWS service notifications from Amazon Simple Notification Service (Amazon SNS), and forwards them to Slack or Amazon Chime chat rooms so teams can analyze and act on them. Teams can respond to AWS service events from a chat room where the entire team can collaborate, regardless of location.

Amazon Chime
Amazon Chime is a communications service that lets customers meet, chat, and place business calls inside and outside organizations, all using a single application. With Amazon Chime, customers can conduct and attend online meetings with HD video, audio, screen sharing, meeting chat, dial-in numbers, and in-room video conference support. Customers can use chat and chat rooms for persistent communications across desktop and mobile devices. Customers are also able to administer enterprise users, manage policies, and set up SSO or other advanced features in minutes using the Amazon Chime management console.

Amazon Chime SDK
The Amazon Chime SDK is a set of real-time communications components that customers can use to quickly add messaging, audio, video, and screen sharing capabilities to their web or mobile applications. Customers can use the Amazon Chime SDK to build real-time media applications that can send and receive audio and video and allow content sharing. The Amazon Chime SDK works independently of any Amazon Chime administrator accounts and does not affect meetings hosted on Amazon Chime.

AWS Clean Rooms (Effective August 15, 2023)
AWS Clean Rooms helps customers and their partners more easily and securely collaborate and analyze their collective datasets, without sharing or copying one another’s underlying data. With AWS Clean Rooms, customers can create a secure data clean room in minutes and collaborate with any other company on the AWS Cloud to generate unique insights about advertising campaigns, investment decisions, and research and development. With AWS Clean Rooms, customers can analyze data with up to four other parties in a single collaboration. Customers can securely generate insights from multiple companies without having to write code. Customers can create a clean room, invite companies they want to collaborate with, and select which participants can run analyses within the collaboration.

AWS Cloud9
AWS Cloud9 is an integrated development environment, or IDE. The AWS Cloud9 IDE offers a rich code-editing experience with support for several programming languages and runtime debuggers, and a built-in terminal. It contains a collection of tools that customers use to code, build, run, test, and debug software, and helps customers release software to the cloud. Customers access the AWS Cloud9 IDE through a web browser. Customers can configure the IDE to their preferences. Customers can switch color themes, bind shortcut keys, enable programming language-specific syntax coloring and code formatting, and more.

Amazon Cloud Directory
Amazon Cloud Directory enables customers to build flexible cloud-native directories for organizing hierarchies of data along multiple dimensions. Customers also can create directories for a variety of use cases, such as organizational charts, course catalogs, and device registries. For example, customers can create an organizational chart that can be navigated through separate hierarchies for reporting structure, location, and cost center.

AWS Cloud Map
AWS Cloud Map is a cloud resource discovery service that allows customers to define custom names for their application resources. Cloud Map maintains the location of these changing resources to increase application availability.

Customers can register any application resource, such as databases, queues, microservices, and other cloud resources, with custom names. Cloud Map then constantly checks the health of resources to make sure the location is up-to-date. The application can then query the registry for the location of the resources needed based on the application version and deployment environment.

AWS CloudFormation
AWS CloudFormation is a service to simplify provisioning of AWS resources such as Auto Scaling groups, ELBs, Amazon EC2, Amazon VPC, Amazon Route 53, and others. Customers author templates of the infrastructure and applications they want to run on AWS, and the AWS CloudFormation service automatically provisions the required AWS resources and their relationships as defined in these templates.

Amazon CloudFront (excludes content delivery through Amazon CloudFront Embedded Points of Presence)
Amazon CloudFront is a fast content delivery network (CDN) web service that securely delivers data, videos, applications and APIs to customers globally with low latency and high transfer speeds. CloudFront offers the most advanced security capabilities, including field level encryption and HTTPS support, seamlessly integrated with AWS Shield, AWS Web Application Firewall and Route 53 to protect against multiple types of attacks including network and application layer DDoS attacks. These services co-reside at edge networking locations, globally scaled and connected via the AWS network backbone, providing a more secure, performant, and available experience for the users.

CloudFront delivers customers' content through a worldwide network of Edge locations. When an end user requests content that customers serve with CloudFront, the user is routed to the Edge location that provides the lowest latency, so content is delivered with the best possible performance. If the content is already in that Edge location, CloudFront delivers it immediately.

AWS CloudHSM
AWS CloudHSM is a service that allows customers to use dedicated HSMs within the AWS cloud. AWS CloudHSM is designed for applications where the use of HSMs for encryption and key storage is mandatory.

AWS acquires these production HSM devices securely using the tamper evident authenticable (TEA) bags from the vendors. These TEA bag serial numbers and production HSM serial numbers are verified against data provided out-of-band by the manufacturer and logged by approved individuals in tracking systems (Control AWSCA-4.15).

AWS CloudHSM allows customers to store and use encryption keys within HSMs in AWS data centers. With AWS CloudHSM, customers maintain full ownership, control, and access to keys and sensitive data while Amazon manages the HSMs in close proximity to customer applications and data. All HSM media is securely decommissioned and physically destroyed, verified by two personnel, prior to leaving AWS Secure Zones (Control AWSCA-5.13).

AWS CloudShell
AWS CloudShell is a browser-based shell used to securely manage, explore, and interact with customers' AWS resources. CloudShell is pre-authenticated with customer console credentials. Common development and operations tools are pre-installed, so no local installation or configuration is required. With CloudShell, customers can run scripts with the AWS Command Line Interface (AWS CLI), experiment with AWS service APIs using the AWS SDKs, or use a range of other tools to be productive. Customers can use CloudShell right from their browser.

AWS CloudTrail
AWS CloudTrail is a web service that records AWS activity for customers and delivers log files to a specified Amazon S3 bucket. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

AWS CloudTrail provides a history of AWS API calls for customer accounts, including API calls made via the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services (such as AWS CloudFormation). The AWS API call history produced by AWS CloudTrail enables security analysis, resource change tracking, and compliance auditing.

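The record fields listed above are enough for simple security analysis over a delivered CloudTrail log file. The following is an added example, not code from the report or from AWS: it parses constructed sample records in CloudTrail's JSON shape and flags calls made from outside a trusted network, root-account activity, and security-group ingress opened to the whole Internet. The trusted network, user names and the `sg-EXAMPLE` id are constructed placeholders.

```python
"""Security analysis over AWS CloudTrail records (added example, not from the
report). Each record carries the fields the report lists: the identity of the
API caller (userIdentity), the time (eventTime), the source IP address
(sourceIPAddress), the request parameters and the response elements."""
import ipaddress
import json
from collections import Counter

# Constructed sample log in CloudTrail's JSON shape; every value is invented.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-01T10:15:00Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {}, "responseElements": None},
    {"eventTime": "2024-03-01T10:16:30Z", "eventName": "AuthorizeSecurityGroupIngress",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"groupId": "sg-EXAMPLE", "cidrIp": "0.0.0.0/0",
                           "fromPort": 22, "toPort": 22},
     "responseElements": {"_return": True}},
    {"eventTime": "2024-03-01T10:20:00Z", "eventName": "CreateUser",
     "eventSource": "iam.amazonaws.com", "sourceIPAddress": "203.0.113.22",
     "userIdentity": {"type": "Root"},
     "requestParameters": {"userName": "svc-new"},
     "responseElements": {"user": {"userName": "svc-new"}}},
]})

# Constructed allow-list: the customer's own office/VPN egress range.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def caller_name(identity: dict) -> str:
    """Collapse the userIdentity block into a label such as 'IAMUser:alice'."""
    kind = identity.get("type", "Unknown")
    name = identity.get("userName") or identity.get("arn")
    return f"{kind}:{name}" if name else kind


def _mentions(value, needle: str) -> bool:
    """True if `needle` appears as a string anywhere inside nested parameters."""
    if isinstance(value, dict):
        return any(_mentions(v, needle) for v in value.values())
    if isinstance(value, list):
        return any(_mentions(v, needle) for v in value)
    return value == needle


def _is_trusted(source: str, trusted) -> bool:
    """Calls made on the customer's behalf by a higher-level AWS service carry a
    service name (e.g. 'cloudformation.amazonaws.com') instead of an address;
    those are left alone and only real IPs are checked against the allow-list."""
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return True
    return any(ip in net for net in trusted)


def analyze(log_text: str, trusted) -> dict:
    """Return per-caller call counts and a list of findings for one log file."""
    findings = []
    by_caller = Counter()
    for rec in json.loads(log_text)["Records"]:
        identity = rec.get("userIdentity", {})
        caller = caller_name(identity)
        by_caller[caller] += 1
        base = {"time": rec["eventTime"], "caller": caller, "event": rec["eventName"]}
        if not _is_trusted(rec.get("sourceIPAddress", ""), trusted):
            findings.append({**base, "finding": "untrusted_source",
                             "ip": rec["sourceIPAddress"]})
        if identity.get("type") == "Root":
            findings.append({**base, "finding": "root_activity"})
        if (rec["eventName"] == "AuthorizeSecurityGroupIngress"
                and _mentions(rec.get("requestParameters"), "0.0.0.0/0")):
            findings.append({**base, "finding": "world_open_ingress"})
    return {"findings": findings, "calls_by_caller": dict(by_caller)}


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, TRUSTED_NETWORKS)["findings"]:
        print(finding)
```
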
Amazon CloudWatch
Amazon CloudWatch is a monitoring and management service built for developers, system operators, site reliability engineers (SRE), and IT managers. CloudWatch provides the customers with data and actionable insights to monitor their applications, understand and respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health. CloudWatch collects monitoring and operational data in the form of logs, metrics, and events, providing the customers with a unified view of AWS resources, applications and services that run on AWS, and on-premises servers.

Amazon CloudWatch Logs
Amazon CloudWatch Logs is a service used to monitor, store, and access log files from Amazon Elastic Compute Cloud (EC2) instances, AWS CloudTrail, Route 53 and other sources. CloudWatch Logs enables customers to centralize the logs from systems, applications and AWS services used in a single, highly scalable service. Customers can easily view them, search for patterns, filter on specific fields or archive them securely for future analysis. CloudWatch Logs enables customers to view logs, regardless of their source, as a single and consistent flow of events ordered by time, and to query them based on specific criteria.

AWS CodeBuild
AWS CodeBuild is a build service that compiles source code, runs tests, and produces software packages that are ready to deploy. CodeBuild scales continuously and processes multiple builds concurrently, so that customers’ builds are not left waiting in a queue. Customers can use prepackaged build environments or can create custom build environments that use their own build tools. AWS CodeBuild eliminates the need to set up, patch, update, and manage customers’ build servers and software.

AWS CodeCommit
AWS CodeCommit is a source control service that hosts secure Git-based repositories. It allows teams to collaborate on code in a secure and highly scalable ecosystem. CodeCommit eliminates the need for customers to operate their own source control system or worry about scaling their infrastructure. CodeCommit can be used to securely store anything from source code to binaries, and it works seamlessly with the existing Git tools.

AWS CodeDeploy
AWS CodeDeploy is a deployment service that automates software deployments to a variety of compute services such as Amazon EC2, AWS Fargate, AWS Lambda, and the customer’s on-premises servers. AWS CodeDeploy allows customers to rapidly release new features, helps avoid downtime during application deployment, and handles the complexity of updating the applications.

AWS CodePipeline
AWS CodePipeline is a continuous delivery service that helps customers automate release pipelines for fast and reliable application and infrastructure updates. CodePipeline automates the build, test, and deploy phases of customers’ release process every time there is a code change, based on the release model defined by the customer. This enables customers to rapidly and reliably deliver features and updates. Customers can easily integrate AWS CodePipeline with third-party services such as GitHub or with their own custom plugin.

Amazon CodeWhisperer (Effective February 15, 2024)
Amazon CodeWhisperer is a productivity tool that generates real-time, single-line or full-function code suggestions in the customers’ integrated development environment (IDE) and in the command line to help quickly build software. Customers can quickly and easily accept the top suggestion, view more suggestions, or continue writing their own code.

Amazon Cognito
Amazon Cognito lets customers add user sign-up and sign-in, and manage permissions, for mobile and web applications. Customers can create their own user directory within Amazon Cognito. Customers can also choose to authenticate users through social identity providers such as Facebook, Twitter, or Amazon; with SAML identity solutions; or by using customers' own identity system. In addition, Amazon Cognito enables customers to save data locally on users' devices, allowing customers' applications to work even when the devices are offline. Customers can then synchronize data across users' devices so that their app experience remains consistent regardless of the device they use.

Amazon Comprehend
Amazon Comprehend is a natural language processing (NLP) service that uses machine learning to find insights and relationships in text. Amazon Comprehend uses machine learning to help the customers uncover insights and relationships in their unstructured data without machine learning experience. The service identifies the language of the text; extracts key phrases, places, people, brands, or events; understands how positive or negative the text is; analyzes text using tokenization and parts of speech; and automatically organizes a collection of text files by topic.

Amazon Comprehend Medical
Amazon Comprehend Medical is a HIPAA-eligible natural language processing (NLP) service that facilitates the use of machine learning to extract relevant medical information from unstructured text. Using Amazon Comprehend Medical, customers can quickly and accurately gather information, such as medical condition, medication, dosage, strength, and frequency from a variety of sources like doctors’ notes, clinical trial reports, and patient health records. Amazon Comprehend Medical uses advanced machine learning models to accurately and quickly identify medical information, such as medical conditions and medications, and determines their relationship to each other, for instance, medicine dosage and strength.

AWS Config
AWS Config enables customers to assess, audit, and evaluate the configurations of their AWS resources. AWS Config continuously monitors and records AWS resource configurations and allows customers to automate the evaluation of recorded configurations against desired configurations. With AWS Config, customers can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine overall compliance against the configurations specified within the customers’ internal guidelines. This enables customers to simplify compliance auditing, security analysis, change management, and operational troubleshooting.

Amazon Connect
Amazon Connect is an easy-to-use omnichannel cloud contact center that helps customers provide superior customer service across voice, chat, and tasks at lower cost than traditional contact center systems. Amazon Connect simplifies contact center operations, improves agent efficiency and lowers costs. Customers can set up a contact center in minutes that can scale to support millions of customers from the office or as a virtual contact center.

AWS Control Tower
AWS Control Tower provides the easiest way to set up and govern a new, secure, multi-account AWS environment based on AWS’ best practices established through AWS’ experience working with thousands of enterprises as they move to the cloud. With AWS Control Tower, builders can provision new AWS accounts that conform to customer policies. If customers are building a new AWS environment, starting out on the journey to AWS, starting a new cloud initiative, or are completely new to AWS, Control Tower will help customers get started quickly with governance and AWS’ best practices built-in.

Amazon DataZone (Effective February 15, 2024)
Amazon DataZone is a data management service that makes it faster and easier for customers to catalog, discover, share, and govern data stored across AWS, on premises, and third-party sources. With Amazon DataZone, engineers, data scientists, product managers, analysts, and business users can quickly access data throughout an organization so that they can discover, use, and collaborate to derive data-driven insights. Administrators and data owners who oversee an organization's data assets can easily manage and govern access to data. Amazon DataZone provides built-in workflows for data consumers to request access to data and for data owners to approve the access.

AWS Data Exchange
AWS Data Exchange makes it easy to find, subscribe to, and use third-party data in the cloud. Qualified data providers include category-leading brands. Once subscribed to a data product, customers can use the AWS Data Exchange API to load data directly into Amazon S3 and then analyze it with a wide variety of AWS analytics and machine learning services. For data providers, AWS Data Exchange makes it easy to reach the millions of AWS customers migrating to the cloud by removing the need to build and maintain infrastructure for data storage, delivery, billing, and entitling.

AWS Database Migration Service (DMS)
AWS Database Migration Service (DMS) is a cloud service that enables customers to migrate relational databases, data warehouses, NoSQL databases, and other types of data stores. AWS DMS can be used to migrate data into the AWS Cloud, between on-premises instances (through AWS Cloud setup), or between combinations of cloud and on-premises setups. The service supports homogenous migrations within one database platform, as well as heterogeneous migrations between different database platforms. AWS Database Migration Service can also be used for continuous data replication with high availability.

AWS DataSync
AWS DataSync is an online data transfer service that simplifies, automates and accelerates moving data between on-premises storage and AWS Storage services, as well as between AWS Storage services. DataSync can copy data between Network File System (NFS), Server Message Block (SMB) file servers, self-managed object storage, AWS Snowcone, Amazon Simple Storage Service (Amazon S3) buckets, Amazon EFS file systems and Amazon FSx for Windows File Server file systems. DataSync automatically handles many of the tasks related to data transfers that can slow down migrations or burden customers’ IT operations, including running customers’ own instances, handling encryption, managing scripts, network optimization, and data integrity validation.

Amazon Detective
Amazon Detective allows customers to easily analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activity. Amazon Detective collects log data from customers’ AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables customers to conduct faster and more efficient security investigations. AWS Security services can be used to identify potential security issues or findings.

Amazon Detective can analyze trillions of events from multiple data sources and automatically creates a unified, interactive view of the resources, users, and the interactions between them over time. With this unified view, customers can visualize all the details and context in one place to identify the underlying reasons for the findings, drill down into relevant historical activities, and quickly determine the root cause.

Amazon DevOps Guru
Amazon DevOps Guru is a service powered by machine learning (ML) that is designed to improve an application’s operational performance and availability. DevOps Guru helps detect behaviors that deviate from normal operating patterns so customers can identify operational issues before they impact them. DevOps Guru uses ML models informed by years of Amazon.com and AWS operational excellence to identify anomalous application behavior (for example, increased latency, error rates, resource constraints, and others) and helps surface critical issues that could cause potential outages or service disruptions. When DevOps Guru identifies a critical issue, it automatically sends an alert and provides a summary of related anomalies, the likely root cause, and context for when and where the issue occurred. When possible, DevOps Guru also helps provide recommendations on how to remediate the issue.

AWS Direct Connect
AWS Direct Connect enables customers to establish a dedicated network connection between their network and one of the AWS Direct Connect locations. Using AWS Direct Connect, customers can establish private connectivity between AWS and their data center, office, or colocation environment.

AWS Directory Service (excludes Simple AD)
AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft Active Directory (AD), enables customers' directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud. AWS Managed Microsoft AD stores directory content in encrypted Amazon Elastic Block Store volumes using encryption keys. Data in transit to and from Active Directory clients is encrypted when it travels through Lightweight Directory Access Protocol (LDAP) over customers' Amazon Virtual Private Cloud (VPC) network. If an Active Directory client resides in an off-cloud network, the traffic travels to customers' VPC by a virtual private network link or an AWS Direct Connect link.

Amazon DocumentDB (with MongoDB compatibility)
Amazon DocumentDB (with MongoDB compatibility) is a fast, scalable, and highly available document database service that supports MongoDB workloads. Amazon DocumentDB is designed from the ground up to give customers the performance, scalability, and availability customers need when operating mission-critical MongoDB workloads at scale. Amazon DocumentDB implements the Apache 2.0 open source MongoDB 3.6 API by emulating the responses that a MongoDB client expects from a MongoDB server, allowing customers to use their existing MongoDB drivers and tools with Amazon DocumentDB. Amazon DocumentDB uses a distributed, fault-tolerant, self-healing storage system that auto-scales up to 64 TB per database cluster.

Amazon DynamoDB
Amazon DynamoDB is a managed NoSQL database service. Amazon DynamoDB enables customers to offload to AWS the administrative burdens of operating and scaling distributed databases such as hardware provisioning, setup and configuration, replication, software patching, and cluster scaling.

Customers can create a database table that can store and retrieve data and serve any requested traffic. Amazon DynamoDB automatically spreads the data and traffic for the table over a sufficient number of servers to handle the request capacity specified and the amount of data stored, while maintaining consistent, fast performance. All data items are stored on Solid State Drives (SSDs) and are automatically replicated across multiple AZs in a region.

Amazon DynamoDB Accelerator (DAX) (Effective February 15, 2024)
Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available caching service built for Amazon DynamoDB. DAX delivers up to a 10 times performance improvement, from milliseconds to microseconds, even at millions of requests per second. DAX does the heavy lifting required to add in-memory acceleration to customers’ DynamoDB tables, without requiring developers to manage cache invalidation, data population, or cluster management.

EC2 Image Builder
EC2 Image Builder makes it easier to automate the creation, management, and deployment of customized, secure, and up-to-date “golden” server images that are pre-installed and pre-configured with software and settings to meet specific IT standards.

AWS Elastic Beanstalk
AWS Elastic Beanstalk is an application container launch program for customers to launch and scale their applications on top of AWS. Customers can use AWS Elastic Beanstalk to create new environments using Elastic Beanstalk curated programs and their applications, deploy application versions, update application configurations, rebuild environments, update AWS configurations, monitor environment health and availability, and build on top of the scalable infrastructure provided by underlying services such as Auto Scaling, Elastic Load Balancing, Amazon EC2, Amazon VPC, Amazon Route 53, and others.

Amazon Elastic Block Store (EBS)
Amazon Elastic Block Store (EBS) provides persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud. Each Amazon EBS volume is automatically replicated within its AZ to protect customers from component failure. Amazon EBS allows customers to create storage volumes from 1 GB to 16 TB that can be mounted as devices by Amazon EC2 instances. Storage volumes behave like raw, unformatted block devices, with user supplied device names and a block device interface. Customers can create a file system on top of Amazon EBS volumes, or use them in any other way one would use a block device (e.g., a hard drive).

Amazon EBS volumes are presented as raw unformatted block devices that have been wiped prior to being made available for use. Wiping occurs before reuse. If customers have procedures requiring that all data be wiped via a specific method, customers can conduct a wipe procedure prior to deleting the volume for compliance with customer requirements. Amazon EBS includes Data Lifecycle Manager, which provides a simple, automated way to back up data stored on Amazon EBS volumes.

Amazon Elastic Compute Cloud (EC2)
Amazon Elastic Compute Cloud (EC2) is Amazon’s Infrastructure as a Service (IaaS) offering, which provides scalable computing capacity using server instances in AWS’ data centers. Amazon EC2 is designed to make web-scale computing easier by enabling customers to obtain and configure capacity with minimal friction. Customers create and launch instances, which are virtual machines that are available in a wide variety of hardware and software configurations.

Security within Amazon EC2 is provided on multiple levels: the operating system (OS) of the host layer, the virtual instance OS or guest OS, a firewall, and signed API calls. Each of these items builds on the capabilities of the others. This helps prevent data contained within Amazon EC2 from being intercepted by unauthorized systems or users and secures the Amazon EC2 instances themselves without sacrificing flexibility of configuration. The Amazon EC2 service utilizes a hypervisor to provide memory and CPU isolation between virtual machines and controls access to network, storage, and other devices, and maintains strong isolation between guest virtual machines. Independent auditors regularly assess the security of Amazon EC2 and penetration teams regularly search for new and existing vulnerabilities and attack vectors.

AWS prevents customers from accessing physical hosts or instances not assigned to them by filtering through the virtualization software (Control AWSCA-3.12).

Amazon EC2 provides a complete firewall solution, referred to as a Security Group; this mandatory inbound firewall is configured in a default deny-all mode and Amazon EC2 customers must explicitly open the ports needed to allow inbound traffic (Control AWSCA-3.9).

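A small model of the default-deny evaluation described above, as an added example that is not code from the report or from AWS: a packet is admitted only when an explicit ingress rule matches its protocol, destination port and source address, and `exposure()` answers the audit question of what a given source (for instance the whole Internet) can reach. The rule set and addresses are constructed sample data, and the `-1` convention for "all protocols / all ports" is a simplification of the real rule format.

```python
"""Model of Security Group inbound filtering (added example, not AWS code).
Default deny: nothing enters unless some ingress rule explicitly admits it."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IngressRule:
    protocol: str   # "tcp", "udp", "icmp", or "-1" meaning every protocol
    from_port: int  # -1 means every port (modelling convention, see lead-in)
    to_port: int
    cidr: str       # source range this rule admits

    def matches(self, protocol: str, port: int, source: str) -> bool:
        """True if this single rule admits the described inbound packet."""
        if self.protocol != "-1" and self.protocol != protocol:
            return False
        if self.from_port != -1 and not (self.from_port <= port <= self.to_port):
            return False
        return ipaddress.ip_address(source) in ipaddress.ip_network(self.cidr)


def inbound_allowed(rules, protocol: str, port: int, source: str) -> bool:
    """Security Group semantics: admitted only if at least one rule matches;
    with no matching rule the packet is dropped (default deny-all)."""
    return any(rule.matches(protocol, port, source) for rule in rules)


def exposure(rules, source: str):
    """Every (protocol, from_port, to_port) range reachable from `source`.
    Calling it with an address outside the customer's networks shows what the
    group opens to the Internet, which is the review question for AWSCA-3.9."""
    src = ipaddress.ip_address(source)
    return sorted((r.protocol, r.from_port, r.to_port) for r in rules
                  if src in ipaddress.ip_network(r.cidr))


# Constructed sample group: HTTPS from anywhere, SSH only from an admin range,
# PostgreSQL only from inside the VPC. Nothing else is opened.
SAMPLE_RULES = [
    IngressRule("tcp", 443, 443, "0.0.0.0/0"),
    IngressRule("tcp", 22, 22, "203.0.113.0/24"),   # constructed admin range
    IngressRule("tcp", 5432, 5432, "10.0.0.0/16"),   # constructed VPC CIDR
]

if __name__ == "__main__":
    print("SSH from Internet:", inbound_allowed(SAMPLE_RULES, "tcp", 22, "198.51.100.9"))
    print("Internet exposure:", exposure(SAMPLE_RULES, "198.51.100.9"))
```
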
Amazon provides a Time Sync function for time synchronization in EC2 Linux instances with the Coordinated Universal Time (UTC). It is delivered over the Network Time Protocol (NTP) and uses a fleet of redundant satellite-connected and atomic clocks in each region to provide a highly accurate reference clock via the local 169.254.169.123 IP address. Irregularities in the Earth’s rate of rotation that cause UTC to drift with respect to the International Celestial Reference Frame (ICRF), by an extra second, are called leap seconds. Time Sync addresses this clock drift by smoothing out leap seconds over a period of time (commonly called leap smearing), which makes it easy for customer applications to deal with leap seconds (Control AWSCA-7.10).

Amazon Elastic Container Registry (ECR)
Amazon Elastic Container Registry is a Docker container image registry that makes it easy for developers to store, manage, and deploy Docker container images. Amazon Elastic Container Registry is integrated with Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS).

Amazon Elastic Container Service [both Fargate and EC2 launch types]
Amazon Elastic Container Service is a highly scalable, high performance container management service that supports Docker containers and allows customers to easily run applications on a managed cluster of Amazon EC2 instances. Amazon Elastic Container Service eliminates the need for customers to install, operate, and scale customers' own cluster management infrastructure. With simple API calls, customers can launch and stop Docker-enabled applications, query the complete state of customers' clusters, and access many familiar features like security groups, Elastic Load Balancing, EBS volumes, and IAM roles. Customers can use Amazon Elastic Container Service to schedule the placement of containers across customers' clusters based on customers' resource needs and availability requirements.

AWS Elastic Disaster Recovery


AWS Elastic Disaster Recovery minimizes downtime and data loss with the recovery of on-premises and
cloud-based applications using affordable storage, minimal compute, and point-in-time recovery.
zz

Customers can set up AWS Elastic Disaster Recovery on their source servers to initiate secure data
replication. Customer content is replicated to a staging area subnet in their AWS account, in the AWS
Region they select. The staging area design reduces costs by using affordable storage and minimal
n-

compute resources to maintain ongoing replication. Customers can perform non-disruptive tests to
confirm that implementation is complete. During normal operation, customers can maintain readiness by
ke

monitoring replication and periodically performing non-disruptive recovery and failback drills. If
customers need to recover applications, they can launch recovery instances on AWS within minutes, using
the most up-to-date server state or a previous point in time.
-to

Amazon Elastic Kubernetes Service (EKS) [both Fargate and EC2 launch types]
Amazon Elastic Kubernetes Service (EKS) makes it easy to deploy, manage, and scale containerized
applications using Kubernetes on AWS. Amazon EKS runs the Kubernetes management infrastructure for
the customer across multiple AWS AZs to eliminate a single point of failure. Amazon EKS is certified
Kubernetes conformant so the customers can use existing tooling and plugins from partners and the
Kubernetes community. Applications running on any standard Kubernetes environment are fully
compatible and can be easily migrated to Amazon EKS.

Amazon Elastic File System (EFS)
Amazon Elastic File System (EFS) provides file storage for Amazon EC2 instances. EFS presents a network
attached file system interface via the NFS v4 protocol. EFS file systems grow and shrink elastically as data
is added and deleted by users. Amazon EFS spreads data across multiple AZs; in the event that an AZ is
not reachable, the structure allows customers to still access their full set of data.

The customer is responsible for choosing which of their Virtual Private Clouds (VPCs) they want a file
system to be accessed from by creating resources called mount targets. One mount target exists for each
AZ, which exposes an IP address and DNS name for mounting the customer's file system onto their EC2
instances. Customers then log into their EC2 instance and issue a 'mount' command, pointing at their
mount target's IP address or DNS name. A mount target is assigned one or more VPC security groups to
which it belongs. The VPC security groups define rules for what VPC traffic can reach the mount targets
and in turn can reach the file system.
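
The default-deny evaluation that the Security Group passage (Control AWSCA-3.9) and the EFS mount-target passage above both describe, as an added example in Go that is not AWS code: an evaluator that admits an inbound flow only when an explicit inbound rule matches it, exercised on a constructed two-group layout in which an application group is open on HTTPS and a mount-target group accepts NFS on TCP 2049 only from members of the application group. The group IDs, addresses and the `Rule`, `SecurityGroup` and `Packet` shapes are assumptions of this sketch; the real service additionally tracks connection state, which the sketch omits.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Rule is one inbound allow entry. Security groups carry allow rules only,
// so any flow that no rule matches is dropped.
type Rule struct {
	Protocol string // "tcp" or "udp"
	FromPort int
	ToPort   int
	Source   string // a CIDR such as "10.0.0.0/16", or a group ID such as "sg-app"
}

// SecurityGroup is a named set of inbound rules (constructed model, not the
// service's own data structure).
type SecurityGroup struct {
	ID      string
	Inbound []Rule
}

// Packet is the inbound flow under evaluation.
type Packet struct {
	Protocol string
	DstPort  int
	SrcIP    string
	SrcSG    string // group of the sending instance, "" when it has none
}

func (r Rule) matches(p Packet) bool {
	if !strings.EqualFold(r.Protocol, p.Protocol) {
		return false
	}
	if p.DstPort < r.FromPort || p.DstPort > r.ToPort {
		return false
	}
	if strings.HasPrefix(r.Source, "sg-") {
		return p.SrcSG == r.Source // group reference: match the sender's group
	}
	prefix, err := netip.ParsePrefix(r.Source)
	if err != nil {
		return false // a malformed rule never grants access
	}
	addr, err := netip.ParseAddr(p.SrcIP)
	if err != nil {
		return false
	}
	return prefix.Contains(addr)
}

// Allowed is the default-deny evaluation: admit only on an explicit match.
func (sg SecurityGroup) Allowed(p Packet) bool {
	for _, r := range sg.Inbound {
		if r.matches(p) {
			return true
		}
	}
	return false
}

// DemoGroups builds a constructed two-tier layout: an application group that
// accepts HTTPS from anywhere, and an EFS mount-target group that accepts NFS
// (TCP 2049) only from members of the application group.
func DemoGroups() (app, mount SecurityGroup) {
	app = SecurityGroup{ID: "sg-app", Inbound: []Rule{
		{Protocol: "tcp", FromPort: 443, ToPort: 443, Source: "0.0.0.0/0"},
	}}
	mount = SecurityGroup{ID: "sg-efs-mount", Inbound: []Rule{
		{Protocol: "tcp", FromPort: 2049, ToPort: 2049, Source: app.ID},
	}}
	return app, mount
}

func main() {
	app, mount := DemoGroups()
	flows := []struct {
		sg SecurityGroup
		p  Packet
	}{
		{app, Packet{"tcp", 443, "203.0.113.7", ""}},         // internet client to app: allowed
		{app, Packet{"tcp", 22, "203.0.113.7", ""}},          // SSH never opened: denied
		{mount, Packet{"tcp", 2049, "10.0.1.5", "sg-app"}},   // app instance to mount target: allowed
		{mount, Packet{"tcp", 2049, "10.0.2.9", "sg-other"}}, // unrelated instance: denied
	}
	for _, f := range flows {
		fmt.Printf("%-13s %s/%d from %s (%q): allowed=%v\n",
			f.sg.ID, f.p.Protocol, f.p.DstPort, f.p.SrcIP, f.p.SrcSG, f.sg.Allowed(f.p))
	}
}
```

Referencing the application group (`sg-app`) as the source of the mount-target rule, rather than a subnet range, is what keeps the file system reachable only from the instances meant to mount it, even when other instances share the same subnet.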

Elastic Load Balancing (ELB)
Elastic Load Balancing (ELB) provides customers with a load balancer that automatically distributes
incoming application traffic across multiple Amazon EC2 instances in the cloud. It allows customers to
achieve greater levels of fault tolerance for their applications, seamlessly providing the required amount
of load balancing capacity needed to distribute application traffic.

Amazon ElastiCache
Amazon ElastiCache automates management tasks for in-memory cache environments, such as patch
management, failure detection, and recovery. It works in conjunction with other AWS services to provide
a managed in-memory cache. For example, an application running in Amazon EC2 can securely access an
Amazon ElastiCache Cluster in the same region with very low latency.

Using the Amazon ElastiCache service, customers create a Cache Cluster, which is a collection of one or
more Cache Nodes, each running an instance of the Memcached, Redis Engine, or DAX Engine. A Cache
Node is a self-contained environment which provides a fixed-size chunk of secure, network-attached RAM.
Each Cache Node runs an instance of the Memcached, Redis Engine, or DAX Engine, and has its own DNS
name and port. Multiple types of Cache Nodes are supported, each with varying amounts of associated
memory.

AWS Elemental MediaConnect
AWS Elemental MediaConnect is a high-quality transport service for live video. MediaConnect enables
customers to build mission-critical live video workflows in a fraction of the time and cost of satellite or
fiber services. Customers can use MediaConnect to ingest live video from a remote event site (like a
stadium), share video with a partner (like a cable TV distributor), or replicate a video stream for processing
(like an over-the-top service). MediaConnect combines reliable video transport, highly secure stream
sharing, and real-time network traffic and video monitoring that allow customers to focus on their
content, not their transport infrastructure.

AWS Elemental MediaConvert
AWS Elemental MediaConvert is a file-based video transcoding service with broadcast-grade features. It
allows customers to create video-on-demand (VOD) content for broadcast and multiscreen delivery at
scale. The service combines advanced video and audio capabilities with a simple web services interface.
With AWS Elemental MediaConvert, customers can focus on delivering media experiences without having
to worry about the complexity of building and operating video processing infrastructure.

AWS Elemental MediaLive
AWS Elemental MediaLive is a live video processing service. Customers can create high-quality video
streams for delivery to broadcast televisions and internet-connected multiscreen devices, like connected
TVs, tablets, smart phones, and set-top boxes. The service works by encoding live video streams in real
time, taking a larger-sized live video source and compressing it into smaller versions for distribution to
viewers. AWS Elemental MediaLive enables customers to focus on creating live video experiences for
viewers without the complexity of building and operating video processing infrastructure.

AWS Entity Resolution (Effective February 15, 2024)
AWS Entity Resolution is a service that helps customers match, link, and enhance their related records
stored across multiple applications, channels, and data stores. AWS Entity Resolution offers matching
techniques, such as rule-based, machine learning (ML) model-powered, and data service provider
matching to help them more accurately link related sets of customer information, product codes, or
business data codes.

Amazon Elastic MapReduce (EMR)
Amazon Elastic MapReduce (EMR) is a web service that provides managed Hadoop clusters on Amazon
EC2 instances running a Linux operating system. Amazon EMR uses Hadoop processing combined with
several AWS products to do such tasks as web indexing, data mining, log file analysis, machine learning,
scientific simulation, and data warehousing. Amazon EMR actively manages clusters for customers,
replacing failed nodes and adjusting capacity as requested. Amazon EMR securely and reliably handles a
broad set of big data use cases, including log analysis, web indexing, data transformations (ETL), machine
learning, financial analysis, scientific simulation, and bioinformatics.

Amazon EventBridge
Amazon EventBridge delivers a near real-time stream of events that describe changes in AWS resources.
Customers can configure routing rules to determine where to send collected data to build application
architectures that react in real time to the data sources. Amazon EventBridge becomes aware of
operational changes as they occur and responds to these changes by taking corrective action as necessary:
sending messages to respond to the environment, activating functions, making changes, and capturing
state information.

AWS Fault Injection Service (Effective August 15, 2023)
AWS Fault Injection Service is a fully managed service for running fault injection experiments to improve
an application's performance, observability, and resiliency. FIS simplifies the process of setting up and
running controlled fault injection experiments across a range of AWS services, so teams can build
confidence in their application behavior.

Amazon FinSpace
Amazon FinSpace is a data management and analytics service that makes it easy to store, catalog, and
prepare financial industry data at scale. Amazon FinSpace reduces the time it takes for financial services
industry (FSI) customers to find and access all types of financial data for analysis.

AWS Firewall Manager
AWS Firewall Manager is a security management service that makes it easier to centrally configure and
manage AWS WAF rules across customer accounts and applications. Using Firewall Manager, customers
can roll out AWS WAF rules for their Application Load Balancers and Amazon CloudFront distributions
across accounts in AWS Organizations. As new applications are created, Firewall Manager also allows
customers to bring new applications and resources into compliance with a common set of security rules
from day one.

Amazon Forecast
Amazon Forecast uses machine learning to combine time series data with additional variables to build
forecasts. With Amazon Forecast, customers can import time series data and associated data into Amazon
Forecast from their Amazon S3 database. From there, Amazon Forecast automatically loads the data,
inspects it, and identifies the key attributes needed for forecasting. Amazon Forecast then trains and
optimizes a customer's custom model and hosts it in a highly available environment where it can be
used to generate business forecasts.

Amazon Forecast is protected by encryption. Any content processed by Amazon Forecast is encrypted
with customer keys through Amazon Key Management Service and encrypted at rest in the AWS Region
where a customer is using the service. Administrators can also control access to Amazon Forecast through
an AWS Identity and Access Management (IAM) permissions policy, ensuring that sensitive information
is kept secure and confidential.

Amazon Fraud Detector
Amazon Fraud Detector helps detect suspicious online activities such as the creation of fake accounts and
online payment fraud. Amazon Fraud Detector uses machine learning (ML) and 20 years of fraud detection
expertise from AWS and Amazon.com to automatically identify fraudulent activity to catch more fraud,
faster. With Amazon Fraud Detector, customers can create a fraud detection ML model with just a few
clicks and use it to evaluate online activities in milliseconds.

FreeRTOS
FreeRTOS is an operating system for microcontrollers that makes small, low-power edge devices easy to
program, deploy, secure, connect, and manage. FreeRTOS extends the FreeRTOS kernel, a popular open
source operating system for microcontrollers, with software libraries that make it easy to securely connect
the small, low-power devices to AWS cloud services like AWS IoT Core or to more powerful edge devices
running AWS IoT Greengrass.

Amazon FSx
Amazon FSx provides third-party file systems. Amazon FSx provides the customers with the native
compatibility of third-party file systems with feature sets for workloads such as Windows-based storage,
high-performance computing (HPC), machine learning, and electronic design automation (EDA). The
customers don't have to worry about managing file servers and storage, as Amazon FSx automates the
time-consuming administration tasks such as hardware provisioning, software configuration, patching,
and backups. Amazon FSx integrates the file systems with cloud-native AWS services, making them even
more useful for a broader set of workloads.

Amazon S3 Glacier
Amazon S3 Glacier is an archival storage solution for data that is infrequently accessed for which retrieval
times of several hours are suitable. Data in Amazon S3 Glacier is stored as an archive. Archives in Amazon
S3 Glacier can be created or deleted, but archives cannot be modified. Amazon S3 Glacier archives are
organized in vaults. All vaults created have a default permission policy that only permits access by the
account creator or users that have been explicitly granted permission. Amazon S3 Glacier enables
customers to set access policies on their vaults for users within their AWS Account. User policies can
express access criteria for Amazon S3 Glacier on a per vault basis. Customers can enforce Write Once Read
Many (WORM) semantics for users through user policies that forbid archive deletion.

AWS Global Accelerator
AWS Global Accelerator is a networking service that improves the availability and performance of the
applications that customers offer to their global users. AWS Global Accelerator also makes it easier to
manage customers' global applications by providing static IP addresses that act as a fixed entry point to
customer applications hosted on AWS, which eliminates the complexity of managing specific IP addresses
for different AWS Regions and AZs.

AWS Glue
AWS Glue is an extract, transform, and load (ETL) service that makes it easy for customers to prepare and
load their data for analytics. The customers can create and run an ETL job with a few clicks in the AWS
Management Console.

AWS Glue DataBrew
AWS Glue DataBrew is a visual data preparation tool that makes it easy for data analysts and data
scientists to clean and normalize data to prepare it for analytics and machine learning. Customers can
choose from pre-built transformations to automate data preparation tasks, all without the need to write
any code.

Amazon GuardDuty
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and
unauthorized behavior to protect the customers' AWS accounts and workloads. With the cloud, the
collection and aggregation of account and network activities is simplified, but it can be time consuming
for security teams to continuously analyze event log data for potential threats. With GuardDuty, the
customers now have an intelligent and cost-effective option for continuous threat detection in the AWS
Cloud.

AWS HealthImaging (Effective August 15, 2023)
AWS HealthImaging is a service that helps healthcare and life science organizations and their software
partners to store, analyze, and share medical imaging data at petabyte scale. With HealthImaging,
customers can reduce the total cost of ownership (TCO) of their medical imaging applications up to 40%
by running their medical imaging applications from a single copy of patient imaging data in the cloud. With
sub-second image retrieval latencies for active and archive data, customers can realize the cost savings of
the cloud without sacrificing performance at the point-of-care. HealthImaging removes the burden of
managing infrastructure for customer imaging workflows so that they can focus on delivering quality
patient care.

AWS HealthLake
AWS HealthLake is a service offering healthcare and life sciences companies a complete view of individual
or patient population health data for query and analytics at scale. Using the HealthLake APIs, health
organizations can easily copy health data, such as imaging medical reports or patient notes, from
on-premises systems to a secure data lake in the cloud. HealthLake uses machine learning (ML) models to
automatically understand and extract meaningful medical information from the raw data, such as
medications, procedures, and diagnoses. HealthLake organizes and indexes information and stores it in
the Fast Healthcare Interoperability Resources (FHIR) industry standard format to provide a complete view
of each patient's medical history.

AWS HealthOmics (Effective August 15, 2023)
AWS HealthOmics helps Healthcare and Life Sciences organizations process, store, and analyze genomics
and other omics data at scale. The service supports a wide range of use cases, including DNA and RNA
sequencing (genomics and transcriptomics), protein structure prediction (proteomics), and more. By
simplifying infrastructure management for customers and removing the undifferentiated heavy lifting,
HealthOmics allows customers to generate deeper insights from their omics data, improve healthcare
outcomes, and advance scientific discoveries.

HealthOmics comprises three service components. Omics Storage efficiently ingests raw genomic
data into the Cloud, and it uses domain-specific compression to offer attractive storage prices to
customers. It also offers customers the ability to seamlessly access their data from various compute
environments. Omics Workflows runs bioinformatics workflows at scale in a fully-managed compute
environment. It supports three common bioinformatics domain-specific workflow languages. Omics
Analytics stores genomic variant and annotation data and allows customers to efficiently query and
analyze at scale.

AWS Identity and Access Management (IAM)
AWS Identity and Access Management is a web service that helps customers securely control access to
AWS resources for their users. Customers use IAM to control who can use their AWS resources
(authentication) and what resources they can use and in what ways (authorization). Customers can grant
other people permission to administer and use resources in their AWS account without having to share
their password or access key. Customers can grant different permissions to different people for different
resources. Customers can use IAM features to securely give applications that run on EC2 instances the
credentials that they need in order to access other AWS resources, like S3 buckets and RDS or DynamoDB
databases.

Amazon Inspector (Effective August 15, 2023)
Amazon Inspector is an automated vulnerability management service that continually scans AWS
workloads for software vulnerabilities and unintended network exposure. Amazon Inspector removes the
operational overhead associated with deploying and configuring a vulnerability management solution by
allowing customers to deploy Amazon Inspector across all accounts with a single step.

Amazon Inspector Classic
Amazon Inspector Classic is an automated security assessment service for customers seeking to improve
the security and compliance of applications deployed on AWS. Amazon Inspector Classic automatically
assesses applications for vulnerabilities or deviations from leading practices. After performing an
assessment, Amazon Inspector Classic produces a detailed list of security findings prioritized by level of
severity.

AWS IoT Core
AWS IoT Core is a managed cloud service that lets connected devices easily and securely interact with
cloud applications and other devices. AWS IoT Core provides secure communication and data processing
across different kinds of connected devices and locations so that customers can easily build IoT
applications such as industrial solutions and connected home solutions.

AWS IoT Device Defender (Effective August 15, 2023)
AWS IoT Device Defender is a security service that allows customers to audit the configuration of their
devices, monitor connected devices to detect abnormal behavior, and mitigate security risks. It gives
customers the ability to enforce consistent security policies across their AWS IoT device fleet and respond
quickly when devices are compromised. AWS IoT Device Defender provides tools to identify security issues
and deviations from best practices. AWS IoT Device Defender can audit device fleets to ensure they adhere
to security best practices and detect abnormal behavior on devices.

AWS IoT Device Management
AWS IoT Device Management provides customers with the ability to securely onboard, organize, and
remotely manage IoT devices at scale. With AWS IoT Device Management, customers can register their
connected devices individually or in bulk and manage permissions so that devices remain secure.
Customers can also organize their devices, monitor and troubleshoot device functionality, query the state
of any IoT device in the fleet, and send firmware updates over-the-air (OTA). AWS IoT Device Management
is agnostic to device type and OS, so customers can manage devices from constrained microcontrollers to
connected cars all with the same service. AWS IoT Device Management allows customers to scale their
fleets and reduce the cost and effort of managing large and diverse IoT device deployments.

AWS IoT TwinMaker (Effective August 15, 2023)
AWS IoT TwinMaker makes it easier for developers to create digital twins of real-world systems such as
buildings, factories, industrial equipment, and production lines. AWS IoT TwinMaker provides the tools
customers need to build digital twins to help them optimize building operations, increase production
output, and improve equipment performance. With the ability to use existing data from multiple sources,
create virtual representations of any physical environment, and combine existing 3D models with
real-world data, customers can now harness digital twins to create a holistic view of their operations faster
and with less effort.

AWS IoT Events
AWS IoT Events is a service that detects events across thousands of IoT sensors sending different
telemetry data, such as temperature from a freezer, humidity from respiratory equipment, and belt speed
on a motor. Customers can select the relevant data sources to ingest, define the logic for each event using
simple 'if-then-else' statements, and select the alert or custom action to trigger when an event occurs.
IoT Events continuously monitors data from multiple IoT sensors and applications, and it integrates with
other services, such as AWS IoT Core, to enable early detection and unique insights into events. IoT Events
automatically triggers alerts and actions in response to events based on the logic defined to resolve issues
quickly, reduce maintenance costs, and increase operational efficiency.

AWS IoT Greengrass

AWS IoT Greengrass seamlessly extends AWS to edge devices so they can act locally on the data they
generate, while still using the cloud for management, analytics, and durable storage. With AWS IoT
Greengrass, connected devices can run AWS Lambda functions, execute predictions based on machine
learning models, keep device data in sync, and communicate with other devices securely, even when not
connected to the Internet.

AWS IoT SiteWise
AWS IoT SiteWise is a service that enables industrial enterprises to collect, store, organize, and visualize
thousands of sensor data streams across multiple industrial facilities. AWS IoT SiteWise includes software
that runs on a gateway device that sits onsite in a facility, continuously collects the data from a historian
or a specialized industrial server, and sends it to the AWS Cloud. With the service, customers can skip
months of developing undifferentiated data collection and cataloging solutions, and focus on using their
data to detect and fix equipment issues, spot inefficiencies, and improve production output.

Amazon Kendra
Amazon Kendra is an intelligent search service powered by machine learning. Kendra reimagines
enterprise search for customer websites and applications so employees and customers can easily find
content, even when it's scattered across multiple locations and content repositories.

AWS Key Management Service (KMS)
AWS Key Management Service (KMS) allows users to create and manage cryptographic keys. One class of
keys, KMS keys, are designed to never be exposed in plaintext outside the service. KMS keys can be used
to encrypt data directly submitted to the service. KMS keys can also be used to protect other types of
keys, Data Keys, which are created by the service and returned to the user's application for local use.
AWS KMS only creates and returns data keys to users; the service does not store or manage data keys.

AWS KMS is integrated with several AWS services so that users can request that resources in those
services are encrypted with unique data keys provisioned by KMS that are protected by a KMS key the
user chooses at the time the resource is created (Control AWSCA-4.6). See in-scope services integrated
with KMS at https://aws.amazon.com/kms/. Integrated services use the data keys from AWS KMS. Data
keys provisioned by AWS KMS are encrypted with a 256-bit key unique to the customer's account under
a defined mode of AES (Advanced Encryption Standard) (Control AWSCA-4.7).

When a customer requests AWS KMS to create a KMS key, the service creates a key ID for the KMS key
and key material, referred to as a backing key, which is tied to the key ID of the KMS key. The 256-bit
backing key can only be used for encrypt or decrypt operations by the service (Control AWSCA-4.10). KMS
will generate an associated key ID if a customer chooses to import their own key. If the customer chooses
to enable key rotation for a KMS key with a backing key that the service generated, AWS KMS will create
a new version of the backing key for each rotation event, but the key ID remains the same (Control
AWSCA-4.11). All future encrypt operations under the key ID will use the newest backing key, while all
previous versions of backing keys are retained to decrypt ciphertexts created under the previous version
of the key. Backing keys and customer-imported keys are encrypted under AWS-controlled keys when
created/imported and they are only ever stored on disk in encrypted form.
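
The envelope encryption and rotation behaviour the KMS passages above describe (data keys generated by the service and returned to the caller but never stored by it, Controls AWSCA-4.6 and 4.7; one backing key per key ID, with every previous version retained after rotation so older ciphertext still decrypts, Controls AWSCA-4.10 and 4.11), as an added example in Go that is not AWS code: a constructed mock of the service that keeps its backing keys internal and tags each ciphertext with the backing key version it was sealed under, plus an envelope routine that seals data locally under a data key the mock never retains. The names `MockKMS`, `SealEnvelope` and `OpenEnvelope`, the blob layout, and the choice of AES-GCM are assumptions of this sketch; the page says only "a defined mode of AES".

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// MockKMS is a constructed stand-in for the service, not AWS code. Each key ID
// maps to its backing key versions: index 0 is the original and every rotation
// appends one. Backing keys never leave this struct.
type MockKMS struct{ backing map[string][][]byte }

func NewMockKMS() *MockKMS { return &MockKMS{backing: map[string][][]byte{}} }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// gcm wraps a 256-bit key in AES-GCM (the AES mode is an assumption here).
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// CreateKey returns a new key ID bound to a freshly generated 256-bit backing key.
func (k *MockKMS) CreateKey() string {
	id := fmt.Sprintf("key-%x", randomBytes(8))
	k.backing[id] = [][]byte{randomBytes(32)}
	return id
}

// RotateKey appends a new backing key version; the key ID does not change.
func (k *MockKMS) RotateKey(id string) { k.backing[id] = append(k.backing[id], randomBytes(32)) }

// Versions reports how many backing key versions a key ID has accumulated.
func (k *MockKMS) Versions(id string) int { return len(k.backing[id]) }

// Encrypt seals plaintext under the newest backing key. Blob layout:
// version(4 bytes) || nonce || ciphertext, with the key ID bound as
// associated data so a blob cannot be opened under another key ID.
func (k *MockKMS) Encrypt(id string, plaintext []byte) ([]byte, error) {
	versions, ok := k.backing[id]
	if !ok {
		return nil, errors.New("unknown key id")
	}
	version := len(versions) - 1
	aead := gcm(versions[version])
	nonce := randomBytes(aead.NonceSize())
	blob := make([]byte, 4)
	binary.BigEndian.PutUint32(blob, uint32(version))
	blob = append(blob, nonce...)
	return aead.Seal(blob, nonce, plaintext, []byte(id)), nil
}

// Decrypt uses the retained backing key named by the version prefix, which is
// what keeps ciphertext sealed before a rotation readable afterwards.
func (k *MockKMS) Decrypt(id string, blob []byte) ([]byte, error) {
	versions, ok := k.backing[id]
	if !ok || len(blob) < 4 {
		return nil, errors.New("unknown key id or truncated blob")
	}
	version := int(binary.BigEndian.Uint32(blob[:4]))
	if version >= len(versions) {
		return nil, errors.New("unknown backing key version")
	}
	aead := gcm(versions[version])
	ns := aead.NonceSize()
	if len(blob) < 4+ns {
		return nil, errors.New("truncated blob")
	}
	return aead.Open(nil, blob[4:4+ns], blob[4+ns:], []byte(id))
}

// Envelope is what an integrated service would store: data sealed locally
// under a data key, plus that data key sealed by KMS. The plaintext data key
// exists only in the caller's memory; the mock keeps no copy of it.
type Envelope struct {
	KeyID                          string
	EncryptedKey, Nonce, Ciphertext []byte
}

func SealEnvelope(k *MockKMS, id string, data []byte) (Envelope, error) {
	dataKey := randomBytes(32)            // GenerateDataKey: plaintext copy for local use...
	encKey, err := k.Encrypt(id, dataKey) // ...and a copy sealed under the KMS key
	if err != nil {
		return Envelope{}, err
	}
	aead := gcm(dataKey)
	nonce := randomBytes(aead.NonceSize())
	return Envelope{id, encKey, nonce, aead.Seal(nil, nonce, data, nil)}, nil
}

func OpenEnvelope(k *MockKMS, e Envelope) ([]byte, error) {
	dataKey, err := k.Decrypt(e.KeyID, e.EncryptedKey)
	if err != nil {
		return nil, err
	}
	return gcm(dataKey).Open(nil, e.Nonce, e.Ciphertext, nil)
}

func main() {
	kms := NewMockKMS()
	id := kms.CreateKey()
	env := must(SealEnvelope(kms, id, []byte("customer record")))
	kms.RotateKey(id) // new backing key version, same key ID
	data, err := OpenEnvelope(kms, env)
	fmt.Printf("versions=%d recovered=%q err=%v\n", kms.Versions(id), data, err)
}
```

The version prefix is the detail that makes rotation safe to switch on: new `Encrypt` calls move to the newest backing key automatically, while an envelope sealed months earlier still names the version that can open it.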

All requests to AWS KMS APIs are logged and available in the AWS CloudTrail of the requester and the
owner of the key. The logged requests provide information about who made the request, under which
KMS key, and describe the AWS resource that was protected through the use of the
KMS key. These log events are visible to the customer after turning on AWS CloudTrail in their account
(Control AWSCA-4.8).

AWS KMS creates and manages multiple distributed replicas of KMS keys and key metadata automatically
to enable high availability and data durability. KMS keys themselves are regional objects; KMS keys can
only be used in the AWS region in which they were created. KMS keys are only stored on persistent disk
in encrypted form and in two separate storage systems to ensure durability. When a KMS key is needed
to fulfill an authorized customer request, it is retrieved from storage, decrypted on one of many AWS KMS
hardened security modules (HSM) in the region, then used only in memory to execute the cryptographic
operation (e.g., encrypt or decrypt). Future requests to use the KMS key each require the decryption of
the KMS key in memory for another one-time use.

AWS KMS endpoints are only accessible via TLS using the following cipher suites that support forward
secrecy (Control AWSCA-4.9):

• AES_256_GCM_SHA384
• AES_128_GCM_SHA256
• CHACHA20_POLY1305_SHA256
• ECDHE_RSA_WITH_AES_256_GCM_SHA384
• ECDHE_RSA_WITH_AES_128_GCM_SHA256
• ECDHE_RSA_WITH_AES_256_CBC_SHA384
• ECDHE_RSA_WITH_AES_256_CBC_SHA
• ECDHE_RSA_WITH_AES_128_CBC_SHA256
• ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
• DHE_RSA_WITH_AES_256_CBC_SHA256
• DHE_RSA_WITH_AES_128_CBC_SHA256
• DHE_RSA_WITH_AES_256_CBC_SHA
• DHE_RSA_WITH_AES_128_CBC_SHA
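
A client-side counterpart to the forward-secrecy requirement above, as an added example in Go that is neither AWS code nor the actual endpoint configuration: it classifies a cipher suite as forward-secret from the IANA name Go reports for it (every TLS 1.3 suite, and TLS 1.2 suites whose key exchange is ECDHE or DHE) and builds a `tls.Config` that permits only those suites. Go's standard library implements no DHE suites, so the DHE entries in the list above cannot appear in the resulting config; `ForwardSecret`, `ForwardSecretSuites` and `ClientConfig` are names chosen for this sketch.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// ForwardSecret reports whether a cipher suite provides forward secrecy,
// judged by the IANA name Go reports for it: every TLS 1.3 suite does, and a
// TLS 1.2 suite does only when its key exchange is ECDHE or DHE. Static RSA
// key exchange (names starting TLS_RSA_) and IDs Go does not know return false.
func ForwardSecret(id uint16) bool {
	name := tls.CipherSuiteName(id)
	switch {
	case strings.HasPrefix(name, "TLS_AES_"), strings.HasPrefix(name, "TLS_CHACHA20_"):
		return true // TLS 1.3: the key exchange is always ephemeral
	case strings.Contains(name, "_ECDHE_"), strings.Contains(name, "_DHE_"):
		return true
	}
	return false
}

// ForwardSecretSuites filters Go's supported, non-insecure suite list down to
// the forward-secret ones. Go implements no DHE suites, so none appear here.
func ForwardSecretSuites() []uint16 {
	var ids []uint16
	for _, s := range tls.CipherSuites() {
		if ForwardSecret(s.ID) {
			ids = append(ids, s.ID)
		}
	}
	return ids
}

// ClientConfig is a client-side allow-list: TLS 1.2 or newer, and only
// forward-secret suites for the TLS 1.2 handshake. The CipherSuites field does
// not govern TLS 1.3, where Go negotiates only forward-secret suites anyway.
func ClientConfig() *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: ForwardSecretSuites(),
	}
}

func main() {
	for _, id := range ClientConfig().CipherSuites {
		fmt.Println(tls.CipherSuiteName(id))
	}
	fmt.Println("static RSA key exchange accepted:", ForwardSecret(tls.TLS_RSA_WITH_AES_128_GCM_SHA256))
}
```

Pinning the client this way means a downgrade to a non-forward-secret suite fails the handshake on the client rather than relying solely on the server's policy.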

By design, no one can gain access to KMS key material. KMS keys are only ever present on hardened
security modules for the amount of time needed to perform cryptographic operations under them. AWS
employees have no tools to retrieve KMS keys from these hardened security modules. In addition,
multi-party access controls are enforced for operations on these hardened security modules that involve
changing the software configuration or introducing new hardened security modules into the service.
These multi-party access controls minimize the possibility of an unauthorized change to the hardened
security modules, exposing key material outside the service, or allowing unauthorized use of customer
keys (Control AWSCA-4.5). Additionally, key material used for disaster recovery processes by KMS is
physically secured such that no AWS employee can gain access (Control AWSCA-4.12). Access attempts
to recovery key materials are reviewed by authorized operators on a periodic basis (Control AWSCA-4.13).
Roles and responsibilities for those cryptographic custodians with access to systems that store or use key
material are formally documented and acknowledged (Control AWSCA-1.6).

Rw
Amazon Keyspaces (for Apache Cassandra)
Amazon Keyspaces (for Apache Cassandra) is a scalable, highly available Apache Cassandra–compatible
database service. With Amazon Keyspaces, customers can run Cassandra workloads on AWS using the
same Cassandra application code and developer tools that customers use today. Amazon Keyspaces is

ab
serverless and gives customers the performance, elasticity, and enterprise features customers need to
operate business-critical Cassandra workloads at scale.

Amazon Managed Service for Apache Flink
Amazon Managed Service for Apache Flink is an easy way for customers to analyze streaming data, gain
actionable insights, and respond to business and customer needs in real time. Amazon Managed Service
for Apache Flink reduces the complexity of building, managing, and integrating streaming applications
with other AWS services. SQL users can easily query streaming data or build entire streaming applications
using templates and an interactive SQL editor. Java developers can quickly build sophisticated streaming
applications using open source Java libraries and AWS integrations to transform and analyze data in real
time.
Amazon Data Firehose
Amazon Data Firehose is a reliable way to load streaming data into data stores and analytics tools. It can
capture, transform, and load streaming data into Amazon S3, Amazon Redshift, and Amazon OpenSearch
Service, enabling near real-time analytics with the existing business intelligence tools and dashboards
customers are already using today. The service automatically scales to match the throughput of the
customers' data and requires no ongoing administration. It can also batch, compress, transform, and
encrypt the data before loading it, minimizing the amount of storage used at the destination and
increasing security.

Amazon Kinesis Data Streams
Amazon Kinesis Data Streams is a massively scalable and durable real-time data streaming service. Kinesis
Data Streams can continuously capture gigabytes of data per second from hundreds of thousands of
sources such as website clickstreams, database event streams, financial transactions, social media feeds,
IT logs and location-tracking events. The collected data is available in milliseconds to enable real-time
analytics use cases such as real-time dashboards, real-time anomaly detection, dynamic pricing and more.
Amazon Kinesis Video Streams
Amazon Kinesis Video Streams makes it easy to securely stream video from connected devices to AWS for
analytics, machine learning (ML), playback, and other processing. Kinesis Video Streams automatically
provisions and elastically scales the infrastructure needed to ingest streaming video data from millions of
devices. It also durably stores, encrypts, and indexes video data in the streams, and allows customers
to access their data through easy-to-use APIs. Kinesis Video Streams enables customers to play back
video for live and on-demand viewing, and quickly build applications that take advantage of computer
vision and video analytics.

Proprietary and Confidential Information - Trade Secret
©2024 Amazon.com, Inc. or its affiliates
61

Amazon Location Service
Amazon Location Service makes it easy for developers to add location functionality to applications without
compromising data security and user privacy. With Amazon Location Service, customers can build
applications that provide maps and points of interest, convert street addresses into geographic
coordinates, calculate routes, track resources, and trigger actions based on location. Amazon Location
Service uses high-quality geospatial data to provide maps, places, routes, tracking, and geofencing.

AWS Lake Formation
AWS Lake Formation is an integrated data lake service that makes it easy for customers to ingest, clean,
catalog, transform, and secure their data and make it available for analysis and ML. AWS Lake Formation
gives customers a central console where they can discover data sources, set up transformation jobs to
move data to an Amazon Simple Storage Service (S3) data lake, remove duplicates and match records,
catalog data for access by analytic tools, configure data access and security policies, and audit and control
access from AWS analytic and ML services. Lake Formation automatically manages access to the registered
data in Amazon S3 through services including AWS Glue, Amazon Athena, Amazon Redshift, Amazon
QuickSight, and Amazon EMR to ensure compliance with customer-defined policies. With AWS Lake
Formation, customers can configure and manage their data lake without manually integrating multiple
underlying AWS services.

AWS Lambda
AWS Lambda lets customers run code without provisioning or managing servers on their own. AWS
Lambda uses a compute fleet of Amazon Elastic Compute Cloud (Amazon EC2) instances across multiple
AZs in a region, which provides the high availability, security, performance, and scalability of the AWS
infrastructure.
Amazon Lex
Amazon Lex is a service for building conversational interfaces into any application using voice and text.
Amazon Lex provides the advanced deep learning functionalities of automatic speech recognition (ASR)
for converting speech to text, and natural language understanding (NLU) to recognize the intent of the
text, to enable customers to build applications with highly engaging user experiences and lifelike
conversational interactions. Amazon Lex scales automatically, so customers do not need to worry about
managing infrastructure.
AWS License Manager
AWS License Manager makes it easier to manage licenses in AWS and on-premises servers from software
vendors. AWS License Manager allows customers' administrators to create customized licensing rules that
emulate the terms of their licensing agreements, and then enforces these rules when an EC2 instance is
launched. Customer administrators can use these rules to limit licensing violations, such as using
more licenses than an agreement stipulates or reassigning licenses to different servers on a short-term
basis. The rules in AWS License Manager also enable customers to limit a licensing breach by stopping the
instance from launching or by notifying the customer administrators about the infringement. Customer
administrators gain control and visibility of all their licenses with the AWS License Manager dashboard
and reduce the risk of non-compliance, misreporting, and additional costs due to licensing overages.

AWS License Manager integrates with AWS services to simplify the management of licenses across
multiple AWS accounts, IT catalogs, and on-premises, through a single AWS account.

Amazon Macie
Amazon Macie is a data security and data privacy service that uses machine learning and pattern matching
to help customers discover, monitor, and protect their sensitive data in AWS.

Macie automates the discovery of sensitive data, such as personally identifiable information (PII) and
financial data, to provide customers with a better understanding of the data the organization stores in
Amazon Simple Storage Service (Amazon S3). Macie also provides customers with an inventory of their S3
buckets, and it automatically evaluates and monitors those buckets for security and access control. Within
minutes, Macie can identify and report overly permissive or unencrypted buckets for the organization.

If Macie detects sensitive data or potential issues with the security or privacy of customer content, it
creates detailed findings for customers to review and remediate as necessary. Customers can review and
analyze these findings directly in Macie, or monitor and process them by using other services, applications,
and systems.

AWS Mainframe Modernization (Effective February 15, 2024)
AWS Mainframe Modernization is an elastic mainframe service and set of development tools for migrating
and modernizing mainframe and legacy workloads. Using Mainframe Modernization, customers and system
integrators can discover mainframe and legacy workloads, assess and analyze migration readiness, and plan
migration and modernization projects. Once planning is complete, customers can use the Mainframe
Modernization built-in development tools to replatform or refactor their mainframe and legacy
workloads, test workload performance and functionality, and migrate their data to AWS.
Amazon Managed Grafana
Amazon Managed Grafana is a managed service for open source Grafana, providing interactive data visualization
for monitoring and operational data. Using Amazon Managed Grafana, customers can visualize, analyze,
and alarm on their metrics, logs, and traces collected from multiple data sources in their observability
system, including AWS, third-party ISVs, and other resources across their IT portfolio. Amazon Managed
Grafana offloads the operational management of Grafana by automatically scaling compute and database
infrastructure as usage demands increase, with automated version updates and security
patching. Amazon Managed Grafana natively integrates with AWS services so customers can securely add,
query, visualize, and analyze their AWS data across multiple accounts and regions with a few clicks in the
AWS Console. Amazon Managed Grafana integrates with AWS IAM Identity Center and supports Security
Assertion Markup Language (SAML) 2.0, so customers can restrict access to specific dashboards and
data sources to only certain users in their corporate directory.

AWS Managed Services
AWS Managed Services provides ongoing management of a customer's AWS infrastructure. AWS
Managed Services automates common activities such as change requests, monitoring, patch
management, security, and backup services, and provides full-lifecycle services to provision, run, and
support a customer's infrastructure.

Amazon Managed Service for Prometheus
Amazon Managed Service for Prometheus is a Prometheus-compatible monitoring and alerting service
that facilitates monitoring of containerized applications and infrastructure at scale. The Cloud Native
Computing Foundation's Prometheus project is an open source monitoring and alerting solution
optimized for container environments. With Amazon Managed Service for Prometheus, customers can
use the open source Prometheus query language (PromQL) to monitor and alert on the performance of
containerized workloads, without having to scale and operate the underlying infrastructure. Amazon
Managed Service for Prometheus automatically scales the ingestion, storage, alerting, and querying of
operational metrics as workloads grow or shrink, and it is integrated with AWS security services to enable
fast and secure access to data.

Amazon Managed Workflows for Apache Airflow (Amazon MWAA)
Amazon Managed Workflows for Apache Airflow is a service for Apache Airflow that lets customers use
their current, familiar Apache Airflow platform to orchestrate their workflows. Customers gain improved
scalability, availability, and security without the operational burden of managing underlying
infrastructure. Amazon Managed Workflows for Apache Airflow orchestrates customers' workflows using
Directed Acyclic Graphs (DAGs) written in Python. Customers provide Amazon Managed Workflows for
Apache Airflow an Amazon Simple Storage Service (S3) bucket where their DAGs, plugins, and
Python requirements reside. Then customers can run and monitor their DAGs from the AWS Management
Console, a command line interface (CLI), a software development kit (SDK), or the Apache Airflow user
interface (UI).
Amazon Managed Streaming for Apache Kafka
Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a service that makes it easy for customers to build and
run applications that use Apache Kafka to process streaming data. Apache Kafka is an open-source
platform for building real-time streaming data pipelines and applications. With Amazon MSK, customers
can use Apache Kafka APIs to populate data lakes, stream changes to and from databases, and power
machine learning and analytics applications.

Amazon MemoryDB (formerly known as Amazon MemoryDB for Redis)
Amazon MemoryDB is a Redis-compatible, durable, in-memory database service. It is purpose-built for
modern applications with microservices architectures.

Amazon MemoryDB is compatible with Redis, an open source data store, enabling customers to quickly
build applications using the same flexible Redis data structures, APIs, and commands that they already
use today. With Amazon MemoryDB, all of the customer's data is stored in memory, which enables the
customer to achieve microsecond read and single-digit millisecond write latency and high throughput.
Amazon MemoryDB also stores data durably across multiple AZs using a distributed transactional log to
enable fast failover, database recovery, and node restarts. Delivering both in-memory performance and
Multi-AZ durability, Amazon MemoryDB can be used as a high-performance primary database for
microservices applications, eliminating the need to separately manage both a cache and a durable database.
Amazon MQ
Amazon MQ is a managed message broker service for Apache ActiveMQ that sets up and operates
message brokers in the cloud. Message brokers allow different software systems, often using different
programming languages and running on different platforms, to communicate and exchange information.
Messaging is the communications backbone that connects and integrates the components of distributed
applications, such as order processing, inventory management, and order fulfillment for e-commerce.
Amazon MQ manages the administration and maintenance of ActiveMQ, a popular open-source message
broker.

Amazon Neptune
Amazon Neptune is a fast and reliable graph database service that makes it easy to build and run
applications that work with highly connected datasets. The core of Amazon Neptune is a purpose-built,
high-performance graph database engine optimized for storing billions of relationships and querying the
graph with millisecond latency. Amazon Neptune supports the popular graph models Property Graph and
W3C's RDF, and their respective query languages Apache TinkerPop Gremlin and SPARQL, allowing
customers to easily build queries that efficiently navigate highly connected datasets. Neptune powers
graph use cases such as recommendation engines, fraud detection, knowledge graphs, drug discovery,
and network security.

AWS Health Dashboard
AWS Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that
may impact customers. In addition to displaying the general status of AWS services, the AWS Health
Dashboard gives customers a personalized view into the performance and availability of the AWS services
underlying their AWS resources.

The dashboard displays relevant and timely information to help customers manage events in progress and
provides proactive notification to help customers plan for scheduled activities. With AWS Health
Dashboard, alerts are triggered by changes in the health of AWS resources, giving event visibility and
guidance to help quickly diagnose and resolve issues.


AWS Network Firewall
AWS Network Firewall is a stateful, managed network firewall and intrusion detection and prevention
service for customers' virtual private clouds (VPCs). With Network Firewall, customers can filter traffic at the
perimeter of their VPC. This includes filtering traffic going to and coming from an internet gateway,
NAT gateway, or over VPN or AWS Direct Connect.
n-

Amazon OpenSearch Service
Amazon OpenSearch Service is a service that makes it easy for customers to deploy, secure, and
operate OpenSearch cost effectively at scale. Amazon OpenSearch Service lets customers pay only for
what they use; there are no upfront costs or usage requirements. With Amazon OpenSearch Service,
customers get the ELK stack they need, without the operational overhead.
AWS OpsWorks Stacks
AWS OpsWorks Stacks is an application and server management service. OpsWorks Stacks lets customers
manage applications and servers on AWS and on-premises. With OpsWorks Stacks, customers can model
their application as a stack containing different layers, such as load balancing, database, and application
server. They can deploy and configure Amazon EC2 instances in each layer or connect other resources
such as Amazon RDS databases. OpsWorks Stacks also lets customers set automatic scaling for their
servers based on preset schedules or in response to changing traffic levels, and it uses lifecycle hooks to
orchestrate changes as their environment scales.

AWS OpsWorks (includes Chef Automate, Puppet Enterprise)
AWS OpsWorks for Chef Automate is a configuration management service that hosts Chef Automate, a
suite of automation tools from Chef for configuration management, compliance and security, and
continuous deployment. OpsWorks also maintains customers' Chef server by automatically patching,
updating, and backing up customer servers. OpsWorks eliminates the need for customers to operate their
own configuration management systems or worry about maintaining their infrastructure. OpsWorks gives
customers access to all of the Chef Automate features, such as configuration and compliance
management, which customers manage through the Chef console or command line tools like Knife. It also
works seamlessly with customers' existing Chef cookbooks.

AWS OpsWorks for Puppet Enterprise is a configuration management service that hosts Puppet
Enterprise, a set of automation tools from Puppet for infrastructure and application management.
OpsWorks also maintains customers' Puppet master server by automatically patching, updating, and
backing up customers' servers. OpsWorks eliminates the need for customers to operate their own
configuration management systems or worry about maintaining their infrastructure. OpsWorks gives
customers access to all of the Puppet Enterprise features, which customers manage through the Puppet
console. It also works seamlessly with customers' existing Puppet code.

AWS Organizations
AWS Organizations helps customers centrally govern their environment as customers grow and scale their
workloads on AWS. Whether customers are a growing startup or a large enterprise, Organizations helps
customers to centrally manage billing; control access, compliance, and security; and share resources
across customer AWS accounts.

Using AWS Organizations, customers can automate account creation, create groups of accounts to reflect
their business needs, and apply policies for these groups for governance. Customers can also simplify
billing by setting up a single payment method for all of their AWS accounts. Through integrations with
other AWS services, customers can use Organizations to define central configurations and resource
sharing across accounts in their organization.
AWS Outposts
AWS Outposts is a service that extends AWS infrastructure, AWS services, APIs and tools to any data
center, co-location space, or on-premises facility for a consistent hybrid experience. AWS Outposts is
ideal for workloads that require low latency access to on-premises systems, local data processing or local
data storage. Outposts offers the same AWS hardware infrastructure, services, APIs and tools to build and
run applications on premises and in the cloud. AWS compute, storage, database and other services run
locally on Outposts, and customers can access the full range of AWS services available in the Region to
build, manage and scale on-premises applications. The Service Link between an Outpost and the
AWS Region is established over a secured VPN connection across the public internet or AWS Direct Connect
(Control AWSCA-3.17).

AWS Outposts are configured with a Nitro Security Key (NSK), which is designed to encrypt customer
content and give customers the ability to mechanically remove content from the device. Customer
content is cryptographically shredded if a customer removes the NSK from an Outpost device, that is,
the key needed to decrypt the content is no longer available to the device (Control AWSCA-7.9).

Additional information about security in AWS Outposts, including the shared responsibility model, can be
found in the AWS Outposts User Guide.

AWS Payment Cryptography (Effective February 15, 2024)
AWS Payment Cryptography is a managed service that can be used to replace the payments-specific
cryptography and key management functions that are usually provided by on-premises payment
hardware security modules (HSMs). This elastic, pay-as-you-go AWS API service allows credit, debit, and
payment processing applications to move to the cloud without the need for dedicated payment HSMs.

AWS Private Certificate Authority
AWS Private Certificate Authority (CA) is a managed private CA service that enables customers to easily and
securely manage the lifecycle of their private certificates. Private CA allows developers to be more agile
by providing them APIs to create and deploy private certificates programmatically. Customers also have
the flexibility to create private certificates for applications that require custom certificate lifetimes or
resource names. With Private CA, customers can create and manage private certificates for their
connected resources in one place with a secure, pay-as-you-go, managed private CA service.

Amazon Personalize
Amazon Personalize is a machine learning service that makes it easy for developers to create
individualized recommendations for customers using their applications. Amazon Personalize makes it easy
for developers to build applications capable of delivering a wide array of personalization experiences,
including specific product recommendations, personalized product re-ranking and customized direct
marketing. Amazon Personalize goes beyond rigid, static rule-based recommendation systems and trains,
tunes, and deploys custom machine learning models to deliver highly customized recommendations to
customers across industries such as retail, media and entertainment.


Amazon Pinpoint
Amazon Pinpoint helps customers engage with their customers by sending email, SMS, and mobile push
messages. Customers can use Amazon Pinpoint to send targeted messages (such as promotional alerts
and customer retention campaigns), as well as direct messages (such as order confirmations and password
reset messages) to their customers.
Amazon Polly
Amazon Polly is a service that turns text into lifelike speech, allowing customers to create applications
that talk, and build entirely new categories of speech-enabled products. Amazon Polly is a Text-to-Speech
service that uses advanced deep learning technologies to synthesize speech that sounds like a
human voice.

Amazon Quantum Ledger Database (QLDB)
Amazon Quantum Ledger Database (QLDB) is a ledger database that provides a transparent, immutable
and cryptographically verifiable transaction log owned by a central trusted authority. Amazon QLDB can
be used to track each and every application data change and maintains a complete and verifiable history
of changes over time.
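The verifiable-log property described above, as an added illustration that is not QLDB's own code, journal format or digest algorithm: a hash-chained, append-only journal in Python (standard library only) in which every block commits to the hash of its predecessor, the hash of the newest block serves as the published digest, and a reader holding that digest can check that a given record is in the covered history and detect any later alteration of stored data. All names, the sample account records and the proof layout are constructed for this example.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed illustration of a hash-chained, append-only journal.
# It shows the principle behind "immutable and cryptographically verifiable";
# it is not QLDB's journal format, digest algorithm or API.

GENESIS = b"\x00" * 32


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def canonical(doc: dict) -> bytes:
    # Deterministic serialization so equal documents always hash the same way.
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def block_hash(seq: int, prev_hash: bytes, content_hash: bytes) -> bytes:
    # A block commits to its position, the previous block's hash and its content.
    return sha256(seq.to_bytes(8, "big") + prev_hash + content_hash)


@dataclass
class Block:
    seq: int
    doc: dict
    prev_hash: bytes
    stored_hash: bytes = field(init=False)

    def __post_init__(self) -> None:
        self.stored_hash = block_hash(self.seq, self.prev_hash, sha256(canonical(self.doc)))


class Journal:
    """Append-only log; the hash of the newest block is the published digest."""

    def __init__(self) -> None:
        self._blocks: list[Block] = []

    def append(self, doc: dict) -> int:
        prev = self._blocks[-1].stored_hash if self._blocks else GENESIS
        self._blocks.append(Block(len(self._blocks), dict(doc), prev))
        return len(self._blocks) - 1

    def digest(self) -> bytes:
        return self._blocks[-1].stored_hash if self._blocks else GENESIS

    def block(self, seq: int) -> Block:
        return self._blocks[seq]

    def proof(self, seq: int) -> list[tuple[int, bytes]]:
        # Everything a reader needs to walk from block `seq` to the digest:
        # the sequence number and content hash of each later block.
        return [(b.seq, sha256(canonical(b.doc))) for b in self._blocks[seq + 1:]]

    def verify_chain(self) -> bool:
        # Full audit: recompute every hash from the stored content.
        prev = GENESIS
        for b in self._blocks:
            if b.prev_hash != prev:
                return False
            if block_hash(b.seq, b.prev_hash, sha256(canonical(b.doc))) != b.stored_hash:
                return False
            prev = b.stored_hash
        return True


def verify_record(seq: int, doc: dict, prev_hash: bytes,
                  proof: list[tuple[int, bytes]], digest: bytes) -> bool:
    # Recompute from the claimed record forward to the tip and compare with a
    # digest obtained independently (for example one published earlier).
    h = block_hash(seq, prev_hash, sha256(canonical(doc)))
    for later_seq, content_hash in proof:
        h = block_hash(later_seq, h, content_hash)
    return h == digest


def demo() -> tuple[bool, bool, bool]:
    # Constructed sample records, not real account data.
    j = Journal()
    j.append({"account": "acct-1", "balance": 100})
    seq = j.append({"account": "acct-1", "balance": 75, "txn": "debit 25"})
    j.append({"account": "acct-2", "balance": 10})
    digest = j.digest()
    b = j.block(seq)

    genuine = verify_record(seq, b.doc, b.prev_hash, j.proof(seq), digest)
    forged_doc = {"account": "acct-1", "balance": 750, "txn": "debit 25"}
    forged = verify_record(seq, forged_doc, b.prev_hash, j.proof(seq), digest)

    # Tampering with stored history breaks the chain on the next full audit.
    b.doc["balance"] = 750
    intact = j.verify_chain()
    return genuine, forged, intact


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The proof is only the content hashes of the blocks written after the record, so a reader can confirm that a record exists with exactly the claimed content without holding the whole journal; the forged-document check and the tampered-history check show the two directions a verifier cares about. The digest must be obtained through a channel the journal operator cannot rewrite, because a verifier that fetches the digest from the same place as the journal can be shown a consistently rewritten history.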

Amazon QuickSight
Amazon QuickSight is a fast, cloud-powered business analytics service that makes it easy to build
visualizations, perform ad-hoc analysis, and quickly get business insights from customers' data. Using this
cloud-based service, customers can connect to their data, perform advanced analysis, and create
visualizations and dashboards that can be accessed from any browser or mobile device.

Amazon Redshift
Amazon Redshift is a data warehouse service to analyze data using a customer's existing Business
Intelligence (BI) tools. Amazon Redshift also includes Redshift Spectrum, allowing customers to directly
run SQL queries against exabytes of unstructured data in Amazon S3.
Amazon Rekognition
The easy-to-use Rekognition API allows customers to automatically identify objects, people, text, scenes,
and activities, as well as detect any inappropriate content. Developers can quickly build a searchable
content library to optimize media workflows, enrich recommendation engines by extracting text in
images, or integrate secondary authentication into existing applications to enhance end-user security.
With a wide variety of use cases, Amazon Rekognition enables customers to easily add the benefits of
computer vision to their business.
Amazon Relational Database Service (RDS)
Amazon Relational Database Service (RDS) enables customers to set up, operate, and scale a relational
database in the cloud. Amazon RDS manages backups, software patching, automatic failure detection,
and recovery. It provides cost-efficient and resizable capacity while automating time-consuming
administration tasks such as hardware provisioning, database setup, patching and backups.
AWS Resilience Hub (Effective August 15, 2023)
AWS Resilience Hub helps customers improve the resiliency of their applications and reduce application-related
outages by uncovering resiliency weaknesses through continuous resiliency assessment and
validation. AWS Resilience Hub can also provide Standard Operating Procedures (SOPs) to help recover
applications on AWS when experiencing unplanned disruptions caused by software, deployment, or
operational problems. The service is designed for cloud-native applications that use highly available, fault
tolerant AWS services as building blocks.
AWS Resource Access Manager
AWS Resource Access Manager helps customers securely share their resources across AWS accounts,
within their organization or organizational units (OUs) in AWS Organizations, and with IAM roles and IAM
users for supported resource types. Customers are able to use AWS Resource Access Manager to share
transit gateways, subnets, AWS License Manager license configurations, Amazon Route 53 Resolver rules,
and more resource types.

AWS Resource Groups
AWS Resource Groups is a service that helps customers organize AWS resources into logical groupings.
These groups can represent an application, a software component, or an environment. Resource groups
can include more than fifty additional resource types, bringing the overall number of supported resource
types to seventy-seven. Some of these resource types include Amazon DynamoDB tables, AWS
Lambda functions, AWS CloudTrail trails, and many more. Customers can create resource groups that
accurately reflect their applications, and take action against those groups rather than against individual
resources.

AWS RoboMaker
AWS RoboMaker is a service that makes it easy to develop, test, and deploy intelligent robotics
applications at scale. RoboMaker extends the most widely used open-source robotics software
framework, Robot Operating System (ROS), with connectivity to cloud services. This includes AWS
machine learning services, monitoring services, and analytics services that enable a robot to stream data,
navigate, communicate, comprehend, and learn. RoboMaker provides a robotics development
environment for application development, a robotics simulation service to accelerate application testing,
and a robotics fleet management service for remote application deployment, update, and management.
Amazon Route 53
Amazon Route 53 provides a managed Domain Name System (DNS) web service. Amazon Route 53 connects
user requests to infrastructure running both inside and outside of AWS. Customers can use Amazon Route
53 to configure DNS health checks to route traffic to healthy endpoints or to independently monitor the
health of their application and its endpoints. Amazon Route 53 enables customers to manage traffic
globally through a variety of routing types, including Latency Based Routing, Geo DNS, and Weighted
Round Robin, and all of these routing types can be combined with DNS Failover. Amazon Route 53 also offers
Domain Name Registration: customers can purchase and manage domain names such as example.com,
and Amazon Route 53 will automatically configure DNS settings for their domains. For health checks, Amazon Route 53 sends
automated requests over the internet to a resource, such as a web server, to verify that it is reachable,
available, and functional. Customers can also choose to receive notifications when a resource becomes
unavailable and to route internet traffic away from unhealthy resources.
Amazon SageMaker (excludes Studio Lab, Public Workforce and Vendor Workforce for all features)
Amazon SageMaker is a platform that enables developers and data scientists to quickly and easily build,
train, and deploy machine learning models at any scale. Amazon SageMaker removes the barriers that
typically slow down developers who want to use machine learning.

Amazon SageMaker removes the complexity that holds back developer success with the process of
building, training, and deploying machine learning models at scale. Amazon SageMaker includes modules
that can be used together or independently to build, train, and deploy a customer's machine learning
models.
AWS Secrets Manager
AWS Secrets Manager helps customers protect secrets needed to access their applications, services, and
IT resources. The service enables customers to easily rotate, manage, and retrieve database credentials,
API keys, and other secrets throughout their lifecycle. Users and applications retrieve secrets with a call
to Secrets Manager APIs, eliminating the need to hardcode sensitive information in plain text. Secrets
Manager offers secret rotation with built-in integration for Amazon RDS, Amazon Redshift, and Amazon
DocumentDB. The service is also extensible to other types of secrets, including API keys and OAuth
tokens. In addition, Secrets Manager allows customers to control access to secrets using fine-grained
permissions and audit secret rotation centrally for resources in the AWS Cloud, third-party services, and
on-premises.

AWS Security Hub
AWS Security Hub gives customers a comprehensive view of their high-priority security alerts and
compliance status across AWS accounts. There are a range of powerful security tools at customers'
disposal, from firewalls and endpoint protection to vulnerability and compliance scanners. With Security
Hub, customers have a single place that aggregates, organizes, and prioritizes their security
alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector Classic, and
Amazon Macie, as well as from AWS Partner solutions. Findings are visually summarized on integrated
dashboards with actionable graphs and tables.
AWS Server Migration Service (SMS) (Deprecated April 1, 2024)
AWS Server Migration Service (SMS) is an agentless service which makes it easier and faster for customers
to migrate thousands of on-premises workloads to AWS. AWS SMS allows customers to automate,
schedule, and track incremental replications of live server volumes, making it easier for customers to
coordinate large-scale server migrations.

AWS Serverless Application Repository
The AWS Serverless Application Repository is a managed repository for serverless applications. It enables
teams, organizations, and individual developers to store and share reusable applications, and easily
assemble and deploy serverless architectures in powerful new ways. Using the Serverless Application
Repository, customers do not need to clone, build, package, or publish source code to AWS before
deploying it. Instead, customers can use pre-built applications from the Serverless Application Repository
in their serverless architectures, helping customers reduce duplicated work, ensure organizational best
practices, and get to market faster. Integration with AWS Identity and Access Management (IAM) provides
resource-level control of each application, enabling customers to publicly share applications with
everyone or privately share them with specific AWS accounts.

AWS Service Catalog
AWS Service Catalog allows customers to create and manage catalogs of IT services that are approved for use on AWS. These IT services can include everything from virtual machine images, servers, software, and databases to complete multi-tier application architectures. AWS Service Catalog allows customers to centrally manage commonly deployed IT services, and helps customers achieve consistent governance and meet their compliance requirements, while enabling users to quickly deploy only the approved IT services they need.

Proprietary and Confidential Information - Trade Secret
©2024 Amazon.com, Inc. or its affiliates
70
Section III – Description of the Amazon Web Services System

AWS Shield
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards web applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection.

Amazon Simple Email Service (SES)
Amazon Simple Email Service (SES) is a cost-effective, flexible and scalable email service that enables developers to send mail from within any application. Customers can configure Amazon SES to support several email use cases including transactional, marketing, or mass email communications. Amazon SES’ flexible IP deployment and email authentication options help drive higher deliverability and protect sender reputation, while providing sending analytics to measure the impact of each email. With Amazon SES, customers can send email securely, globally and at scale.

Amazon Simple Notification Service (SNS)
Amazon Simple Notification Service (SNS) is a web service to set up, operate, and send notifications. It provides developers the capability to publish messages from an application and deliver them to subscribers or other applications. Amazon SNS follows the “publish-subscribe” (pub-sub) messaging paradigm, with notifications being delivered to clients using a “push” mechanism. Using SNS requires defining a "Topic", setting policies on access and delivery of the Topic, subscribing consumers and designating delivery endpoints, and publishing messages to a Topic. Administrators define a Topic as an access point for publishing messages and allowing customers to subscribe to notifications. Security policies are applied to Topics to determine who can publish, who can subscribe, and to designate protocols supported.

Amazon Simple Queue Service (SQS)
Amazon Simple Queue Service (SQS) is a message queuing service that offers a distributed hosted queue for storing messages as they travel between computers. By using Amazon SQS, developers can move data between distributed components of their applications that perform different tasks, without losing messages or requiring each component to be always available. Amazon SQS allows customers to build an automated workflow, working in close conjunction with Amazon EC2 and the other AWS infrastructure web services.

Amazon SQS’ main components consist of a frontend request-router fleet, a backend data-storage fleet, a metadata cache fleet, and a dynamic workload management fleet. User queues are mapped to one or more backend clusters. Requests to read, write, or delete messages come into the frontends. The frontends contact the metadata cache to find out which backend cluster hosts that queue and then connect to nodes in that cluster to service the request.

For authorization, Amazon SQS has its own resource-based permissions system that uses policies written in the same language used for AWS IAM policies. User permissions for any Amazon SQS resource can be given either through the Amazon SQS policy system or the AWS IAM policy system, which is authorized by the AWS Identity and Access Management service. Such policies attached to a queue are used to specify which AWS Accounts have access to the queue, as well as the type of access and conditions.

Amazon Simple Storage Service (S3)
Amazon Simple Storage Service (S3) provides a web services interface that can be used to store and retrieve data from anywhere on the web. To provide customers with the flexibility to determine how, when, and to whom they wish to expose the information they store in AWS, Amazon S3 APIs provide both bucket and object-level access controls, with defaults that only permit authenticated access by the bucket and/or object creator. Unless a customer grants anonymous access, the first step before a user can access Amazon S3 is to be authenticated with a request signed using the user’s secret access key.

An authenticated user can read an object only if the user has been granted read permissions in an Access Control List (ACL) at the object level. An authenticated user can list the keys and create or overwrite objects in a bucket only if the user has been granted read and write permissions in an ACL at the bucket level. Bucket and object-level ACLs are independent; an object does not inherit ACLs from its bucket. Permissions to read or modify the bucket or object ACLs are themselves controlled by ACLs that default to creator-only access. Therefore, the customer maintains full control over who has access to its data.

Customers can grant access to their Amazon S3 data to other AWS users by AWS Account ID or email, or DevPay Product ID. Customers can also grant access to their Amazon S3 data to all AWS users or to everyone (enabling anonymous access).

Network devices supporting Amazon S3 are configured to only allow access to specific ports on other Amazon S3 server systems (Control AWSCA-3.7). External access to data stored in Amazon S3 is logged and the logs are retained for at least 90 days, including relevant access request information, such as the data accessor IP address, object, and operation (Control AWSCA-3.8).

Amazon Simple Workflow Service (SWF)
Amazon Simple Workflow Service (SWF) is an orchestration service for building scalable distributed applications. Often an application consists of several different tasks to be performed in a particular sequence driven by a set of dynamic conditions. Amazon SWF enables developers to architect and implement these tasks, run them in the cloud or on-premise and coordinate their flow. Amazon SWF manages the execution flow such that tasks are load balanced across the workers, inter-task dependencies are respected, concurrency is handled appropriately, and child workflows are executed.

Amazon SWF enables applications to be built by orchestrating tasks coordinated by a decider process. Tasks represent logical units of work and are performed by application components that can take any form, including executable code, scripts, web service calls, and human actions.

Developers implement workers to perform tasks. They run their workers either on cloud infrastructure, such as Amazon EC2, or off-cloud. Tasks can be long-running, may fail, may timeout and may complete with varying throughputs and latencies. Amazon SWF stores tasks for workers, assigns them when workers are ready, tracks their progress, and keeps their latest state, including details on their completion. To orchestrate tasks, developers write programs that get the latest state of tasks from Amazon SWF and use it to initiate subsequent tasks in an ongoing manner. Amazon SWF maintains an application’s execution state durably so that the application can be resilient to failures in individual application components.

Amazon SWF provides auditability by giving customers visibility into the execution of each step in the application. The Management Console and APIs let customers monitor all running executions of the application. The customer can zoom in on any execution to see the status of each task and its input and output data. To facilitate troubleshooting and historical analysis, Amazon SWF retains the history of executions for any number of days that the customer can specify, up to a maximum of 90 days.

The actual processing of tasks happens on compute resources owned by the end customer. Customers are responsible for securing these compute resources; for example, if a customer uses Amazon EC2 for workers, then they can restrict access to their instances in Amazon EC2 to specific AWS IAM users. In addition, customers are responsible for encrypting sensitive data before it is passed to their workflows and decrypting it in their workers.

Amazon SimpleDB
Amazon SimpleDB is a non-relational data store that allows customers to store and query data items via web services requests. Amazon SimpleDB then creates and manages multiple geographically distributed replicas of data automatically to enable high availability and data durability.

Data in Amazon SimpleDB is stored in domains, which are similar to database tables except that functions cannot be performed across multiple domains. Amazon SimpleDB APIs provide domain-level controls that only permit authenticated access by the domain creator.

Data stored in Amazon SimpleDB is redundantly stored in multiple physical locations as part of normal operation of those services. Amazon SimpleDB provides object durability by protecting data across multiple AZs on the initial write and then actively doing further replication in the event of device unavailability or detected bit-rot.

AWS IAM Identity Center
AWS IAM Identity Center is a cloud-based service that simplifies managing SSO access to AWS accounts and business applications. Customers can control SSO access and user permissions across all AWS accounts in AWS Organizations. Customers can also administer access to popular business applications and custom applications that support Security Assertion Markup Language (SAML) 2.0. In addition, AWS IAM Identity Center offers a user portal where users can find all their assigned AWS accounts, business applications, and custom applications in one place.

AWS Signer
AWS Signer is a managed code-signing service to ensure the trust and integrity of customer code. Customers validate code against a digital signature to confirm that the code is unaltered and from a trusted publisher. With AWS Signer, customer security administrators have a single place to define their signing environment, including what AWS Identity and Access Management (IAM) role can sign code and in what regions. AWS Signer manages the code-signing certificate public and private keys and enables central management of the code-signing lifecycle.

AWS Snowball
Snowball is a petabyte-scale data transport solution that uses secure appliances to transfer large amounts of data into and out of the AWS cloud. Using Snowball addresses common challenges with large-scale data transfers including high network costs, long transfer times, and security concerns. Transferring data with Snowball is simple and secure.

AWS Snowball Edge
AWS Snowball Edge is a 100TB data transfer device with on-board storage and compute capabilities. Customers can use Snowball Edge to move large amounts of data into and out of AWS, as a temporary storage tier for large local datasets, or to support local workloads in remote or offline locations. Snowball Edge connects to customers’ existing applications and infrastructure using standard storage interfaces, streamlining the data transfer process and minimizing setup and integration. Snowball Edge can cluster together to form a local storage tier and process customers’ data on-premises, helping ensure their applications continue to run even when they are not able to access the cloud.

AWS Snowmobile (Deprecated April 1, 2024)
AWS Snowmobile is an Exabyte-scale data transfer service used to move extremely large amounts of data to AWS. Customers can transfer their Exabyte data via a 45-foot long ruggedized shipping container, pulled by a semi-trailer truck. Snowmobile makes it easy to move massive volumes of data to the cloud, including video libraries, image repositories, or even a complete data center migration. After a customer’s data is loaded, Snowmobile is driven back to AWS where their data is imported into Amazon S3 or Amazon Glacier.

AWS Step Functions
AWS Step Functions is a web service that enables customers to coordinate the components of distributed applications and microservices using visual workflows. Customers can build applications from individual components that each perform a discrete function, or task, allowing them to scale and change applications quickly. Step Functions provides a reliable way to coordinate components and step through the functions of a customer’s application. Step Functions provides a graphical console to visualize the components of a customer’s application as a series of steps. It automatically triggers and tracks each step, and retries when there are errors, so the customer’s application executes in order and as expected, every time. Step Functions logs the state of each step, so when things do go wrong, customers can diagnose and debug problems quickly.

AWS Storage Gateway
The AWS Storage Gateway service connects customers’ off-cloud software appliances with cloud-based storage. The service enables organizations to store data in AWS’ highly durable cloud storage services: Amazon S3 and Amazon Glacier.

AWS Storage Gateway backs up data off-site to Amazon S3 in the form of Amazon EBS snapshots. AWS Storage Gateway transfers data to AWS and stores this data in either Amazon S3 or Amazon Glacier, depending on the use case and type of gateway used. There are three types of gateways: Tape, File, and Volume Gateways. The Tape Gateway allows customers to store more frequently accessed data in Amazon S3 and less frequently accessed data in Amazon Glacier.

The File Gateway allows customers to copy data to S3 and have those files appear as individual objects in S3. Volume gateways store data directly in Amazon S3 and allow customers to snapshot their data so that they can access previous versions of their data. These snapshots are captured as Amazon EBS Snapshots, which are also stored in Amazon S3. Both Amazon S3 and Amazon Glacier redundantly store these snapshots on multiple devices across multiple facilities, detecting and repairing any lost redundancy. The Amazon EBS snapshot provides a point-in-time backup that can be restored off-cloud or on a gateway running in Amazon EC2, or used to instantiate new Amazon EBS volumes. Data is stored within a single region that customers specify.

AWS Systems Manager
AWS Systems Manager gives customers visibility into and control of their infrastructure on AWS. AWS Systems Manager provides customers a unified user interface so that customers can view their operational data from multiple AWS services, and it allows customers to automate operational tasks across their AWS resources.

With AWS Systems Manager, customers can group resources, like Amazon EC2 instances, Amazon S3 buckets, or Amazon RDS instances, by application, view operational data for monitoring and troubleshooting, and take action on groups of resources.

Amazon Textract
Amazon Textract automatically extracts text and data from scanned documents. With Textract customers can quickly automate document workflows, enabling customers to process large volumes of document pages in a short period of time. Once the information is captured, customers can take action on it within their business applications to initiate next steps for a loan application or medical claims processing. Additionally, customers can create search indexes, build automated approval workflows, and better maintain compliance with document archival rules by flagging data that may require redaction.
Amazon Timestream
Amazon Timestream is a fast, scalable, and serverless time series database service for IoT and operational applications that makes it easy to store and analyze trillions of events per day up to 1,000 times faster and at as little as 1/10th the cost of relational databases. Amazon Timestream saves customers time and cost in managing the lifecycle of time series data by keeping recent data in memory and moving historical data to a cost optimized storage tier based upon user defined policies. Amazon Timestream's purpose-built query engine lets customers access and analyze recent and historical data together, without needing to specify explicitly in the query whether the data resides in the in-memory or cost-optimized tier. Amazon Timestream has built-in time series analytics functions, helping customers identify trends and patterns in data in real-time.

Amazon Transcribe
Amazon Transcribe makes it easy for customers to add speech-to-text capability to their applications. Audio data is virtually impossible for computers to search and analyze. Therefore, recorded speech needs to be converted to text before it can be used in applications.

Amazon Transcribe uses a deep learning process called automatic speech recognition (ASR) to convert speech to text quickly. Amazon Transcribe can be used to transcribe customer service calls, to automate closed captioning and subtitling, and to generate metadata for media assets to create a fully searchable archive.

Amazon Transcribe automatically adds punctuation and formatting so that the output closely matches the quality of manual transcription at a fraction of the time and expense.

AWS Transfer Family
AWS Transfer Family enables the transfer of files directly into and out of Amazon S3. With support for the Secure File Transfer Protocol (SFTP), also known as the Secure Shell (SSH) File Transfer Protocol, the File Transfer Protocol over SSL (FTPS) and the File Transfer Protocol (FTP), the AWS Transfer Family helps customers seamlessly migrate their file transfer workflows to AWS by integrating with existing authentication systems and providing DNS routing with Amazon Route 53.

Amazon Translate
Amazon Translate is a neural machine translation service that delivers fast, high-quality, and affordable language translation. Neural machine translation is a form of language translation automation that uses deep learning models to deliver more accurate and more natural sounding translation than traditional statistical and rule-based translation algorithms. Amazon Translate allows customers to localize content, such as websites and applications, for international users, and to easily translate large volumes of text efficiently.

AWS User Notifications (Effective August 15, 2023)
AWS User Notifications enables users to centrally configure and view notifications from AWS services, such as AWS Health events, Amazon CloudWatch alarms, or EC2 Instance state changes, in a consistent, human-friendly format. Users can view notifications across accounts, regions, and services in a Console Notifications Center, and configure delivery channels, like email, chat, and push notifications to the AWS Console mobile app, where they can receive these notifications. Notifications provide URLs to direct users to resources on the Management Console, to enable further action and remediation.

Amazon Virtual Private Cloud (VPC)
Amazon Virtual Private Cloud (VPC) enables customers to provision a logically isolated section of the AWS cloud where AWS resources can be launched in a virtual network defined by the customer. Customers can connect their existing infrastructure to the network isolated Amazon EC2 instances within their Amazon VPC, including extending their existing management capabilities, such as security services, firewalls and intrusion detection systems, to include their instances via a Virtual Private Network (VPN) connection. The VPN service provides end-to-end network isolation by using an IP address range of a customer’s choice, and routing all of their network traffic between their Amazon VPC and another network designated by the customer via an encrypted Internet Protocol security (IPsec) VPN.

Customers can optionally connect their VPC to the Internet by adding an Internet Gateway (IGW) or a NAT Gateway. An IGW allows bi-directional access to and from the internet for some instances in the VPC, based on the routes a customer defines (which specify which IP address traffic should be routable from the internet) and on Security Groups and Network ACLs (NACLs), which limit which instances can accept or send this traffic. Customers can also optionally configure a NAT Gateway, which allows egress-only traffic initiated from a VPC instance to reach the internet, but does not allow traffic initiated from the internet to reach VPC instances. This is accomplished by mapping the private IP addresses to a public address on the way out, and then mapping the public IP address back to the private address on the return trip.

The objective of this architecture is to isolate AWS resources and data in one Amazon VPC from another Amazon VPC, and to help prevent data from being transferred from outside the Amazon network except where the customer has specifically configured internet connectivity options or via an IPsec VPN connection to their off-cloud network.

Further details are provided below:

• Virtual Private Cloud (VPC): An Amazon VPC is an isolated portion of the AWS cloud within which customers can deploy Amazon EC2 instances into subnets that segment the VPC’s IP address range (as designated by the customer) and isolate Amazon EC2 instances in one subnet from another. Amazon EC2 instances within an Amazon VPC are accessible to customers via Internet Gateway (IGW), Virtual Gateway (VGW), Transit Gateway (TGW) or VPC Peerings established to the Amazon VPC (Control AWSCA-3.13 and AWSCA-3.15).
• IPsec VPN: An IPsec VPN connection connects a customer’s Amazon VPC to another network designated by the customer. IPsec is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. Amazon VPC customers can create an IPsec VPN connection to their Amazon VPC by first establishing an Internet Key Exchange (IKE) security association between their Amazon VPC VPN gateway and another network gateway using a pre-shared key as the authenticator. Upon establishment, IKE negotiates an ephemeral key to secure future IKE messages. An IKE security association cannot be established unless there is complete agreement among the parameters. Next, using the IKE ephemeral key, two keys in total are established between the VPN gateway and customer gateway to form an IPsec security association. Traffic between gateways is encrypted and decrypted using this security association. IKE automatically rotates the ephemeral keys used to encrypt traffic within the IPsec security association on a regular basis to ensure confidentiality of communications (Control AWSCA-3.14 and AWSCA-4.3).

AWS WAF
AWS WAF is a web application firewall that helps protect customer web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. Customers can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for their specific application. New rules can be deployed within minutes, letting customers respond quickly to changing traffic patterns. Also, AWS WAF includes a full-featured API that customers can use to automate the creation, deployment, and maintenance of web security rules.

AWS Wickr (Effective August 15, 2023)
AWS Wickr is an end-to-end encrypted service that helps organizations collaborate securely through one-to-one and group messaging, voice and video calling, file sharing, screen sharing, and more. AWS Wickr encrypts messages, calls, and files with a 256-bit end-to-end encryption protocol. Only the intended recipients and the customer organization can decrypt these communications, reducing the risk of adversary-in-the-middle attacks.

Amazon WorkDocs
Amazon WorkDocs is a secure content creation, storage and collaboration service. Users can share files, provide rich feedback, and access their files on WorkDocs from any device. WorkDocs encrypts data in transit and at rest, and offers powerful management controls, active directory integration, and near real-time visibility into file and user actions. The WorkDocs SDK allows users to use the same AWS tools they are already familiar with to integrate WorkDocs with AWS products and services, their existing solutions, third-party applications, or build their own.

Amazon WorkMail
Amazon WorkMail is a managed business email and calendaring service with support for existing desktop and mobile email clients. It allows access to email, contacts, and calendars using Microsoft Outlook, a browser, or native iOS and Android email applications. Amazon WorkMail can be integrated with a customer’s existing corporate directory and the customer controls both the keys that encrypt the data and the location (AWS Region) under which the data is stored.

Customers can create an organization in Amazon WorkMail, select the Active Directory they wish to integrate with, and choose their encryption key to apply to all customer content. After setup and validation of their mail domain, users from the Active Directory are selected or added, enabled for Amazon WorkMail, and given an email address identity inside the customer owned mail domain.

Amazon WorkSpaces
Amazon WorkSpaces is a managed desktop computing service in the cloud. Amazon WorkSpaces enables customers to deliver a high-quality desktop experience to end-users as well as help meet compliance and security policy requirements. When using Amazon WorkSpaces, an organization’s data is neither sent to nor stored on end-user devices. The PCoIP protocol used by Amazon WorkSpaces uses an interactive video stream to provide the desktop experience to the user while the data remains in the AWS cloud or in the organization’s off-cloud environment.

When Amazon WorkSpaces is integrated with a corporate Active Directory, each WorkSpace joins the Active Directory domain, and can be managed like any other desktop in the organization. This means that customers can use Active Directory Group Policies to manage their Amazon WorkSpaces and can specify configuration options that control the desktop, including those that restrict users’ abilities to use local storage on their devices. Amazon WorkSpaces also integrates with customers’ existing RADIUS server to enable multi-factor authentication (MFA).

Amazon WorkSpaces Secure Browser (formerly known as Amazon WorkSpaces Web)
Amazon WorkSpaces Secure Browser is an on-demand, managed service designed to facilitate secure browser access to internal websites and software-as-a-service (SaaS) applications. Customers can access the service from existing web browsers without infrastructure management, specialized client software, or virtual private network (VPN) solutions.

AWS X-Ray
AWS X-Ray helps developers analyze and debug production, distributed applications, such as those built using a microservices architecture. With X-Ray, customers or developers can understand how their application and its underlying services are performing to identify and troubleshoot the root cause of performance issues and errors. X-Ray provides an end-to-end view of requests as they travel through the customers’ application and shows a map of the application’s underlying components. Customers or developers can use X-Ray to analyze both applications in development and in production.

VM Import/Export
VM Import/Export is a service that enables customers to import virtual machine images from their existing environment to Amazon EC2 instances and export them back to their on premises environment. This offering allows customers to leverage their existing investments in the virtual machines that customers have built to meet their IT security, configuration management, and compliance requirements by bringing those virtual machines into Amazon EC2 as ready-to-use instances. Customers can also export imported instances back to their off-cloud virtualization infrastructure, allowing them to deploy workloads across their IT infrastructure.

D.5 Secure Data Handling

AWS provides many methods for customers to securely handle their data (Control Objective 4: Secure Data Handling). There are additional methods detailed in the Complementary User Entity Controls at the end of this section. AWS enables customers to open a secure, encrypted channel to AWS servers using HTTPS (TLS/SSL).

Amazon S3 provides a mechanism that enables users to utilize MD5 checksums to validate that data sent to AWS is bitwise identical to what is received, and that data sent by Amazon S3 is identical to what is received by the user. When customers choose to provide their own keys for encryption and decryption of Amazon S3 objects (S3 SSE-C), Amazon S3 does not store the encryption key provided by the customer. Amazon S3 generates and stores a one-way salted HMAC of the customer encryption key and that salted HMAC value is not logged (Control AWSCA-4.4).
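An added illustration, not part of this report or of Amazon S3's implementation, of the key-handling property described above: the store keeps a per-object salted HMAC of the customer-supplied key rather than the key itself, verifies later requests against it, and writes neither the key nor the HMAC to its access log (the class and method names are hypothetical, and the object body is left in clear to keep the focus on key handling).

```python
"""Illustration of SSE-C style key handling: the store retains only a salted
HMAC of the customer-supplied key, never the key, and never logs that HMAC.
Example code, not Amazon S3's implementation; names are hypothetical."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

KEY_LEN = 32  # SSE-C customer keys are 256-bit AES keys


@dataclass
class StoredObject:
    body: bytes
    salt: bytes       # fresh random salt per object
    key_hmac: bytes   # HMAC-SHA256(salt, customer_key); the key itself is never stored


@dataclass
class SseCObjectStore:
    """Hypothetical object store that verifies SSE-C keys via a stored salted HMAC."""
    objects: dict = field(default_factory=dict)
    access_log: list = field(default_factory=list)

    @staticmethod
    def _key_hmac(salt: bytes, customer_key: bytes) -> bytes:
        return hmac.new(salt, customer_key, hashlib.sha256).digest()

    @staticmethod
    def _check_key(customer_key: bytes) -> None:
        if len(customer_key) != KEY_LEN:
            raise ValueError("SSE-C key must be exactly 32 bytes")

    def put_object(self, name: str, body: bytes, customer_key: bytes) -> None:
        self._check_key(customer_key)
        salt = secrets.token_bytes(16)
        self.objects[name] = StoredObject(body, salt, self._key_hmac(salt, customer_key))
        # the log records the operation only; neither the key nor its HMAC is written
        self.access_log.append(f"PUT {name} sse-c=yes")

    def key_matches(self, name: str, customer_key: bytes) -> bool:
        """Recompute the salted HMAC from the supplied key and compare in constant time."""
        self._check_key(customer_key)
        obj = self.objects[name]
        return hmac.compare_digest(self._key_hmac(obj.salt, customer_key), obj.key_hmac)

    def get_object(self, name: str, customer_key: bytes) -> bytes:
        if not self.key_matches(name, customer_key):
            self.access_log.append(f"GET {name} sse-c=key-mismatch")
            raise PermissionError("customer-provided key does not match the object")
        self.access_log.append(f"GET {name} sse-c=ok")
        return self.objects[name].body

    def log_mentions_secret(self, customer_key: bytes) -> bool:
        """True if the raw key or any stored key HMAC shows up (hex-encoded) in the log."""
        sensitive = [customer_key.hex()] + [o.key_hmac.hex() for o in self.objects.values()]
        return any(s in line for line in self.access_log for s in sensitive)


if __name__ == "__main__":
    store = SseCObjectStore()
    key = secrets.token_bytes(KEY_LEN)  # constructed customer key
    store.put_object("report.pdf", b"constructed object body", key)
    assert store.get_object("report.pdf", key) == b"constructed object body"
    assert not store.key_matches("report.pdf", secrets.token_bytes(KEY_LEN))
    assert not store.log_mentions_secret(key)
    print("\n".join(store.access_log))
```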

Upon initial communication with an AWS-provided Windows AMI, AWS enables secure communication by configuring Terminal Services on the instance and generating a unique self-signed X.509 server certificate and delivering the certificate’s thumbprint to the user over a trusted channel (Control AWSCA-4.2).

AWS further enables secure communication with Linux AMIs, by configuring SSH on the instance, generating a unique host-key and delivering the key’s fingerprint to the user over a trusted channel (Control AWSCA-4.1).

Connections between customer applications and Amazon RDS MySQL instances can be encrypted using
zz

TLS/SSL. Amazon RDS generates a TLS/SSL certificate for each database instance, which can be used to
establish an encrypted connection using the default MySQL client. Once an encrypted connection is
established, data transferred between the database instance and a customer’s application will be
n-

encrypted during transfer. If customers require data to be encrypted while “at rest” in the database, the
customer application must manage the encryption and decryption of data. Additionally, customers can
ke

set up controls to have their database instances only accept encrypted connections for specific user
accounts.
-to

D.6 Physical Security and Environmental Protection

Amazon has significant experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS system and infrastructure (Control Objective 5: Physical Security and Environmental Protection). Refer to the “Amazon Web Services System Overview” section above for a list of in-scope data centers.

Proprietary and Confidential Information - Trade Secret
©2024 Amazon.com, Inc. or its affiliates
Section III – Description of the Amazon Web Services System
Physical Security
AWS provides physical access to its data centers for approved employees and contractors who have a legitimate business need for such privileges. Access to data centers must be approved by an authorized individual (Control AWSCA-5.1). All visitors are required to present identification and are signed in and escorted by authorized staff.

When an employee or contractor no longer requires these privileges, his or her access is promptly revoked, even if he or she continues to be an employee of Amazon or AWS. In addition, access is automatically revoked when an employee’s record is terminated in Amazon’s HR system (Control AWSCA-5.2). Cardholder access to data centers is reviewed quarterly. Cardholders marked for removal have their access automatically revoked as part of the review (Control AWSCA-5.3).

Physical access is controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff utilize multi-factor authentication mechanisms to access data center floors (Control AWSCA-5.4, AWSCA-5.5, and AWSCA-5.6).

In addition to the physical security controls, physical access to data centers in the GovCloud (US) region is restricted to employees or contractors who have been validated as a U.S. person (green card holder or citizen as defined by the U.S. Department of State).

Amazon owns and operates many of its data centers, while others are housed in colocation spaces that are offered by various reputable companies under contract with Amazon. The physical access and security controls described above are also deployed by AWS at colocation spaces.

AWS Local Zones are a type of AWS infrastructure deployment managed and supported by AWS that places AWS compute, storage, database and other select services closer to large population, industry, IT centers or customers where no AWS Region currently exists today. With AWS Local Zones, customers can easily run latency-sensitive portions of applications local to end-users and resources in a specific geography, delivering single-digit millisecond latency for specific use cases. Dedicated Local Zones are deployed on-premises, delivered in accordance with a customer specific contract, and dedicated to that customer, and must meet AWS established physical security requirements.

AWS offers Wavelength infrastructure in partnership with Telco providers, which is optimized for mobile edge computing applications. Wavelength Zones are AWS infrastructure deployments that embed AWS compute and storage services within communications service providers’ (CSP or telecom providers) data centers at the edge of the 5G network, so application traffic from 5G devices can reach application servers running in Wavelength Zones without leaving the telecommunications network. This avoids the latency that would result from application traffic having to traverse multiple hops across the Internet to reach their destination, enabling customers to take full advantage of the latency and bandwidth benefits offered by modern 5G networks.

Contracts with third-party colocation providers include provisions to support the protection of AWS assets, communication of incidents or events that impact Amazon assets and/or customers to AWS (Control AWSCA-5.11). In addition, AWS provides monitoring of adherence with security and operational standards by performing periodic reviews of colocation service providers (Control AWSCA-5.12). The frequency of colocation reviews is based on a tiering that is dependent on the contracts and level of engagement with the colocation service provider.

AWS spaces within colocation facilities are installed with AWS-operated closed circuit television (CCTV) cameras, intrusion detection systems, and access control devices that alert AWS personnel of access and incidents. Physical access to AWS spaces within colocation facilities is controlled by AWS and follows standard AWS access management processes.

Redundancy
Data centers are designed to anticipate and tolerate failure while maintaining service levels. Each AWS Region is comprised of multiple data centers. All data centers are online and serving traffic; no data center is “cold.” In case of failure, automated processes move traffic away from the affected area. Core applications are deployed to an N+1 standard, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.

Fire Detection and Suppression

Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilizes smoke detection sensors in Amazon-owned data center environments (e.g., multi-point aspirating smoke detection (MASD), point source detection), mechanical and electrical infrastructure spaces, chiller rooms, and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems (Control AWSCA-5.7).

Power
The data center electrical power systems supporting AWS are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in Amazon-owned data centers and third-party colocation sites where Amazon maintains the UPS units. Amazon-owned data centers use generators to provide back-up power for the facility (Control AWSCA-5.9 and AWSCA-5.10).

Climate and Temperature

Climate control is required to maintain a controlled operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Amazon-owned data centers are conditioned to maintain atmospheric conditions at specified levels. Personnel and systems monitor and control temperature and humidity at appropriate levels. This is provided at N+1 and also utilizes free cooling as primary source of cooling when and where it is available based on local environmental conditions (Control AWSCA-5.8).

Environment Management
In Amazon-owned data centers, AWS monitors electrical, mechanical, and life support systems and equipment so that any issues are immediately identified. This is carried out via daily rounds and readings, in tandem with an overview of our data centers provided via AWS’ Building Management System (BMS) and Electrical Monitoring System (EMS). Preventative maintenance is performed to maintain the continued operability of equipment utilizing the Enterprise Asset Management (EAM) tool and trouble ticketing and change management system. The primary objective of this program is to provide a holistic insight into Mechanical, Electrical, Plumbing (MEP) Assets owned by AWS infrastructure teams. This includes providing a centralized repository for equipment, optimizing planned and unplanned maintenance and managing data center critical spare parts.
Management of Media

When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent unauthorized access to assets. AWS uses techniques detailed in NIST 800-88 (“Guidelines for Media Sanitization”) as part of the decommissioning process. All production media is securely decommissioned in accordance with industry-standard practices (Control AWSCA-5.13). Production media is not removed from AWS control until it has been securely decommissioned.

D.7 Change Management

Software
AWS applies a systematic approach to managing changes so that changes to customer impacting services are reviewed, tested, approved, and well communicated (Control Objective 6: Change Management). Change management processes are based on Amazon change management guidelines and tailored to the specifics of each AWS service (Control AWSCA-6.1). These processes are documented and communicated to the necessary personnel by service team management.

The goal of AWS’ change management process is to prevent unintended service disruptions and maintain the integrity of service to the customer. Change details are documented in one of Amazon’s change management or deployment tools (Control AWSCA-6.2).

Prior to deployment to production environments, changes are:

• Developed: in a development environment that is segregated from the production environment (Control AWSCA-6.4). Customer content is not used in test and development environments.
• Reviewed: by peers for technical aspects and appropriateness (Control AWSCA-6.5).
• Tested: to confirm the changes will behave as expected when applied and not adversely impact performance (Control AWSCA-6.3).
• Approved: by authorized team members to provide appropriate oversight and understanding of business impact (Control AWSCA-6.5).

Changes are typically pushed into production in a phased deployment starting with lowest impact sites. Deployments are closely monitored so impact can be evaluated. Service owners have a number of configurable metrics that measure the health of the service’s upstream dependencies. These metrics are closely monitored with thresholds and alarming in place (e.g., latency, availability, fatal errors, CPU utilization, etc.). Customer information, including personal information, and customer content are not used in test and development environments (Control AWSCA-6.7). Rollback procedures are documented so that team members can revert back to the previous state if needed.

When possible, changes are scheduled during regular change windows. Emergency changes to production systems that require deviations from standard change management procedures are associated with an incident and are logged and approved as appropriate.

AWS performs deployment validations and change reviews to detect unauthorized changes to its environment and tracks identified issues to resolution. AWS management reviews and tracks deployment violations for services enrolled in the Deployment Monitoring program as part of the AWS Security business review. For those services not enrolled in the Deployment Monitoring program, a secondary monthly review of deployments is conducted within 60 days of the month in which they were made. If any unauthorized changes are detected, or changes deviate from the standard review and approval process, they are tracked to resolution (Control AWSCA-6.6).

Infrastructure
AWS internally developed configuration management software is installed when new hardware is provisioned. These tools are run on all UNIX hosts to validate that they are configured and software is installed in a standard manner based on host classes and updated regularly.

Only approved users with verified business needs who are authorized through a permissions service may log in to the central configuration management servers. Host configuration settings are monitored to validate compliance with AWS security standards and automatically pushed to the host fleet (Control AWSCA-9.4).

Emergency, non-routine and other configuration changes to existing AWS infrastructure are authorized, logged, tested, approved and documented in accordance with industry norms for similar systems. Updates to AWS infrastructure are performed in such a manner to minimize impact to the customer and their service use. AWS communicates with customers, either via email, or through the AWS Health Dashboard (https://status.aws.amazon.com/) when service use may be adversely affected.

D.8 Data Integrity, Availability, Redundancy and Data Retention

AWS seeks to maintain data integrity through all phases including transmission, storage, and processing. Amazon S3 utilizes checksums internally to confirm the continued integrity of data in transit within the system and at rest. Amazon S3 provides a facility for customers to send checksums along with data transmitted to the service. The service validates the checksum upon receipt of the data to determine that no corruption occurred in transit. Regardless of whether a checksum is sent with an object to Amazon S3, the service utilizes checksums internally to confirm the continued integrity of data in transit within the system and at rest. When disk corruption or device failure is detected, the system automatically attempts to restore normal levels of object storage redundancy (Control AWSCA-7.1, AWSCA-7.2, and AWSCA-7.3).

AWS services and systems hosting customer content are designed to retain customer content until the customer removes it or the customer agreement ends (Control AWSCA-7.8). Once the contractual obligation to retain content ends, or upon a customer-initiated action to remove or delete content, AWS services have processes and procedures to detect a deletion and make the content inaccessible. AWS utilizes S3, EC2, EBS, DynamoDB, KMS, and CloudHSM as the primary services for customer content storage, which individually or in combination are also utilized by many of the other AWS services listed in the System Overview for storage of customer content. Glacier, RDS Aurora, SimpleDB, SQS, Cloud Directory, Pinpoint, Secrets Manager, Elastic File System, and CloudFront utilize local storage to store customer content but are not utilized for content storage functionalities by other services, similar to the primary AWS content storage services. When customers request data to be deleted, automated processes are initiated to remove the data and render the content unreadable (Control AWSCA-7.7).

Data Backup
AWS core storage services have the capability to be redundantly stored in multiple physical locations as part of normal operations. Customers should enable backups of their data across AWS services.

Amazon S3 is designed to provide 99.999999999% durability and 99.99% availability of objects over a given year. Objects are redundantly stored on multiple devices across multiple facilities in an Amazon S3 region. To help provide durability, Amazon S3 PUT and COPY operations synchronously store customer content across multiple facilities before returning SUCCESS. Once stored, Amazon S3 helps maintain the durability of the objects by detecting and repairing lost redundancy. Amazon S3 also regularly verifies the integrity of data stored using checksums. If corruption is detected, it is repaired using redundant data. In addition, Amazon S3 calculates checksums on all network traffic to detect corruption of data packets when storing or retrieving data (Control AWSCA-7.3, AWSCA-7.4, and AWSCA-7.5).

Amazon EBS replication is stored within the same AZ, not across multiple zones, but customers have the ability to conduct regular snapshots to Amazon Simple Storage Service (S3) in order to provide long-term data durability. For customers who have architected complex transactional databases using Amazon EBS, backups to Amazon S3 can be performed through the database management system so that distributed transactions and logs can be checkpointed. AWS does not perform backups of data that are maintained on virtual disks attached to running instances on Amazon EC2.

Amazon RDS provides two different methods for backing up and restoring customer DB Instance(s): automated backups and database snapshots (DB Snapshots). Turned on by default, the automated backup feature of Amazon RDS enables point-in-time recovery for a DB Instance. Amazon RDS will back up databases and transaction logs and store both for a user-specified retention period. This allows for restoration of a DB Instance to any second during the defined retention period, up to the last five minutes. The automatic backup retention period can be configured to up to 35 days. During the backup window, storage input/output (I/O) may be suspended for a few seconds, while data is being backed up. This I/O suspension is avoided with Multi-AZ DB deployments, since the backup is taken from the standby. DB Snapshots are user-initiated backups of DB Instances. These full database backups will be stored by Amazon RDS until customers explicitly delete them. Customers can create a new DB Instance from a DB Snapshot whenever they desire (Control AWSCA-7.6).

E. Monitoring

E.1 Monitoring Activities

AWS utilizes a wide variety of automated monitoring systems to provide a high level of service performance and availability. AWS defines a Security Incident as a security-related adverse event in which there was a loss of data confidentiality, disruption of data or systems integrity, or disruption or denial of availability. AWS monitoring tools are implemented to detect unusual or unauthorized activities and conditions at ingress and egress communication points. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts (Control Objective 8: Incident Handling).

Systems within AWS are further designed to monitor key operational metrics and alarms are configured to automatically notify operations and management personnel when early warning thresholds are crossed. An on-call schedule is used such that personnel are always available to respond to operational issues. This includes a pager system, so that notifications are quickly and reliably communicated to operations personnel (Control AWSCA-8.1).

Documentation is maintained to aid and inform operations personnel in handling incidents or issues. A ticketing system is used which supports communication, progress updates, necessary collaboration between teams, and logging capabilities. Trained call leaders facilitate communication and progress during the handling of operational issues that require collaboration. After action reviews are convened following any significant operational issue, regardless of external impact, and Correction of Errors (COE) documents are composed such that the root cause is captured and preventative actions may be taken for the future. Implementation of the preventative measures identified in COEs is tracked during weekly operations meetings.

The AWS Security Operations team employs industry-standard diagnosis procedures (such as incident identification, registration and verification, initial incident classification and prioritizing actions) to drive resolution during business-impacting events. Staff operators in the US, EMEA, and APAC provide 24 x 7 continuous coverage to detect incidents and to manage the impact and resolution (Control AWSCA-8.2).

AWS monitors resourcing and staffing through an annual assessment of employee qualification alignment with entity objectives. As part of this process, management and employees formally evaluate, discuss, and recognize performance over the last year and set goals and priorities for the next year. Management further reviews operational plans and goals for the coming period to assess alignment of resources and employee skill sets.

E.2 Incident Notification

AWS has documented an incident response policy and plan which outlines an organized approach for responding to security breaches and incidents. The AWS Security team is responsible for monitoring systems, tracking issues, and documenting findings of security-related events. Records are maintained for security breaches and incidents, which include status information, information required for supporting forensic activities, trend analysis, and evaluation of incident details.

As part of the process, potential breaches of customer content are investigated and escalated to AWS Security and AWS Legal. Affected customers and regulators are notified of breaches and incidents where legally required. Customers can subscribe to the AWS Security Bulletins page, which provides information regarding identified security issues.

Control Objectives and Related Controls

AWS’ control objectives and related controls are included in Section IV of this report, “Description of Control Objectives, Controls, Tests, and Results of Tests,” to eliminate the redundancy that would result from listing them in this section and repeating them in Section IV. Although the control objectives and related controls are included in Section IV, they are nevertheless an integral part of AWS’ description of controls.

Complementary User Entity Controls

AWS services were designed with the assumption that certain policies, procedures, and controls are implemented by its user entities (or customers). In certain situations, the application of specific policies, procedures, and controls by the customer is necessary to achieve certain control objectives included in this report. This section describes the additional policies, procedures, and controls customers may need to implement in order to satisfy the control objectives for customers’ specific use cases.

Security Organization

• Customers should maintain formal policies that provide guidance for information security within the organization and the supporting IT environment.
• Customers should assess the objectives for their AWS cloud services network when designing IT components by identifying the risk and corresponding controls to be implemented to address those risks when using AWS services, software and implementing AWS operational controls.

Logical Security

• Customers should use asymmetric key-pairs or multi-factor authentication to access their hosts and avoid simple password-based authentication.
• EC2 Classic-Specific – Customers using the EC2 Classic service should augment the AWS instance firewalls with a host-based firewall for redundancy and egress filtering.
• Customers should implement access controls, such as Security-Groups, IAM roles and/or Access control lists (ACLs), to segment and isolate like-functioning instances.
• Customers should transmit secret keys over secure channels. Customers should avoid embedding secret keys in web pages or other publicly accessible source code. Customers should encrypt sensitive data at rest as well as in transit over the network.
• VPC-Specific – Customers are responsible for their network security requirements and connecting their Amazon Virtual Private Cloud to an appropriate point of their internal network.
• S3-Specific – Customers should utilize managed rules and ACLs to secure their S3 buckets by controlling access to the S3 buckets and preventing them being accessible to the public.
• AppStream 2.0-Specific – Customers are responsible for managing user access to streaming instances and should maintain controls for approving and granting access, timely removing access when an employee leaves the organization or changes job responsibilities, and periodically reviewing appropriate access levels for existing users.
Secure Data Handling

• Customers should use encrypted (TLS/SSL) connections for all of their interactions with AWS. Leading practices include the use of TLS 1.2. Customers should opt in for annual key rotation for any KMS key they would like rotated.
• Customers should utilize multi-factor authentication for controlling access to their root account credentials and should avoid using root account credentials beyond initial account configuration of AWS Identity and Access Management (IAM), except for Services for which IAM is not available. Customers should delete access key(s) for the root account when not in use.
• Customers should appropriately configure and manage usage and implementation of available encryption options to meet their requirements.
• Outpost-Specific – Customers should restrict and monitor physical access to data centers and facilities hosting Outpost devices to personnel based on job responsibilities.
• Outpost-Specific – Customers are responsible for verifying their site meets the Outpost requirements for facility, networking, and power as published on https://docs.aws.amazon.com/outposts/latest/userguide/outposts-requirements.html.
• Outpost-Specific – Customers are responsible for removal of the Nitro Security Key (NSK) to ensure customer content is crypto shredded from the Outpost before returning it to AWS.

Change Management

• Customers are responsible for maintaining the application of patches to customer’s Amazon instances. Customers can leverage automated patching tools such as AWS Systems Manager Patch Manager to help deploy operating systems and software patches automatically across large groups of instances.
• Customers should set up separate development and production accounts to isolate the production system from development work.
• App Mesh-Specific - Customers utilizing their own Envoy image should follow a documented change management process to ensure updated configurations are documented, tested and approved prior to deployment to customer production instances.

Data Integrity, Availability, and Redundancy

• Customers should utilize Amazon S3’s option to specify an MD5 checksum as part of a REST PUT operation for the data being sent to Amazon S3. When the request arrives at Amazon S3, an MD5 checksum will be recalculated for the object data received and compared to the provided MD5 checksum. If there is a mismatch, the PUT will be failed, preventing data that was corrupted on the wire from being written into Amazon S3. Customers should use the MD5 checksums returned in response to REST GET requests to confirm that the data returned by the GET was not corrupted in transit.
• Any code customers write to call Amazon APIs should expect to receive and handle errors from the service. Specific guidance for each service can be found within the User Guide and API documentation for each service.
• EBS-Specific – Amazon EBS replication is stored within the same AZ, not across multiple zones, and therefore customers should conduct regular snapshots to Amazon S3 in order to provide long-term data durability.
• EC2/VPC-Specific – Data stored on Amazon EC2 virtual disks should be proactively copied to another storage option for redundancy.
• Customers should ensure their AWS resources such as server and database instances have the appropriate levels of redundancy and isolation. Redundancy can be achieved through utilization of the Multi-Region and Multi-AZ deployment option where available.
• Customers should enable backups of their data across AWS services.
• Customers should enable and configure service-specific logging features where available for all services and implement appropriate monitoring and incident response processes. Customers should ensure appropriate logging for events such as administrator activity, system errors, authentication checks, data deletions etc. is in place to support monitoring and incident response processes.
• Snowball/Snowmobile/Snowball Edge-Specific – Customers should not delete any local copies of their data until they have verified that it has been copied into AWS.
• Snowball Edge/Snowmobile-Specific – All data is encrypted before persisting. With Snowball Edge and Snowmobile, there are short periods where customer content is in plain text prior to encryption and persistence. If a customer is concerned about this short period, they should encrypt their data before sending it to the device.
• EC2-Specific – Customers are responsible for configuring the Time Sync functionality and monitoring the synchronization for accuracy across their EC2 instances, as published by AWS in user guide documentation - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html#configure-amazon-time-service-amazon-linux.
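The two checks in the first bullet above (the same MD5 mechanism mentioned in D.5), as an added Python example rather than anything from the report or the AWS SDK: the client computes the Content-MD5 header for a REST PUT, a stand-in service recomputes it on receipt and fails the PUT on mismatch, and on GET the client compares the MD5 of the bytes it actually received with the returned ETag. The FakeS3 class, key names and sample payload are constructed; the ETag-equals-MD5 property is assumed, as it holds only for objects stored in a single PUT without SSE-KMS.

```python
"""Client and service sides of the S3 Content-MD5 check described above.
Added example, not AWS or SDK code: a tiny in-memory stand-in for the
service shows the checks. Header and ETag formats follow the S3 REST
conventions (Content-MD5 is base64 of the raw digest; the ETag is the
quoted hex digest, assumed here to be the object's MD5, which holds for
single-PUT objects without SSE-KMS)."""
import base64
import hashlib
from typing import Dict, Optional, Tuple


def content_md5(body: bytes) -> str:
    """Value for the Content-MD5 request header on a REST PUT."""
    return base64.b64encode(hashlib.md5(body).digest()).decode("ascii")


def etag_for(body: bytes) -> str:
    """Quoted hex MD5, the ETag form returned for a single-part object."""
    return '"' + hashlib.md5(body).hexdigest() + '"'


class FakeS3:
    """Stand-in service: recomputes MD5 on receipt and refuses a mismatched PUT."""

    def __init__(self) -> None:
        self.objects: Dict[str, bytes] = {}

    def put(self, key: str, body_on_wire: bytes, headers: Dict[str, str]) -> Tuple[int, str]:
        """Returns (HTTP status, ETag on success or error code on failure)."""
        expected = headers.get("Content-MD5")
        if expected is not None and content_md5(body_on_wire) != expected:
            # corrupted (or altered) bytes never become an object;
            # BadDigest mirrors the S3 error code for this case
            return 400, "BadDigest"
        self.objects[key] = body_on_wire
        return 200, etag_for(body_on_wire)

    def get(self, key: str) -> Tuple[int, Optional[bytes], Optional[str]]:
        body = self.objects.get(key)
        if body is None:
            return 404, None, None
        return 200, body, etag_for(body)


def flip_bit(data: bytes, index: int) -> bytes:
    """Constructed transit corruption: flip one bit of one byte."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


def upload(svc: FakeS3, key: str, body: bytes, corrupt: bool = False) -> Tuple[int, str]:
    """Client side of the PUT: header from the original bytes, body possibly damaged in transit."""
    headers = {"Content-MD5": content_md5(body)}
    wire = flip_bit(body, 0) if corrupt else body
    return svc.put(key, wire, headers)


def download_verified(svc: FakeS3, key: str, corrupt: bool = False) -> Optional[bytes]:
    """Client side of the GET: compare the ETag with the MD5 of what actually arrived."""
    status, body, etag = svc.get(key)
    if status != 200 or body is None:
        return None
    wire = flip_bit(body, 0) if corrupt else body
    if etag_for(wire) != etag:
        return None  # caller should retry rather than use the data
    return wire


def demo() -> dict:
    """Good and corrupted PUT, good and corrupted GET, against one store."""
    svc = FakeS3()
    payload = b"constructed sample object contents\n"
    return {
        "put_ok": upload(svc, "reports/q1.csv", payload),
        "put_corrupted": upload(svc, "reports/q1-bad.csv", payload, corrupt=True),
        "get_ok": download_verified(svc, "reports/q1.csv"),
        "get_corrupted": download_verified(svc, "reports/q1.csv", corrupt=True),
        "stored_keys": sorted(svc.objects),
    }
```

With the real SDK the same header is supplied through the ContentMD5 parameter of the boto3 S3 client's put_object call, and the ETag arrives in the get_object response.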

Incident Handling

• Customers may subscribe to Premium Support offerings that include direct communication with the customer support team and proactive alerting to any issues that may impact the customer.

The list of control considerations presented above does not represent all the controls that should be employed by the customer. Other controls may be required. Customers should reference additional AWS service documentation on the AWS website.

SECTION IV – Description of Control Objectives, Controls, Tests, and Results of Tests

Testing Performed and Results of Entity-Level Controls

A7
In planning the nature, timing and extent of testing of the controls, EY considered the aspects of AWS’
control environment and tested those controls that were considered necessary.

In addition to the tests of operating effectiveness of specific controls described below, procedures

7
included tests of the following components of the internal control environment of AWS:

g1
• Management controls and organizational structure
• Risk assessment process

Rw
• Information and communication
• Control activities

ab
• Monitoring

Tests of the control environment included the following procedures, to the extent EY considered

gv
necessary: (a) a review of AWS’ organizational structure, including the segregation of functional
responsibilities, policy statements, processing manuals and personnel controls, (b) discussions with
management, operations, administrative and other personnel who are responsible for developing,
e9
ensuring adherence to and applying controls, and (c) observations of personnel in the performance of
their assigned duties.
m

The control environment was considered in determining the nature, timing and extent of the testing of
controls and controls relevant to the achievement of the control objectives.
kc

Procedures for Assessing Completeness and Accuracy of Information Provided by the Entity (IPE)
I6

For tests of controls requiring the use of IPE (e.g., controls requiring system-generated populations for
sample-based testing), EY performed a combination of the following procedures where possible based on
EK

the nature of the IPE to address the completeness, accuracy, and data integrity of the data or reports
used: (1) inspect the source of the IPE, (2) inspect the query, script, or parameters used to generate the
IPE, (3) tie data between the IPE and the source, and/or (4) inspect the IPE for anomalous gaps in sequence
zz

or timing to determine the data is complete, accurate, and maintains its integrity. In addition to the above
procedures, for tests of controls requiring management’s use of IPE in the execution of the controls (e.g.,
periodic reviews of user access listings), EY inspected management’s procedures to assess the validity of
n-

the IPE source and the completeness, accuracy, and integrity of the data or reports.
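As an added illustration (not part of the report, and not EY's or AWS's tooling), the following script applies procedures (3) and (4) above to a system-generated listing: it ties the identifiers in the IPE to a source extract and looks for gaps in identifier sequence or in timing. The "id,timestamp" row format, integer identifiers and the 24-hour silence threshold are assumptions.

```python
"""Added example: completeness checks on a system-generated population (IPE).

The listing format ("id,timestamp" rows), integer identifiers and the silence
threshold are assumptions for the illustration; all records are constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

Row = Tuple[int, datetime]


def parse_listing(lines: Iterable[str]) -> List[Row]:
    """Parse 'id,timestamp' rows, skipping blanks and '#' comments; sorted by id."""
    rows: List[Row] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ident, ts = line.split(",", 1)
        rows.append((int(ident), datetime.fromisoformat(ts.strip())))
    return sorted(rows)


def find_sequence_gaps(rows: List[Row]) -> List[Tuple[int, int]]:
    """Procedure (4), sequence: inclusive ranges of identifiers absent between neighbours."""
    return [(a + 1, b - 1) for (a, _), (b, _) in zip(rows, rows[1:]) if b - a > 1]


def find_timing_gaps(rows: List[Row], max_silence: timedelta) -> List[Tuple[datetime, datetime]]:
    """Procedure (4), timing: neighbouring records further apart than max_silence."""
    by_time = sorted(t for _, t in rows)
    return [(t1, t2) for t1, t2 in zip(by_time, by_time[1:]) if t2 - t1 > max_silence]


def tie_to_source(rows: List[Row], source_ids: Iterable[int]) -> Dict[str, List[int]]:
    """Procedure (3): identifiers in the source but not in the IPE, and vice versa."""
    ipe_ids = {i for i, _ in rows}
    src = set(source_ids)
    return {"missing_from_ipe": sorted(src - ipe_ids), "not_in_source": sorted(ipe_ids - src)}


def assess(lines: Iterable[str], source_ids: Iterable[int],
           max_silence: timedelta = timedelta(hours=24)) -> Dict[str, object]:
    """Run all checks; empty gap lists and an empty tie-out mean no anomaly was found."""
    rows = parse_listing(lines)
    return {
        "count": len(rows),
        "sequence_gaps": find_sequence_gaps(rows),
        "timing_gaps": find_timing_gaps(rows, max_silence),
        "tie_out": tie_to_source(rows, source_ids),
    }


# Constructed sample export: ids 1004 and 1005 are absent and there is a silence
# of more than two days between 1003 and 1006.
SAMPLE_LISTING = """\
# ticket_id,created_at
1001,2024-01-08T09:00:00
1002,2024-01-08T11:30:00
1003,2024-01-08T16:45:00
1006,2024-01-11T08:10:00
1007,2024-01-11T09:00:00
""".splitlines()

# Constructed source extract: the source system still holds 1004 and 1005.
SAMPLE_SOURCE_IDS = [1001, 1002, 1003, 1004, 1005, 1006, 1007]

if __name__ == "__main__":
    for key, value in assess(SAMPLE_LISTING, SAMPLE_SOURCE_IDS).items():
        print(f"{key}: {value}")
```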
Control Objectives and Related Controls

On the pages that follow, the description of control objectives and the controls to achieve the objectives have been specified by, and are the responsibility of, AWS. The “Tests Performed by EY” and the “Results of Tests” are the responsibility of the service auditor.

Note: A comparison of AWS controls that have been revised during the examination period is provided in Section V of this report, “Other Information Provided By Amazon Web Services” for informational purposes.
Information System Control Environment

The following controls apply to the services listed in the System Description and their supporting data centers, except where controls are unique to one of the services – in those cases, the controls are indicated as “S3-Specific,” “EC2-Specific,” “VPC-Specific,” “KMS-Specific,” “RDS-Specific,” “Outposts-Specific,” or otherwise noted as being specific to a certain service or set of services.

Control Objective 1: Security Organization

Controls provide reasonable assurance that information security policies have been implemented and communicated throughout the organization.

Controls Specified by AWS | Tests Performed by EY | Results of Tests

AWSCA-1.1: The AWS organization has defined structures, reporting lines with assigned authority and responsibilities to appropriately meet requirements relevant to security, availability, confidentiality, and privacy.
• Inquired of an AWS Security Assurance Program Manager to ascertain the AWS organization has defined structures, reporting lines with assigned authority, and responsibilities to appropriately meet business requirements, including an information security function. Result: No deviations noted.
• Inspected the organizational chart and information security governance procedures document to ascertain the AWS organization has defined structures, reporting lines with assigned authority, and responsibilities to appropriately meet security, availability, confidentiality, and privacy requirements, including an information security function. Result: No deviations noted.
• Inspected the Integrated Information Security Management System policy to ascertain the full document was approved within the last year by Security Leadership and that minor changes were approved by appropriate members of the Security team. Result: No deviations noted.
AWSCA-1.2: AWS maintains formal policies that provide guidance for information security within the organization and the supporting IT environment.
• Inquired of an AWS Security Assurance Program Manager to ascertain formal security policies exist, including designation of responsibility and accountability for managing the system and controls, and providing guidance for information security within the organization and the supporting IT environment. Result: No deviations noted.
• Inspected the information security policies listed in the System Description to ascertain they included organization-wide security procedures as guidance for the AWS environment and the supporting IT environment. Result: No deviations noted.

AWSCA-1.3: Security policies are reviewed and approved on an annual basis by Security Leadership.
• Inquired of an AWS Security Assurance Program Manager to ascertain the security policies were reviewed and approved at least annually by Security Leadership. Result: No deviations noted.
• Inspected the security policies listed in the System Description to ascertain they were approved at least annually by Security Leadership. Result: No deviations noted.

AWSCA-1.4: AWS maintains employee training programs to promote awareness of AWS information security requirements as defined in the AWS Security Awareness Training Policy.
• Inquired of a Security Program Manager to ascertain employee training programs were established to promote awareness of AWS information security requirements. Result: No deviations noted.
• For a sample of AWS employees selected from the HR active employees and contractors listing, inspected the training transcript to ascertain the employees completed the Amazon Security Awareness (ASA) training course within 60 days of role assignment and that the training course included information security requirements as defined in the AWS Security Awareness Training Policy. Result: No deviations noted.

AWSCA-1.5: AWS maintains a formal risk management program to identify, analyze, treat and continuously monitor and report risks that affect AWS’ business objectives and regulatory requirements. The program identifies risks, documents them in a risk register as appropriate, and reports results to leadership at least semi-annually.
• Inquired of an AWS Senior Risk Manager to ascertain a formal risk management program was maintained to continually discover, research, plan, resolve, monitor, and optimize information security risks, including an evaluation of the design and operating effectiveness of implemented controls. Result: No deviations noted.
• Inspected the risk management documentation to ascertain the AWS Business Risk Management Program policy was designed to include the continuous discovery, research, planning, resolution, monitoring, and optimization of information security risks as well as detailed risk treatment options such as acceptance, avoidance, mitigation, and transfer. Result: No deviations noted.
• For a sample of risks selected from the risk register, inspected relevant documentation to ascertain the risk was identified, researched, planned, resolved, and monitored by management. Result: No deviations noted.

AWSCA-1.6: KMS-Specific – Roles and responsibilities for KMS cryptographic custodians are formally documented and agreed to by those individuals when they assume the role or when responsibilities change.
• Inquired of a Cryptography Software Development Manager to ascertain roles and responsibilities for KMS cryptographic custodians were formally documented and acknowledged by those individuals when assumed or when responsibilities change. Result: No deviations noted.
• For a sample of individuals selected from the KMS cryptographic custodians group with access to systems that store or use key material, inspected the roles and responsibilities documents to ascertain user responsibilities were formally documented and that the individuals signed the document. Result: No deviations noted.

AWSCA-1.9: AWS prepares and consolidates the operational planning document annually. The operational plan includes operational and performance objectives, regulatory and compliance requirements with sufficient clarity to enable the identification and assessment of risks relating to objectives.
• Inquired of the Financial Planning and Analysis Senior Manager to ascertain AWS prepared and consolidated the operational planning document annually including operational and performance objectives as well as regulatory and compliance requirements with sufficient clarity to enable the identification and assessment of risks relating to objectives. Result: No deviations noted.
• Inspected the deliverable tracker and meeting invites related to the creation of the operational planning document to ascertain it included operational and performance objectives as well as regulatory and compliance requirements that identified and assessed risks relating to those objectives. Result: No deviations noted.

AWSCA-1.10: AWS has a process in place to review environmental and geo-political risks before launching a new region.
• Inquired of the Risk and Resiliency Senior Manager to ascertain environmental and geo-political risks were reviewed before launching new data center regions. Result: No deviations noted.
• For all new in-scope data center regions selected from the data center inventory system, inspected review documentation to ascertain a review of environmental and geopolitical risks was performed before the new data center region was launched. Result: No deviations noted.
Control Objective 2: Employee User Access

Controls provide reasonable assurance that procedures have been established so that Amazon employee user accounts are added, modified and deleted in a timely manner and reviewed on a periodic basis.

AWSCA-2.1: User access to the internal Amazon network is not provisioned unless an active record is created in the HR System by Human Resources. Access is automatically provisioned with least privilege per job function. First time passwords are set to a unique value and changed immediately after first use.
• Inquired of a Corporate Systems Manager to ascertain user access to the internal Amazon network was not activated unless an active record was created in the HR System by Human Resources, that access was automatically provisioned with least privilege per job function, and that first-time passwords were set to a unique value and changed immediately after first use. Result: No deviations noted.
• Inspected the system configurations responsible for provisioning access to the internal Amazon network to ascertain access to Windows and UNIX user accounts could not be provisioned unless an active record was created in the HR System by Human Resources, that access was provisioned automatically with least privilege per job function prior to employee start dates, and that first time passwords were configured to create a unique value and were required to be changed immediately after first use. Result: No deviations noted.
• For one corporate new hire and one associate new hire selected from an HR system generated listing of new hires, inspected the employee’s HR System record to ascertain the HR system activated the employee’s record prior to the creation of an employee’s Windows and UNIX accounts and that the first time passwords are changed immediately after the employee's first use of the account. Result: No deviations noted.
AWSCA-2.2: IT access above least privileged, including administrator accounts, is approved by appropriate personnel prior to access provisioning.
• Inquired of Software Development Managers to ascertain IT access above least privileged, including administrator accounts, was approved by appropriate personnel prior to access provisioning. Result: No deviations noted.
• Inspected the system configurations responsible for the access provisioning process to ascertain IT access above least privileged, including administrator accounts, was required to be approved by appropriate personnel prior to automatic access provisioning. Result: No deviations noted.
• For one active employee, inspected the process of access provisioning to ascertain approval of the access was provided by appropriate personnel prior to the automatic provisioning of the access. Result: No deviations noted.

AWSCA-2.3: IT access privileges are reviewed on a periodic basis by appropriate personnel.
• Inquired of Software Development Managers to ascertain access to systems supporting the infrastructure and network above least privilege was reviewed and approved on a quarterly basis by appropriate personnel. Result: No deviations noted.
• Inquired of Software Development Managers to ascertain access to internal AWS accounts above least privilege was reviewed and approved on a semi-annual basis by appropriate personnel. Result: No deviations noted.
• Inspected the system configurations responsible for the access review process to ascertain IT infrastructure and network access privileges were reviewed on a quarterly basis by appropriate personnel or access was automatically removed. Result: No deviations noted.
• Inspected the system configurations responsible for the temporary access revocation process to ascertain when the temporary privileges to resources expired, access to the resources was automatically removed. Result: No deviations noted.
• Inspected the system configurations responsible for the internal transfer revocation process to ascertain when users transferred internally, access to the previous resources was automatically removed. Result: No deviations noted.
• Selected an active access group of IT infrastructure and network access privileges marked for removal as part of the user access review process and inspected the access log to ascertain access was automatically revoked. Result: No deviations noted.
• Observed a Software Development Manager mark an active internal AWS account for removal as part of the user access review process and inspected the account after the review to ascertain access was automatically revoked. Result: No deviations noted.
• Selected a user with temporary access to the IT infrastructure and network access privileges to ascertain that when the temporary privileges to the resource expired, access was automatically revoked. Result: No deviations noted.
• Selected an active access group of IT infrastructure and network access privileges that was not reviewed during the quarter and inspected the access log to ascertain access privileges were automatically revoked. Result: No deviations noted.
• Selected an active access group and inspected the access review process to ascertain IT infrastructure and network access privileges were reviewed quarterly by appropriate personnel. Result: No deviations noted.
• Selected a sample of AWS accounts from a system generated listing of active internal AWS accounts and inspected the access review process to ascertain internal AWS account access privileges were reviewed semi-annually by appropriate personnel. Result: No deviations noted.

AWSCA-2.4: User access to Amazon systems is revoked within 24 hours of the employee record being terminated (deactivated) in the HR System by Human Resources.
• Inquired of a Corporate Systems Manager to ascertain access to systems was automatically revoked within 24 hours of an employee record being terminated (deactivated) in the HR System. Result: No deviations noted.
• Inspected the system configurations responsible for terminating access to Amazon systems, to ascertain access to Windows and UNIX user accounts was configured to be automatically revoked within 24 hours after an employee’s record was terminated (deactivated) in the HR System by Human Resources. Result: No deviations noted.
• For one voluntarily terminated employee and one involuntarily terminated employee selected from an HR system generated listing of terminated employees, inspected each employee's HR system record, to ascertain access to the Amazon systems was automatically revoked within 24 hours on both Unix/LDAP and Windows/AD accounts. Result: No deviations noted.
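As an added example, not from the report or from AWS's own systems, this script reproduces the auditor's check for AWSCA-2.4 over constructed records: for each terminated employee it pairs the HR termination timestamp with the earliest disable event in each of the Unix/LDAP and Windows/AD directories and reports any revocation that is later than 24 hours or absent. The record layouts, the directory names and all sample data are assumptions.

```python
"""Added example (not from the report or AWS's own systems): the AWSCA-2.4 check.

For each terminated employee, pair the HR termination timestamp with the earliest
disable event in each directory and flag revocations later than 24 hours or absent.
Record layouts, directory names and all sample records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

REVOCATION_WINDOW = timedelta(hours=24)     # the window stated in AWSCA-2.4
DIRECTORIES = ("unix_ldap", "windows_ad")   # the two account types named in the test


@dataclass(frozen=True)
class Finding:
    employee_id: str
    directory: str
    terminated_at: datetime
    revoked_at: Optional[datetime]   # None: no disable event at or after termination
    lag: Optional[timedelta]

    @property
    def within_window(self) -> bool:
        return self.lag is not None and self.lag <= REVOCATION_WINDOW


def parse_ts(s: str) -> datetime:
    """ISO 8601 with explicit offset, normalised to UTC so lags compare correctly."""
    return datetime.fromisoformat(s).astimezone(timezone.utc)


def check_revocations(hr_terminations: Iterable[Dict[str, str]],
                      disable_events: Iterable[Dict[str, str]]) -> List[Finding]:
    """One Finding per (terminated employee, directory).

    Disable events before the termination timestamp are ignored: they cannot
    evidence a revocation triggered by the HR record being deactivated.
    """
    events: Dict[Tuple[str, str], List[datetime]] = {}
    for ev in disable_events:
        key = (ev["employee_id"], ev["directory"])
        events.setdefault(key, []).append(parse_ts(ev["disabled_at"]))

    findings: List[Finding] = []
    for rec in hr_terminations:
        term = parse_ts(rec["terminated_at"])
        for directory in DIRECTORIES:
            later = [t for t in events.get((rec["employee_id"], directory), []) if t >= term]
            revoked = min(later) if later else None
            lag = (revoked - term) if revoked is not None else None
            findings.append(Finding(rec["employee_id"], directory, term, revoked, lag))
    return findings


def exceptions(findings: Iterable[Finding]) -> List[Finding]:
    """Findings that would be reported as deviations: late or missing revocation."""
    return [f for f in findings if not f.within_window]


# Constructed sample population: one voluntary and one involuntary termination, as in
# the report's two-employee sample, plus a third employee with a late and a missing revocation.
SAMPLE_HR = [
    {"employee_id": "E1001", "terminated_at": "2024-03-01T17:00:00+00:00"},  # voluntary
    {"employee_id": "E1002", "terminated_at": "2024-03-02T09:30:00+00:00"},  # involuntary
    {"employee_id": "E1003", "terminated_at": "2024-03-03T08:00:00+00:00"},
]
SAMPLE_EVENTS = [
    {"employee_id": "E1001", "directory": "unix_ldap", "disabled_at": "2024-03-01T17:05:00+00:00"},
    {"employee_id": "E1001", "directory": "windows_ad", "disabled_at": "2024-03-02T01:00:00+00:00"},
    {"employee_id": "E1002", "directory": "unix_ldap", "disabled_at": "2024-03-02T09:31:00+00:00"},
    {"employee_id": "E1002", "directory": "windows_ad", "disabled_at": "2024-03-02T09:31:00+00:00"},
    # E1003: LDAP disabled 30 hours after termination; no AD event at all
    {"employee_id": "E1003", "directory": "unix_ldap", "disabled_at": "2024-03-04T14:00:00+00:00"},
]

if __name__ == "__main__":
    for f in exceptions(check_revocations(SAMPLE_HR, SAMPLE_EVENTS)):
        print(f"{f.employee_id} {f.directory}: revoked_at={f.revoked_at} lag={f.lag}")
```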
Control Objective 3: Logical Security

Controls provide reasonable assurance that policies and mechanisms are in place to appropriately restrict unauthorized internal and external access to data and customer data is appropriately segregated from other customers.

AWSCA-2.5: Password settings are managed in compliance with Amazon.com’s Password Policy.
• Inquired of a Corporate Systems Manager and Corporate Response Manager to ascertain password complexity, length, maximum age, history, lockout and credential monitoring was enforced per the Amazon.com Password Policy. Result: No deviations noted.
• Inspected the password configurations to ascertain they were configured to enforce the Amazon.com Password Policy, including:
  • Passwords must be at least eight (8) characters long
  • Passwords must contain a combination of letters, numbers, and special characters
  • Passwords must not contain the user’s real name or username
  • Passwords must not be modifications or increments of a recently used password for the account
  • Accounts are set to lockout after 6 invalid attempts
  Result: No deviations noted.
• Observed that the following password configurations were enforced according to the Amazon.com Password Policy after attempting to set a combination of out-of-policy passwords using the password tool within the production environment:
  • Passwords must be at least eight characters long
  • Passwords must contain a combination of letters, numbers, and special characters
  • Passwords must not contain the user’s real name or username
  • Passwords must not be the same as or similar to a recently used password
  • Passwords must not contain 'Amazon' or any other business name
  Result: No deviations noted.
• Inspected the credential compromise monitoring configuration to ascertain that tickets for incidents were created automatically and logged within a ticketing system per the Amazon.com Password Policy. Result: No deviations noted.
• Inspected an incident ticket created for impacted user credentials to ascertain credentials of flagged Amazon accounts were identified, tracked and rotated in a timely manner. Result: No deviations noted.
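As an added example, not code from the report or from Amazon, the following validator encodes the password rules listed above for AWSCA-2.5 together with the six-attempt lockout. How "modifications or increments of a recently used password" is detected (a shared stem after stripping trailing digits and punctuation, or an edit distance of at most 2) and the list of business names are assumptions, since the report states the rules and not their implementation.

```python
"""Added example (not from the report or Amazon's own tooling): a validator for the
AWSCA-2.5 password rules listed above, plus the six-attempt lockout counter.

The similarity test for "modifications or increments of a recently used password"
and the business-name list are assumptions; the report states the rules only.
"""
import re
from typing import Dict, Iterable, List, Set

MIN_LENGTH = 8                       # "at least eight (8) characters long"
LOCKOUT_THRESHOLD = 6                # "lockout after 6 invalid attempts"
BUSINESS_NAMES = ("amazon", "aws")   # "'Amazon' or any other business name" (list assumed)
MAX_EDIT_DISTANCE = 2                # assumed threshold for "similar to"


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character modifications."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _stem(pw: str) -> str:
    """Strip trailing digits/punctuation so 'Summer2023!' and 'Summer2024!' share a stem."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def is_similar(candidate: str, previous: str) -> bool:
    """True if candidate is the same as, an increment of, or a small edit of previous."""
    c, p = candidate.lower(), previous.lower()
    if c == p:
        return True
    if _stem(c) and _stem(c) == _stem(p):
        return True
    return _edit_distance(c, p) <= MAX_EDIT_DISTANCE


def validate_password(candidate: str, username: str, real_name: str,
                      recent_passwords: Iterable[str] = ()) -> List[str]:
    """Return the violated rules; an empty list means the password is acceptable."""
    violations: List[str] = []
    lower = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        violations.append("must be at least eight characters long")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"\d", candidate)
            and re.search(r"[^A-Za-z0-9]", candidate)):
        violations.append("must contain a combination of letters, numbers, and special characters")
    # Name parts shorter than three characters (initials) are ignored to avoid false positives.
    name_parts = [p.lower() for p in real_name.split() if len(p) >= 3] + [username.lower()]
    if any(part and part in lower for part in name_parts):
        violations.append("must not contain the user's real name or username")
    if any(name in lower for name in BUSINESS_NAMES):
        violations.append("must not contain 'Amazon' or any other business name")
    if any(is_similar(candidate, old) for old in recent_passwords):
        violations.append("must not be the same as or similar to a recently used password")
    return violations


class LockoutCounter:
    """Consecutive invalid attempts per account; the account locks at LOCKOUT_THRESHOLD."""

    def __init__(self) -> None:
        self._failures: Dict[str, int] = {}
        self._locked: Set[str] = set()

    def record(self, account: str, success: bool) -> bool:
        """Record one attempt and return True if the account is (now) locked."""
        if account in self._locked:
            return True
        if success:
            self._failures[account] = 0
            return False
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= LOCKOUT_THRESHOLD:
            self._locked.add(account)
        return account in self._locked

    def is_locked(self, account: str) -> bool:
        return account in self._locked


if __name__ == "__main__":
    # Constructed sample inputs of the kind the auditor tried; all but the last are rejected.
    for pw in ("short1!", "jsmithRocks9!", "Amazon2024!", "Winter2024!", "Tr0ub4dor&3xyz"):
        print(pw, "->", validate_password(pw, "jsmith", "Jane Smith", ["Winter2023!"]) or "ok")
```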
Section IV – Description of Control Objectives, Controls,
Tests, and Results of Tests

Gw
Control Objective 3: Logical Security

A7
Controls provide reasonable assurance that policies and mechanisms are in place to appropriately restrict
unauthorized internal and external access to data and customer data is appropriately segregated from
other customers.

7
Controls Specified by AWS Tests Performed by EY Results of Tests

g1
AWSCA-2.6: AWS requires two- Inquired of a Corporate Systems Manager
No deviations noted.
factor authentication over an to ascertain two-factor authentication
approved cryptographic channel over an approved cryptographic channel

Rw
for authentication to the internal was required to access the Amazon
AWS network from remote corporate network from remote locations.
locations.

ab
Inspected the authentication protocol
No deviations noted.
configuration to ascertain authentication

gv
to the internal AWS network from remote
locations required two-factor
authentication over an approved
e9
cryptographic channel.

Attempted to login to the Amazon


No deviations noted.
m
corporate network from a remote location
to ascertain both a physical token and
password were required to access the
kc

Amazon corporate network over an


approved cryptographic channel.
I6

AWSCA-3.1: Firewall devices are Inquired of an AWS Infrastructure Security


No deviations noted.
configured to restrict access to the Engineer to ascertain firewall devices were
EK

computing environment and configured to restrict access to the


enforce boundaries of computing computing environment and enforce
clusters. boundaries of computing clusters.
zz

For a sample of firewalls selected from a


No deviations noted.
system generated list of in-scope firewalls,
n-

inspected the access control lists to


ascertain the devices were configured to
ke

deny all access to the computing


environment and enforce boundaries of
computing clusters, unless explicitly
-to

authorized.
mr
te

AWS Confidential
102
Section IV – Description of Control Objectives, Controls,
Tests, and Results of Tests

Gw
Control Objective 3: Logical Security

A7
Controls provide reasonable assurance that policies and mechanisms are in place to appropriately restrict
unauthorized internal and external access to data and customer data is appropriately segregated from
other customers.

7
Controls Specified by AWS Tests Performed by EY Results of Tests

g1
AWSCA-3.2: Firewall policies Inquired of an AWS Infrastructure Security
No deviations noted.
(configuration files) are Engineer to ascertain firewall policies
automatically pushed to were automatically pushed to production

Rw
production firewall devices. firewall devices.

For a sample of firewall devices selected


No deviations noted.
from a system generated list of in-scope

ab
firewalls, inspected the deployment log
output to ascertain policies were
automatically pushed to production

gv
firewall devices.

AWSCA-3.3: Firewall policy updates Inquired of an AWS Infrastructure Security


e9
No deviations noted.
are reviewed and approved. Engineer to ascertain data center firewall
policy updates were reviewed and
approved.
m

For a sample of firewall policy updates


kc

No deviations noted.
selected from a system generated list of
in-scope firewalls with firewall policy
updates applied, inspected approval
I6

evidence to ascertain they were reviewed


and approved by appropriate personnel
EK

prior to implementation.

For a sample of employees selected from a


No deviations noted.
system generated list of individuals
zz

eligible to approve ACL requests,


inspected the job title and team of the
n-

employee to ascertain that approval and


user access rights were appropriate.
ke

AWSCA-3.4: AWS performs Inquired of an AWS Security Technical


No deviations noted.
external vulnerability assessments Program Manager to ascertain quarterly
at least quarterly, identified issues external vulnerability assessments were
-to

are investigated and tracked to performed and that identified issues were
resolution in a timely manner. investigated and tracked to resolution.
mr
te

AWS Confidential
103
Section IV – Description of Control Objectives, Controls,
Tests, and Results of Tests

Gw
Control Objective 3: Logical Security

A7
Controls provide reasonable assurance that policies and mechanisms are in place to appropriately restrict
unauthorized internal and external access to data and customer data is appropriately segregated from
other customers.

7
Controls Specified by AWS Tests Performed by EY Results of Tests

g1
Inspected the listing of production end
No deviations noted.
points used by the vulnerability
assessment tools of the quarterly external

Rw
vulnerability assessments performed to
ascertain production hosts for the in-
scope services (that supported public end

ab
points) were included in the quarterly
scans.

For a sample of quarters, inspected

gv
No deviations noted.
evidence of external vulnerability
assessments to ascertain the assessments
were performed, results were
e9
documented, and that the process existed
for any identified issues to be tracked,
m
addressed, and resolved in a timely
manner.
kc

AWSCA-3.5: AWS enables Inquired of Software Development


No deviations noted.
customers to articulate who has Managers to ascertain AWS enabled
access to AWS services and customers were able to articulate (or
I6

resources (if resource-level select) who has access to AWS services


permissions are applicable to the and resources that they owned, that
EK

service) that they own. AWS customers were prevented from accessing
prevents customers from accessing AWS resources that were not assigned to
AWS resources that are not them via access permissions, and that
zz

assigned to them via access content was only returned to individuals


permissions. Content is only authorized to access the specific AWS
returned to individuals authorized service or resource.
n-

to access the specified AWS service


or resource (if resource-level
ke

permissions are applicable to the


service).
-to
mr
te

AWS Confidential
104
Section IV – Description of Control Objectives, Controls,
Tests, and Results of Tests

Gw
Control Objective 3: Logical Security

A7
Controls provide reasonable assurance that policies and mechanisms are in place to appropriately restrict
unauthorized internal and external access to data and customer data is appropriately segregated from
other customers.

7
Controls Specified by AWS Tests Performed by EY Results of Tests

g1
Inspected the configurations in-place for
No deviations noted.
the AWS services that managed external
access to AWS services and resources (if

Rw
resource-level permissions were
applicable to the service), to ascertain
services were designed to return content

ab
only to individuals authorized to access
the specified AWS service or resource, and
that AWS prevented customers from

gv
accessing resources that had not been
assigned to them via access permissions.

Observed a user with authorized access


e9
No deviations noted.
permissions attempt to access AWS
services and resources, to ascertain that
m
services returned content only to
individuals authorized to access the
specified AWS service or resource.
kc

Observed a user without authorized


No deviations noted.
access permissions attempt to access AWS
I6

services and resources, to ascertain that


services did not return content to
EK

individuals without authorized access to


the specified AWS service or resource.
zz

AWSCA-3.6: AWS performs Inquired of an Application Security


No deviations noted.
application security reviews for Technical Program Manager to ascertain
externally launched products, AWS performed application security
n-

services, and significant feature reviews for launched products, services,


additions prior to launch to and significant feature additions prior to
ke

evaluate whether security risks are launch to evaluate whether security risks
identified and mitigated. were identified and mitigated.
-to
mr
te

AWS Confidential
105
Section IV – Description of Control Objectives, Controls,
Tests, and Results of Tests

Gw
Control Objective 3: Logical Security

A7
Controls provide reasonable assurance that policies and mechanisms are in place to appropriately restrict
unauthorized internal and external access to data and customer data is appropriately segregated from
other customers.

7
Controls Specified by AWS Tests Performed by EY Results of Tests

g1
For a sample of products, services, and
No deviations noted.
significant feature additions selected from
a system generated list of trouble tickets

Rw
representing launches during the period,
inspected the Application Security team’s
review to ascertain the products, services,

ab
and significant feature additions were
reviewed prior to launch.

AWSCA-3.7: S3-Specific – Network devices are configured by AWS to only allow access to specific ports on other server systems within Amazon S3.
Tests Performed by EY:
• Inquired of an S3 Software Development Manager to ascertain network devices were configured to only allow access to specific ports on server systems within Amazon S3. Result: No deviations noted.
• For a sample of S3 network devices selected from a listing of S3 network devices generated from the S3 code repository, inspected the configuration settings to ascertain the devices were configured to only allow access to specified ports. Result: No deviations noted.

AWSCA-3.8: S3-Specific – External data access is logged with the following information: data accessor IP address, object and operation. Logs are retained for at least 90 days.
Tests Performed by EY:
• Inquired of an S3 Software Development Engineer to ascertain external data access was logged with the data accessor IP address, object, and operation, and that logs were retained for at least 90 days. Result: No deviations noted.
• Inspected the configuration settings pushed to the S3 web servers to ascertain the servers were configured to log the data accessor IP address, object, and operation information. Result: No deviations noted.
• For a sample of AWS Availability Zones (AZs) selected from a listing of AZs generated from the AZ code repository, inspected the environment operational configurations for log retention of external access to data to ascertain that logs were configured to be retained for 90 days. Result: No deviations noted.
• Observed a Software Development Engineer perform an access operation on an S3 object and inspected the external data access log output after 90 days to ascertain the following information was logged for at least 90 days: data accessor IP accessing the data, object accessed, and operation performed. Result: No deviations noted.

AWSCA-3.9: EC2-Specific – Physical hosts have host-based firewalls to prevent unauthorized access.
Tests Performed by EY:
• Inquired of an EC2 Security Manager to ascertain EC2 physical hosts had host-based firewalls, or access was logically restricted, to prevent unauthorized access. Result: No deviations noted.
• Inspected system configurations responsible for configuring a new host to ascertain that host-based firewalls were automatically added during the build process of new hosts. Result: No deviations noted.
• Inspected the monitoring configurations of physical hosts to ascertain that monitoring was in place to notify service team members in the case that a physical host did not have an active firewall. Result: No deviations noted.
• Observed an EC2 Security Engineer make an API request with and without the appropriate token to ascertain a host-based access token was required to authorize access to the host. Result: No deviations noted.
• For a sample of EC2 physical hosts supporting in-scope AWS regions selected from listings of production hosts for each region, inspected the host-based firewall settings to ascertain host-based firewalls were in place and operational to prevent unauthorized access. Result: No deviations noted.

AWSCA-3.10: EC2-Specific – Virtual hosts are behind software firewalls which are configured to prevent TCP/IP spoofing, packet sniffing, and restrict incoming connections to customer-specified ports.
Tests Performed by EY:
• Inquired of an EC2 Security Manager to ascertain virtual hosts were behind software firewalls, which prevented TCP/IP spoofing, packet sniffing, and restricted incoming connections to customer-specified ports. Result: No deviations noted.
• Observed an EC2 Security Engineer create a virtual EC2 host with a firewall configured to communicate with only specified IP addresses and ascertained that communications with the specified IP address were successful. Result: No deviations noted.
• Observed an EC2 Security Engineer attempt to communicate with an unspecified IP address to ascertain the attempts were denied. Result: No deviations noted.
• Observed an EC2 Security Engineer create a virtual EC2 host and inspected the IP table configurations to ascertain traffic was routed to prevent TCP/IP spoofing. Result: No deviations noted.
• Observed an EC2 Security Engineer create two EC2 instances on a single physical EC2 host and generate network traffic on each instance to ascertain neither of the instances was able to packet sniff the traffic of the other instance. Result: No deviations noted.

AWSCA-3.11: EC2-Specific – AWS prevents customers from accessing custom AMIs not assigned to them by a property of the AMI called launch-permissions. By default, the launch-permissions of an AMI restrict its use to the customer/account that created and registered it.
Tests Performed by EY:
• Inquired of an EC2 Security Manager to ascertain AWS prevented customers from accessing custom AMIs not assigned to them by default launch-permissions. Result: No deviations noted.
• Inspected the AMI launch-permissions configuration within the AWS console to ascertain that by default the launch permission of an AMI restricted its use to the account that created it unless the customer granted access permissions. Result: No deviations noted.
• Created an AMI, attempted to access the AMI without the designated launch permissions, and per inspection of the error message within the AWS management console, ascertained access was restricted. Result: No deviations noted.

AWSCA-3.12: EC2-Specific – AWS prevents customers from accessing physical hosts or instances not assigned to them by filtering through the virtualization software.
Tests Performed by EY:
• Inquired of an EC2 Security Manager to ascertain customers were restricted from accessing physical hosts or instances not assigned to them by filtering through the virtualization software. Result: No deviations noted.
• Observed an EC2 Security Engineer attempt to IP ping the physical EC2 host from an EC2 instance within the host, to ascertain the physical host was isolated from the instances. Result: No deviations noted.
• Observed an EC2 Security Engineer attempt to access a file stored on an EC2 instance from the physical EC2 host the instance was located on, to ascertain the instances located on physical hosts were not able to be accessed. Result: No deviations noted.
• Observed an EC2 Security Engineer attempt to access a file stored on an EC2 instance from a different instance on the same physical EC2 host, to ascertain the instances on the same physical hosts were isolated from one another. Result: No deviations noted.

AWSCA-3.13: VPC-Specific – Network communications within a VPC are isolated from network communications within other VPCs.
Tests Performed by EY:
• Inquired of an EC2 Networking Software Development Engineer to ascertain network communications between different VPCs were isolated from one another. Result: No deviations noted.
• Observed an EC2 Networking Software Development Engineer configure the VPC infrastructure for two VPCs and attempt to communicate between instances across the two VPCs to ascertain network communication between the two VPCs was isolated. Result: No deviations noted.

AWSCA-3.14: VPC-Specific – Network communications within a VPN Gateway are isolated from network communications within other VPN Gateways.
Tests Performed by EY:
• Inquired of an EC2 Networking Software Development Engineer to ascertain network communications between VPN gateways were isolated from one another. Result: No deviations noted.
• Observed an EC2 Networking Software Development Engineer configure a VPC infrastructure with two VPN Gateways and attempt to communicate between instances across the two VPN Gateways, to ascertain network communication between VPN gateways was isolated. Result: No deviations noted.

AWSCA-3.15: VPC-Specific – Internet traffic through an Internet Gateway is forwarded to an instance in a VPC only when an Internet Gateway is attached to the VPC and a public IP is mapped to the instance in the VPC.
Tests Performed by EY:
• Inquired of an EC2 Security Engineer to ascertain internet traffic through an Internet Gateway was only forwarded to an instance in a VPC when an Internet Gateway was attached to the VPC and a public IP was mapped to the instance in the VPC. Result: No deviations noted.
• Created a VPC, attached an Internet Gateway, allocated a public IP, and per inspection of traffic on an instance, ascertained traffic was successfully forwarded. Result: No deviations noted.
• Removed the Internet Gateway and public IP from the VPC and per inspection of the traffic on the instance, ascertained traffic was prevented from being forwarded. Result: No deviations noted.

AWSCA-3.16: AWS maintains formal policies and procedures that provide guidance for operations and information security within the organization and the supporting AWS environments. The mobile device policy provides guidance on:
• Use of mobile devices.
• Protection of devices that access content for which Amazon is responsible.
• Remote wipe capability.
• Password-guessing protection restrictions.
• Remote synchronization requirements.
• Security patch requirements.
• Approved methods for accessing Amazon data.
Tests Performed by EY:
• Inquired of an AWS Risk Management Program Manager to ascertain formal policies and procedures for the use of mobile devices existed and included guidance for operations and information security for organizations that support AWS environments. Result: No deviations noted.
• Inspected the AWS internal website to ascertain formal policies and procedures for the use of mobile devices were available to AWS employees. Result: No deviations noted.
• Inspected the mobile device policy to ascertain it included organization-wide security procedures as guidance for the AWS environment regarding:
    • Use of mobile devices
    • Protection of devices that access content for which Amazon is responsible
    • Remote wipe capability
    • Password-guessing protection restrictions
    • Remote synchronization requirements
    • Security patch requirements
    • Approved methods for accessing Amazon data
  Result: No deviations noted.

AWSCA-3.17: Outpost-Specific – Service link is established between Outpost and AWS Region by use of a secured VPN connection over public internet or AWS Direct Connect.
Tests Performed by EY:
• Inquired of an AWS Senior Security Engineer to ascertain Service link was established between Outposts and an AWS Region by use of a secured VPN connection over public internet or AWS Direct Connect. Result: No deviations noted.
• Inspected the Outposts configurations to ascertain Service link was established between Outpost and an AWS Region by use of a secured VPN connection over public internet or AWS Direct Connect. Result: No deviations noted.
• Inspected dashboards of an active Outpost to ascertain the health of the secure VPN connection between Outpost and an AWS region was tracked and monitored. Result: No deviations noted.
• Inspected the monitoring configurations of an active Outpost to ascertain alarming around the secure VPN connection was configured to notify service team members in the case of network issues. Result: No deviations noted.

AWSCA-3.18: Anti-virus software is installed, updated and running on workstations.
Tests Performed by EY:
• Inquired of an AWS Senior Security Engineer to ascertain anti-virus software was installed, updated, and running on workstations. Result: No deviations noted.
• Inspected the anti-virus configurations on the administrator console for the imaging of workstations to ascertain the anti-virus software was in place to monitor for malicious code, was automatically updated with new release or virus definitions and prevented end-users from disabling the service. Result: No deviations noted.
• Inspected a workstation that had disabled anti-virus software to ascertain that the workstation was in the process of being isolated from the network. Result: No deviations noted.
• Inspected a workstation to ascertain anti-virus software was installed, updated and running in accordance with the AWS System and Information Integrity Policy. Result: No deviations noted.

AWSCA-9.4: AWS host configuration settings are monitored to validate compliance with AWS security standards and automatically pushed to the host fleet.
Tests Performed by EY:
• Inquired of a System Engineering Manager and Software Development Manager to ascertain AWS host configuration settings were monitored to validate compliance with AWS security standards and that they were automatically pushed to the fleet. Result: No deviations noted.
• Inspected the monitoring configurations to ascertain production hosts were configured to monitor compliance with AWS security standards and to automatically request and install host configuration setting updates pushed to the fleet. Result: No deviations noted.
• Selected production hosts and inspected the automated deployment logs to ascertain production hosts automatically requested and installed host configuration setting updates pushed to the fleet. Result: No deviations noted.
• For one incident ticket created for a failed deployment attempt for each host deployment mechanism, inspected the ticket details to ascertain the unsuccessful installation of host configuration settings was identified, tracked and resolved in a timely manner. Result: No deviations noted.

Control Objective 4: Secure Data Handling

Controls provide reasonable assurance that data handling between the customer’s point of initiation to an AWS storage location is secured and mapped accurately.

Controls Specified by AWS | Tests Performed by EY | Results of Tests

AWSCA-4.1: EC2-Specific – Upon initial communication with an AWS-provided Linux AMI, AWS enables secure communication by SSH configuration on the instance, by generating a unique host-key and delivering the key’s fingerprint to the user over a trusted channel.
Tests Performed by EY:
• Inquired of an EC2 Security Engineer to ascertain upon initial communication with an AWS-provided Linux AMI, AWS enabled a secure communication by SSH configuration on the instance by generating and delivering a unique host-key fingerprint to the user over a trusted channel. Result: No deviations noted.
• Launched a public Linux AMI EC2 instance and inspected the EC2 console to ascertain the unique host-key fingerprint was accessible from the system log. Result: No deviations noted.
• Using the launched public Linux AMI EC2 instance, connected to the instance via SSH using the unique host-key fingerprint and inspected the connection logs to ascertain the unique host-key fingerprint was listed. Result: No deviations noted.
• Launched a second public Linux AMI EC2 instance and inspected the EC2 console and instance connection logs to ascertain the unique host-key fingerprint was different from the first instance. Result: No deviations noted.
• Using the second public Linux AMI EC2 instance, attempted to connect to the instance via SSH using the first instance's unique host-key fingerprint and observed the attempt was rejected by the system, to ascertain that connection to a Linux AMI EC2 instance can only be performed using the instance's unique host-key fingerprint. Result: No deviations noted.

AWSCA-4.2: EC2-Specific – Upon initial communication with an AWS-provided Windows AMI, AWS enables secure communication by configuring Windows Terminal Services on the instance by generating a unique self-signed server certificate and delivering the certificate’s thumbprint to the user over a trusted channel.
Tests Performed by EY:
• Inquired of an EC2 Security Engineer to ascertain upon initial communication with an AWS-provided Windows AMI, AWS enabled a secure communication by configuring Windows Terminal Services on the instance by generating a unique self-signed server certificate and delivering the certificate’s thumbprint to the user over a trusted channel. Result: No deviations noted.
• Launched a public Windows AMI EC2 instance and inspected the EC2 console and the system log to ascertain the self-signed server certificate was accessible. Result: No deviations noted.
• Using the launched public Windows AMI EC2 instance, connected to the instance using the unique self-signed server certificate to ascertain the connection logs matched the unique self-signed server certificate from the instance’s EC2 console system log. Result: No deviations noted.
• Launched a second public Windows AMI EC2 instance and inspected the EC2 console and instance connection logs to ascertain the unique self-signed server certificate was different than for the first instance. Result: No deviations noted.
• Using the second public Windows AMI EC2 instance, attempted to connect to the instance using the first instance's unique self-signed server certificate and observed the attempt was rejected by the system, to ascertain that connection to a Windows AMI EC2 instance can only be performed using the instance's unique self-signed server certificate. Result: No deviations noted.

AWSCA-4.3: VPC-Specific – Amazon enables secure VPN communication to a VPN Gateway by providing a shared secret key that is used to establish IPSec Associations.
Tests Performed by EY:
• Inquired of a VPC Manager of Software Development to ascertain Amazon enabled secure VPN communication to a VPN Gateway through a secret key that established IPSec Associations. Result: No deviations noted.
• Observed a VPC Manager of Software Development use the shared secret key to establish IPSec Associations to ascertain the connection was successful. Result: No deviations noted.
• Observed the VPC Manager of Software Development alter the shared secret key to establish IPSec Security Associations to ascertain the connection was unsuccessful. Result: No deviations noted.

AWSCA-4.4: S3-Specific – S3 generates and stores a one-way salted HMAC of the customer encryption key. This salted HMAC value is not logged.
Tests Performed by EY:
• Inquired of an S3 Software Development Engineer to ascertain S3 generated and stored a one-way salted HMAC of the customer encryption key, and that the salted HMAC value was not logged. Result: No deviations noted.
• Observed an S3 Software Development Engineer upload an encrypted object to S3 and inspected the metadata for the stored object to ascertain the encryption information included a one-way salted HMAC of the customer encryption key. Result: No deviations noted.
• Observed an S3 Software Development Engineer upload an encrypted object to S3 and searched the S3 host logs for the one-way salted HMAC value to ascertain it was not logged. Result: No deviations noted.
• Observed an S3 Software Development Engineer attempt to decrypt an object in S3 with an incorrect encryption key to ascertain the decrypt function failed and the object was unreadable. Result: No deviations noted.

AWSCA-4.5: KMS-Specific – KMS keys used for cryptographic operations in KMS are logically secured so that no AWS employee can gain access to the key material.
Tests Performed by EY:
• Inquired of an AWS Cryptography Technical Program Manager to ascertain no AWS employee could gain logical access to the hardened security modules where customer keys were used for cryptographic operations. Result: No deviations noted.
• Inspected the configurations for gaining logical access to the hardened security module to ascertain KMS keys used for cryptographic operations in KMS were logically secured so that no AWS employee could gain access to the key material. Result: No deviations noted.
• Observed an AWS Cryptography Software Development Engineer attempt to gain logical access to the hardened security module where customer keys were used in memory to ascertain this was not possible. Result: No deviations noted.
• Inspected the KMS key material access configurations to ascertain no single AWS employee could modify rulesets, host or operator membership to the domain of the hardened security appliance. Result: No deviations noted.
• Observed an AWS Cryptography Software Development Engineer attempt to remove a host or operator without meeting the quorum rules to ascertain the actions resulted in a quorum rule error. Result: No deviations noted.

AWSCA-4.6: KMS-Specific – AWS Services that integrate with AWS KMS for key management use a 256-bit data key locally to protect customer content.
Tests Performed by EY:
• Inquired of Software Development Engineers to ascertain AWS Services which integrate with AWS KMS for key management used a 256-bit AES data key locally to protect customer content. Result: No deviations noted.
• Inspected the API call configurations of the services which integrate with KMS for services that store customer content to ascertain each service was configured to send 256-bit AES key requests to KMS. Result: No deviations noted.

AWSCA-4.7: KMS-Specific – The key provided by KMS to integrated services is a 256-bit key and is encrypted with a 256-bit AES key unique to the customer’s AWS account.
Tests Performed by EY:
• Inquired of an AWS Cryptography Technical Program Manager to ascertain keys provided by KMS to integrated services were 256-bit AES keys and were themselves encrypted by 256-bit AES keys unique to each customer’s AWS account. Result: No deviations noted.
• Inspected the KMS key creation configuration to ascertain KMS keys created by KMS utilized the AES-256 cryptographic algorithm. Result: No deviations noted.
• Inspected the KMS encryption activity configuration to ascertain 256-bit AES keys were returned for 256-bit AES key requests coming from the integrated KMS services to encrypt customer data. Result: No deviations noted.
• Observed an AWS Cryptography Software Development Engineer create a resource with content enabled for encryption using KMS to ascertain a KMS key was used to encrypt a 256-bit AES data key (which was used to encrypt the content) as requested from the service. Result: No deviations noted.
• Observed an AWS Cryptography Software Development Engineer create a resource with content enabled for encryption using KMS and then attempt to access the data without decrypting to ascertain it was unreadable. Result: No deviations noted.
• Observed an AWS Cryptography Software Development Engineer create a resource with content enabled for encryption using KMS and then attempt to decrypt the data using the required 256-bit AES data key to ascertain the data was successfully decrypted. Result: No deviations noted.
• Uploaded test data using a KMS-integrated service encrypted with a data key, encrypted by a KMS key relating to an AWS account, and attempted to perform the same activity, using another AWS account, calling upon the same KMS key to observe an upload failure occurred due to an authorization failure caused by a mismatch between the owner of the KMS key and the AWS account. Result: No deviations noted.

AWSCA-4.8: KMS-Specific – Requests in KMS are logged in AWS CloudTrail.
Tests Performed by EY:
• Inquired of an AWS Cryptography Technical Program Manager to ascertain API calls made by the AWS services that integrate with KMS were captured when the logging feature was enabled. Result: No deviations noted.
• Inspected the configuration for KMS logging to ascertain requests in KMS were designed to be logged in AWS CloudTrail. Result: No deviations noted.
• Enabled CloudTrail logging on a service that integrates with KMS, uploaded data using a KMS key for encryption, and downloaded the same file for decryption and inspected the logs in AWS CloudTrail to ascertain activity from both encryption and decryption API calls was logged. Result: No deviations noted.

AWSCA-4.9: KMS-Specific – KMS endpoints can only be accessed by customers using TLS with cipher suites that support forward secrecy.
Tests Performed by EY:
• Inquired of an AWS Cryptography Technical Program Manager to ascertain KMS endpoints could only be accessed using TLS with cipher suites to support forward secrecy. Result: No deviations noted.
• Inspected the configuration for KMS TLS communication to ascertain the cipher suites listed supported forward secrecy. Result: No deviations noted.
• Observed an AWS Cryptography Software Development Engineer attempt to connect to a public KMS service endpoint using an unsupported cipher suite to ascertain the endpoints could not be accessed. Result: No deviations noted.
• Observed an AWS Cryptography Software Development Engineer attempt to connect to a public KMS service endpoint using a supported cipher suite supporting forward secrecy to ascertain the endpoint connection was successful. Result: No deviations noted.

AWSCA-4.10: KMS-Specific – Keys used in AWS KMS are only used for a single purpose as defined by the key usage parameter for each key.
Tests Performed by EY:
• Inquired of an AWS Cryptography Technical Program Manager to ascertain keys used in AWS KMS were only used for a single purpose as defined by the key usage parameter for each key. Result: No deviations noted.
• Inspected the source code responsible for AWS KMS key usage, to ascertain the key usage parameter was configured at the key level and that key operations required the use of keys designated by the system for that operation. Result: No deviations noted.
• Created an AWS KMS key and attempted to perform a key operation in alignment with the key usage parameter to ascertain the operation was performed in accordance with the set parameter. Result: No deviations noted.
• Created an AWS KMS key and attempted to perform a key operation not in alignment with the key usage parameter to ascertain the operation resulted in a key usage error. Result: No deviations noted.

AWSCA-4.11: KMS-Specific – Inquired of an AWS Cryptography


No deviations noted.
KMS keys created by KMS are Technical Program Manager to ascertain
rotated on a defined frequency the KMS service included functionality for
I6

if enabled by the customer. KMS keys to be rotated on a defined


frequency, if enabled by the customer.
EK

Inspected the source code responsible for


No deviations noted.
KMS key rotation to ascertain that a new
backing key would be created in
zz

accordance with the customer defined


frequency, if enabled.
n-

Inspected the key rotation history after


No deviations noted.
ke

enabling on-demand key rotation for a


Customer Managed Key to ascertain that
the key was rotated immediately and the
-to

rotation event was logged.


mr
te

AWS Confidential
122
Section IV – Description of Control Objectives, Controls,
Tests, and Results of Tests

Gw
Control Objective 4: Secure Data Handling

A7
Controls provide reasonable assurance that data handling between the customer’s point of initiation
to an AWS storage location is secured and mapped accurately.

Controls Specified by AWS Tests Performed by EY Results of Tests

7
Inspected a key rotation event log for an

g1
No deviations noted.
AWS internal key to ascertain the backing
key was rotated in accordance with the
defined frequency.
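The two KMS behaviours the tests above exercise, a key-usage parameter that every operation is checked against (the single-purpose control continued at the top of this section) and rotation that creates a new backing key while keeping the old ones (AWSCA-4.11), modelled as a small Python toy. This is an added illustration written for this page, not AWS KMS source code: the ToyKmsKey class, its HMAC-SHA256 keystream cipher, the rotate_if_due scheduler hook and the 365-day period used in the scenario are assumptions; only the KeyUsage values ENCRYPT_DECRYPT and SIGN_VERIFY are real KMS identifiers.

```python
"""Toy model of the KMS key-usage check and backing-key rotation.
Constructed for this page, not AWS KMS code. Every operation is checked
against the key's usage parameter; rotation appends a new backing key (on a
defined frequency or on demand) and logs the event; earlier backing keys are
retained so ciphertext produced before a rotation still decrypts. The cipher
and class layout are assumptions; ENCRYPT_DECRYPT / SIGN_VERIFY are real."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

ENCRYPT_DECRYPT = "ENCRYPT_DECRYPT"
SIGN_VERIFY = "SIGN_VERIFY"
NONCE_LEN = 16

class InvalidKeyUsageError(Exception):
    """The requested operation is not permitted by the key's usage parameter."""

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream: concatenated HMAC(key, nonce || counter) blocks, cut to n bytes.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

class ToyKmsKey:
    def __init__(self, key_id: str, key_usage: str, created: datetime) -> None:
        self.key_id = key_id
        self.key_usage = key_usage                      # fixed at creation: one purpose per key
        self.backing_keys = [secrets.token_bytes(32)]   # list index = key material version
        self.last_rotated = created
        self.rotation_period = None                     # None: automatic rotation not enabled
        self.rotation_log = []                          # (timestamp, reason, new version)

    def _require(self, usage: str, op: str) -> None:
        if self.key_usage != usage:                     # the check behind the "key usage error"
            raise InvalidKeyUsageError(f"{op} is not allowed for a {self.key_usage} key")

    def encrypt(self, plaintext: bytes) -> bytes:
        self._require(ENCRYPT_DECRYPT, "Encrypt")
        version = len(self.backing_keys) - 1            # always the current backing key
        nonce = secrets.token_bytes(NONCE_LEN)
        ks = _keystream(self.backing_keys[version], nonce, len(plaintext))
        body = bytes(p ^ k for p, k in zip(plaintext, ks))
        return bytes([version]) + nonce + body          # version byte selects material on decrypt

    def decrypt(self, ciphertext: bytes) -> bytes:
        self._require(ENCRYPT_DECRYPT, "Decrypt")
        version, nonce = ciphertext[0], ciphertext[1:1 + NONCE_LEN]
        body = ciphertext[1 + NONCE_LEN:]
        ks = _keystream(self.backing_keys[version], nonce, len(body))  # retained old material
        return bytes(c ^ k for c, k in zip(body, ks))

    def sign(self, message: bytes) -> bytes:
        self._require(SIGN_VERIFY, "Sign")
        return hmac.new(self.backing_keys[-1], message, hashlib.sha256).digest()

    def enable_rotation(self, period_days: int) -> None:
        self.rotation_period = timedelta(days=period_days)

    def rotate(self, now: datetime, reason: str) -> int:
        self.backing_keys.append(secrets.token_bytes(32))   # new backing key, old ones kept
        self.last_rotated = now
        version = len(self.backing_keys) - 1
        self.rotation_log.append((now, reason, version))    # the logged rotation event
        return version

    def rotate_if_due(self, now: datetime) -> bool:
        # Assumed scheduler hook: rotates only when enabled and the period has elapsed.
        if self.rotation_period is None or now - self.last_rotated < self.rotation_period:
            return False
        self.rotate(now, "scheduled")
        return True

def run_scenario() -> dict:
    """Replay the cases the EY tests describe; returns what was observed."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)            # constructed timeline
    enc_key = ToyKmsKey("key-enc", ENCRYPT_DECRYPT, t0)
    out = {}
    ct_v0 = enc_key.encrypt(b"customer data")
    out["aligned_op_ok"] = enc_key.decrypt(ct_v0) == b"customer data"
    try:
        enc_key.sign(b"customer data")                       # Sign on an ENCRYPT_DECRYPT key
        out["misaligned_op_error"] = False
    except InvalidKeyUsageError:
        out["misaligned_op_error"] = True
    enc_key.enable_rotation(365)                             # assumed customer-defined frequency
    out["not_due_after_100_days"] = not enc_key.rotate_if_due(t0 + timedelta(days=100))
    out["rotated_after_365_days"] = enc_key.rotate_if_due(t0 + timedelta(days=365))
    out["on_demand_version"] = enc_key.rotate(t0 + timedelta(days=400), "on-demand")
    out["old_ciphertext_still_decrypts"] = enc_key.decrypt(ct_v0) == b"customer data"
    out["new_ciphertext_version"] = enc_key.encrypt(b"x")[0]
    out["rotation_events"] = [reason for _, reason, _ in enc_key.rotation_log]
    return out
```

The point of the version byte in the ciphertext is what makes rotation safe to enable: new encryptions always use the newest backing key, while decrypting data written before a rotation still succeeds because the material it was encrypted under is never discarded. The usage check sits in front of every operation rather than only at key creation, which is why a mismatched request fails even when the caller is otherwise authorized.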

AWSCA-4.12: KMS-Specific – Recovery key materials used for disaster recovery processes by KMS are physically secured offline so that no single AWS employee can gain access to the key material.
  Test: Inquired of an AWS Cryptography Technical Program Manager to ascertain recovery key materials used for disaster recovery processes by KMS were physically secured offline so that no single AWS employee could gain access to the key material. Result: No deviations noted.
  Test: Inspected the listing of employees with physical access to the recovery key material resources used for disaster recovery processes by KMS to ascertain employees were appropriate based on their job title and responsibilities. Result: No deviations noted.
  Test: Inspected a physical access log of access attempts to recovery key materials to ascertain no single AWS employee could gain access by themselves. Result: No deviations noted.

AWSCA-4.13: KMS-Specific – Access attempts to recovery key materials are reviewed by authorized operators on a cadence defined in team documentation.
  Test: Inquired of an AWS Cryptography Technical Program Manager to ascertain access attempts to recovery key materials were reviewed by authorized operators on a cadence defined in team documentation. Result: No deviations noted.
  Test: Inspected the reviews of access attempts or requests to recovery key materials to ascertain reviews were performed and documented by authorized operators on a cadence defined in team documentation. Result: No deviations noted.


AWSCA-4.14: KMS-Specific – Each production firmware version for the AWS Key Management Service HSM (Hardware Security Module) has been certified with NIST under the FIPS 140-2 level 3 standard or is in the process of being certified under FIPS 140-3 level 3.
  Test: Inquired of an AWS Cryptography Technical Program Manager to ascertain the production firmware version of the AWS Key Management Service HSM was certified with NIST under the FIPS 140-2 level 3 standard or is in the process of being certified under the FIPS 140-3 level 3 standard. Result: No deviations noted.
  Test: For all in scope regions, inspected the firmware version running on production AWS Key Management Service HSM devices to ascertain the production firmware version of the AWS Key Management Service HSMs was certified by NIST Cryptographic Module Validation Program Certificate under the FIPS 140-2 level 3 standard or updated firmware was in the process of being certified under the FIPS 140-3 level 3 standard. Result: No deviations noted.

AWSCA-4.15: CloudHSM-Specific – Production HSM devices are received in tamper evident authenticable bags. Tamper evident authenticable bag serial numbers and production HSM serial numbers are verified against data provided out-of-band by the manufacturer and logged into tracking systems by approved individuals.
  Test: Inquired of a CloudHSM Technical Program Manager to ascertain Production HSM devices were received in tamper evident authenticable bags and tamper evident authenticable bag serial numbers and production HSM serial numbers were verified against data provided out-of-band by the manufacturer and logged by individuals approved for access to tracking systems based on roles and responsibilities in adherence with AWS security and operational standards. Result: No deviations noted.
  Test: Inspected the configuration of the automated verifications performed prior to moving an HSM device to production to ascertain HSM serial numbers were verified against data provided out-of-band before entering production. Result: No deviations noted.


  Test: For one HSM device that failed validation, inspected the validations log to ascertain that the HSM device was automatically prohibited from entering production when the HSM serial number could not be verified against data provided out-of-band by the manufacturer. Result: No deviations noted.
  Test: For one production HSM device, inspected the validations log to ascertain the HSM device’s serial number was verified against data provided out-of-band before it entered into production. Result: No deviations noted.


Control Objective 5: Physical Security and Environmental Protection

Controls provide reasonable assurance that physical access to data centers is restricted to authorized personnel and that mechanisms are in place to minimize the effect of a malfunction or physical disaster to data center facilities.

Controls Specified by AWS | Tests Performed by EY | Results of Tests
AWSCA-5.1: Physical access to data centers is approved by an authorized individual.
  Test: Inquired of an AWS Security Technical Program Manager to ascertain physical access to data centers was approved by an authorized individual. Result: No deviations noted.
  Test: Inspected the configuration for executing the physical access approval and provisioning within the data center access management system to ascertain physical access to data centers was designed to be granted after an approval by an authorized individual. Result: No deviations noted.
  Test: For one user provisioned data center access during the period, inspected the data center physical access provisioning records to ascertain physical access was granted after it was approved by an authorized individual. Result: No deviations noted.

AWSCA-5.2: Physical access is revoked within 24 hours of the employee or vendor record being deactivated.
  Test: Inquired of an AWS Security Technical Program Manager to ascertain physical access was automatically revoked within 24 hours of the employee or vendor record being deactivated. Result: No deviations noted.
  Test: Inspected the system configurations within the data center access management system to ascertain physical access was automatically revoked within 24 hours of the employee or vendor record being deactivated in the HR system. Result: No deviations noted.

  Test: For one terminated employee, inspected the HR System record to ascertain physical access was systematically revoked within 24 hours of the employee record being deactivated in the HR system by the access provisioning system. Result: No deviations noted.

AWSCA-5.3: Physical access to data centers is reviewed on a quarterly basis by appropriate personnel.
  Test: Inquired of an AWS Security Technical Program Manager to ascertain physical access to data centers was reviewed on a quarterly basis by appropriate personnel. Result: No deviations noted.
  Test: Inspected the system configurations within the data center access management system to ascertain access marked for removal was automatically removed once the review was marked complete. Result: No deviations noted.
  Test: For one user marked for removal during the most recent quarterly physical access review, inspected the CloudWatch logs for revocation activities to ascertain the user's access was appropriately removed from the data center access management system. Result: No deviations noted.
  Test: For a sample of active users who had data center access selected from a listing of in-scope active data center access levels within the period, inspected the access reviews to ascertain the reviews were performed quarterly and that access was approved by appropriate personnel. Result: No deviations noted.

AWSCA-5.4: Closed circuit television cameras (CCTV) are used to monitor server locations in data centers. Images are retained for 90 days, unless limited by legal or contractual obligations.
  Test: Inquired of an AWS Security Technical Program Manager and Data Center Operations Managers to ascertain physical access points to server locations were monitored by a closed circuit television camera (CCTV) and that images were retained for 90 days unless limited by legal or contractual obligations. Result: No deviations noted.
  Test: For a sample of data centers selected from the asset management tool, observed the CCTV footage or inspected screenshots of CCTV footage of areas around access points to server locations, to ascertain physical access points to server locations were recorded. Result: No deviations noted.
  Test: For a sample of data centers selected from the asset management tool, inspected the network video recorder configuration to ascertain CCTV images to server locations were retained for 90 days, unless limited by legal or contractual obligations. Result: No deviations noted.

AWSCA-5.5: Access to server locations is managed by electronic access control devices.
  Test: Inquired of an AWS Security Technical Program Manager and Data Center Operations Managers to ascertain physical access points to server locations were managed by electronic access control devices. Result: No deviations noted.

  Test: For a sample of data centers selected from the asset management tool, observed electronic access control devices at physical access points to server locations or inspected the physical security access control configurations to ascertain electronic access control devices were installed at physical access points to server locations and that they required authorized Amazon badges with corresponding PINs to enter server locations. Result: No deviations noted.

AWSCA-5.6: Electronic intrusion detection systems are installed within data server locations to monitor, detect, and automatically alert appropriate personnel of security incidents.
  Test: Inquired of an AWS Security Technical Program Manager and Data Center Operations Managers to ascertain electronic intrusion detection systems were installed and capable of detecting breaches into data center server locations. Result: No deviations noted.
  Test: For a sample of data centers selected from the asset management tool, observed on-premise electronic intrusion detection systems or inspected the physical security access control configurations to ascertain electronic intrusion detection systems were installed, that they were capable of detecting intrusion attempts, and that they automatically alerted security personnel of detected events for investigation and resolution. Result: No deviations noted.

AWSCA-5.7: Amazon-owned data centers are protected by fire detection and suppression systems.
  Test: Inquired of Data Center Operations Managers to ascertain Amazon-owned data centers were protected by fire detection and fire suppression systems. Result: No deviations noted.

  Test: For a sample of Amazon-owned data centers selected from the asset management tool, observed on-premise fire detection systems to ascertain they were located throughout the data centers. Result: No deviations noted.
  Test: For a sample of Amazon-owned data centers, observed on-premise fire suppression devices to ascertain they were located throughout the data centers. Result: No deviations noted.

AWSCA-5.8: Amazon-owned data centers are air conditioned to maintain appropriate atmospheric conditions. Personnel and systems monitor and control air temperature and humidity at appropriate levels.
  Test: Inquired of Data Center Operations Managers to ascertain Amazon-owned data centers were air conditioned to maintain appropriate atmospheric conditions and that the units were monitored by personnel and systems to control air temperature and humidity at appropriate levels. Result: No deviations noted.
  Test: For a sample of Amazon-owned data centers selected from the asset management tool, observed on-premise air-conditioning systems to ascertain they monitored and controlled temperature and humidity at appropriate levels. Result: No deviations noted.

AWSCA-5.9: Uninterruptible Power Supply (UPS) units provide backup power in the event of an electrical failure in Amazon-owned data centers and third-party colocation sites where Amazon maintains the UPS units.
  Test: Inquired of Data Center Operations Managers to ascertain UPS units provided backup power in the event of an electrical failure in Amazon-owned data centers or in colocation sites where Amazon managed the UPS units. Result: No deviations noted.
  Test: Inspected the system configuration responsible for the automatic onboarding and continuous monitoring of the health of Amazon maintained UPS units to ascertain that UPS units were being monitored and would send an alert in the event of an electrical failure. Result: No deviations noted.
  Test: For one data center, inspected evidence that UPS units were being monitored and would send an alert in the event of an electrical failure. Result: No deviations noted.
  Test: For a sample of data centers selected from the asset management tool, observed on-premise UPS equipment to ascertain UPS units were configured to provide backup power in the event of an electrical failure. Result: No deviations noted.

AWSCA-5.10: Amazon-owned data centers have generators to provide backup power in case of electrical failure.
  Test: Inquired of Data Center Operations Managers to ascertain Amazon-owned data centers had generators to provide backup power in case of utility power failure. Result: No deviations noted.
  Test: For a sample of Amazon-owned data centers selected from the asset management tool, observed on-premise generator equipment to ascertain generators were configured to provide backup power in case of electrical failure. Result: No deviations noted.

AWSCA-5.11: Contracts are in place with third-party colocation service providers which include provisions to provide fire suppression systems, air conditioning to maintain appropriate atmospheric conditions, Uninterruptible Power Supply (UPS) units (unless maintained by Amazon), and redundant power supplies. Contracts also include provisions requiring communication of incidents or events that impact Amazon assets and/or customers to AWS.
  Test: Inquired of AWS Legal Corporate Counsel to ascertain contracts were in place at the colocation service providers which included provisions for fire suppression systems, air conditioning, UPS units, and redundant power supplies as well as provisions requiring communication of incidents or events that impacted Amazon assets or customers to AWS. Result: No deviations noted.
  Test: For a sample of data centers managed by colocation service providers selected from the asset management tool, inspected the current contractual agreements between service providers and AWS to ascertain they included provisions for fire suppression systems, air conditioning, UPS units, and redundant power supplies as well as provisions requiring colocation service providers to notify Amazon immediately of discovery of any unauthorized use or disclosure of confidential information or any other breach. Result: No deviations noted.

AWSCA-5.12: AWS performs periodic reviews of colocation service providers to validate adherence with AWS security and operational standards.
  Test: Inquired of a Vendor Performance Manager to ascertain periodic reviews were performed for colocation vendor relationships to validate adherence with AWS security and operational standards. Result: No deviations noted.

  Test: For a sample of data centers managed by colocation service providers selected from the asset management tool, inspected the corresponding vendor reviews to ascertain they were performed in accordance with the colocation business review schedule and included an evaluation of adherence to AWS security and operational standards. Result: No deviations noted.

AWSCA-5.13: All AWS production media is securely decommissioned and physically destroyed, verified by two personnel, prior to leaving AWS Secure Zones.
  Test: Inquired of Data Center Operations Managers to ascertain AWS production media was securely decommissioned and physically destroyed prior to leaving AWS Secure Zones. Result: No deviations noted.
  Test: Inspected the AWS Media Destruction Standard Operating Procedures document to ascertain that it included procedures for data center personnel to securely decommission production media prior to leaving AWS Secure Zones. Result: No deviations noted.
  Test: For a sample of data centers selected from the asset management tool, observed on-premise security practices to ascertain production media was restricted to the AWS Secure Zones, unless securely decommissioned and physically destroyed. Result: No deviations noted.
  Test: For a sample of data centers selected from the asset management tool, observed on-premise equipment and media or inspected media destruction logs for secure decommissioning and physical destruction to ascertain production media was securely decommissioned, physically destroyed, and verified by two personnel prior to leaving AWS Secure Zones. Result: No deviations noted.


Control Objective 6: Change Management

Controls provide reasonable assurance that changes (including emergency/non-routine and configuration) to existing IT resources are logged, authorized, tested, approved and documented.

Controls Specified by AWS | Tests Performed by EY | Results of Tests
AWSCA-6.1: AWS applies a systematic approach to managing change to ensure changes to customer-impacting aspects of a service are reviewed, tested and approved. Change management standards are based on Amazon guidelines and tailored to the specifics of each AWS service.
  Test: Inquired of Software Development Managers to ascertain customer-impacting changes of service to the production environment were reviewed, tested, approved, and followed relevant change management guidelines and that service-specific change management processes were maintained, followed, and communicated to the service teams. Result: No deviations noted.
  Test: For a sample of services, inspected the relevant change management guidelines documents to ascertain they communicated specific guidance on change management processes, including initiation, testing and approval, and that service team-specific steps were documented and maintained by the teams. Result: No deviations noted.

AWSCA-6.2: Change details are documented within one of Amazon’s change management or deployment tools.
  Test: Inquired of Software Development Managers to ascertain changes were documented within one of Amazon's change management or deployment tools. Result: No deviations noted.
  Test: For a sample of changes selected from a system-generated listing of changes deployed to production, inspected the relevant documentation, to ascertain the change details were documented within one of Amazon's change management or deployment tools and communicated to service team management. Result: No deviations noted.

AWSCA-6.3: Changes are tested according to service team change management standards prior to migration to production.
  Test: Inquired of Software Development Managers to ascertain changes were tested according to service team change management standards prior to migration to production. Result: No deviations noted.

  Test: For a sample of changes selected from a system-generated listing of changes migrated to production, inspected the relevant documentation to ascertain changes were tested according to service team change management standards and testing occurred in a development environment prior to migration to production. Result: No deviations noted.
  Test: Inspected an AWS managed IAM policy to ascertain that policies managed by AWS were tested prior to being moved to production. Result: No deviations noted.

AWSCA-6.4: AWS maintains separate production and development environments.
  Test: Inquired of Software Development Managers to ascertain AWS maintained separate production and development environments. Result: No deviations noted.
  Test: For a sample of changes selected from a system-generated listing of changes deployed to production, inspected the related deployment pipelines to ascertain the production and development environments were separate. Result: No deviations noted.

AWSCA-6.5: Changes are reviewed for business impact and approved by authorized personnel prior to migration to production according to service team change management standards.
  Test: Inquired of Software Development Managers to ascertain changes were reviewed for business impact and approved by authorized personnel prior to migration to production according to service team change management standards. Result: No deviations noted.

  Test: For a sample of changes selected from a system-generated listing of changes migrated to production, inspected the relevant documentation to ascertain changes were reviewed and approved by authorized personnel prior to migration to production according to service team change management standards. Result: No deviations noted.
  Test: Inspected the configurations in-place for publishing AWS managed IAM policies to ascertain that policies were designed to require approvals prior to being moved to production. Result: No deviations noted.
  Test: Inspected an AWS managed IAM policy to ascertain that policies managed by AWS were approved prior to being moved to production. Result: No deviations noted.

AWSCA-6.6: AWS performs deployment validations and change reviews to detect unauthorized changes to its environment and tracks identified issues to resolution.
  Test: Inquired of Software Development Managers to ascertain AWS performed deployment validations and change reviews to detect changes that did not follow the change management process and that appropriate actions were taken to track identified issues to resolution. Result: No deviations noted.
  Test: For a sample of changes selected from a system-generated listing of changes migrated to production, inspected the relevant documentation to ascertain AWS performed deployment validations and change reviews to detect unauthorized changes and that follow-up actions were taken as necessary to remediate any issues identified. Result: No deviations noted.

  Test: For a sample of quarters, inspected the quarterly security business reviews and the contents of the deployment violations dashboard to ascertain unauthorized changes were tracked to resolution by AWS management. Result: No deviations noted.
  Test: For a sample of months and services using manual deployment monitoring, inspected review documentation to ascertain that the related AWS service team generated a listing of all changes deployed to production during the month, assessed the changes for appropriateness, and follow-up actions were taken as necessary to remediate any issues identified. Result: No deviations noted.
  Test: For a sample of months and services using manual deployment monitoring, inspected the contents of the deployment violation dashboard to ascertain unauthorized changes were tracked to resolution by AWS management. Result: No deviations noted.

AWSCA-6.7: Customer information, including personal information, and customer content are not used in test and development environments.
  Test: Inquired of software development managers, to ascertain production data, including customer content and AWS employee data, were not used in test or development environments. Result: No deviations noted.
  Test: Inspected the contents of the Secure Software Development Policy intended for software development engineers and software development managers throughout AWS to ascertain it provided instructions to not use production data in test or development environments. Result: No deviations noted.


Control Objective 7: Data Integrity, Availability and Redundancy

Controls provide reasonable assurance that data integrity is maintained through all phases including transmission, storage and processing.

Controls Specified by AWS | Tests Performed by EY | Results of Tests
AWSCA-7.1: S3-Specific – S3 compares user provided checksums to validate the integrity of data in transit. If the customer provided MD5 checksum does not match the MD5 checksum calculated by S3 on the data received, the REST PUT will fail, preventing data that was corrupted on the wire from being written into S3.
  Test: Inquired of an S3 Software Development Manager to ascertain S3 compared user provided checksums to validate the integrity of data in transit, and that the customer provided MD5 checksum must match the MD5 checksum calculated by S3 on the data received; otherwise the REST PUT request would fail, preventing corrupted data from being written into S3. Result: No deviations noted.
  Test: Inspected the MD5 checksum configurations to ascertain S3 was configured to continually compare the user provided checksums to validate the integrity of data in transit. Result: No deviations noted.
  Test: Observed a Software Development Engineer upload a file with an invalid MD5 checksum, to ascertain the transfer was aborted and an error message was displayed. Result: No deviations noted.
  Test: Observed a Software Development Engineer upload a file with a valid MD5 checksum that matched the S3 calculated checksum to ascertain the transfer was completed successfully. Result: No deviations noted.

AWSCA-7.2: S3-Specific – S3 performs continuous integrity checks of the data at rest. Objects are continuously validated against their checksums to prevent object corruption.
  Test: Inquired of an S3 Software Development Engineer to ascertain S3 performed continuous integrity checks of the data at rest and that objects were automatically validated against their checksums to prevent object corruption. Result: No deviations noted.

Observed an S3 Software Development

g1
No deviations noted.
Engineer locate an object whose
checksum was not validated against its
object locator, to ascertain the object was

Rw
automatically detected by the S3 service
to prevent object corruption.

Inspected system log files for an object at

ab
No deviations noted.
rest to ascertain checksums were utilized
to assess the continuous integrity checks
of data.

gv
Inspected the S3 logs to ascertain S3 was
No deviations noted.
designed to automatically attempt to
e9
restore normal levels of object storage
redundancy when disk corruption or
device failure was detected.
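The S3 checksum control continued at the top of this section and AWSCA-7.2 describe two distinct checks: a comparison of the customer-supplied MD5 against the MD5 computed over the bytes actually received, which fails the REST PUT on mismatch, and a continuous re-validation of stored objects against their checksums. The following Python script is an added example, not AWS's or EY's code: a small in-memory store that applies both checks to constructed sample payloads. The class and helper names (IntegrityCheckedStore, scrub, corrupt_at_rest, demo) are assumptions made for this example; the only element taken from the S3 API is that the Content-MD5 header carries the base64-encoded raw MD5 digest.

```python
"""Added example (not AWS code): an in-memory object store that mirrors the two
S3 integrity controls described in the report.

- On PUT, the caller supplies a Content-MD5 header (base64 of the raw MD5
  digest, as the S3 REST API expects). The store recomputes MD5 over the bytes
  it received and refuses the write if the digests differ (transit check).
- Every stored object keeps the checksum verified at write time; a "scrub"
  re-hashes objects at rest and reports any whose bytes no longer match
  (AWSCA-7.2 style at-rest check).

MD5 is used because it is the checksum the control names; it detects accidental
corruption and no protection against deliberate tampering should be read into it.
"""
import base64
import hashlib


class ChecksumMismatch(Exception):
    """Raised when the caller's Content-MD5 does not match the received bytes."""


def content_md5(data: bytes) -> str:
    """Base64-encoded raw MD5 digest, the format the S3 Content-MD5 header carries."""
    return base64.b64encode(hashlib.md5(data).digest()).decode("ascii")


class IntegrityCheckedStore:
    """Assumed class name for this example; not an AWS API."""

    def __init__(self):
        # key -> (object bytes, checksum verified at write time)
        self._objects = {}

    def put(self, key: str, data: bytes, content_md5_header: str) -> str:
        """Emulates a REST PUT carrying a Content-MD5 header.

        The digest is recomputed over the bytes actually received, so data
        corrupted on the wire fails the comparison and is never written.
        """
        calculated = content_md5(data)
        if calculated != content_md5_header:
            raise ChecksumMismatch(
                f"Content-MD5 {content_md5_header} does not match calculated {calculated}"
            )
        self._objects[key] = (data, calculated)
        return calculated

    def get(self, key: str) -> bytes:
        return self._objects[key][0]

    def scrub(self) -> list:
        """At-rest validation: re-hash every object and return the keys whose
        bytes no longer match the checksum recorded at write time."""
        return [
            key for key, (data, stored) in self._objects.items()
            if content_md5(data) != stored
        ]

    def corrupt_at_rest(self, key: str, index: int = 0) -> None:
        """Test helper (assumption for this example): simulate a bit flip on disk."""
        data, stored = self._objects[key]
        mutated = bytearray(data)
        mutated[index] ^= 0x01
        self._objects[key] = (bytes(mutated), stored)


def demo() -> dict:
    """Replays the three observation steps from the report and returns the outcomes."""
    store = IntegrityCheckedStore()
    payload = b"constructed sample object body"  # constructed sample data

    # 1. Valid upload: header matches the received bytes, the PUT succeeds.
    ok_checksum = store.put("good", payload, content_md5(payload))

    # 2. Invalid upload: the bytes change after the client computed its
    #    checksum (corruption on the wire); the PUT must be rejected.
    on_wire = payload[:-1] + b"!"
    try:
        store.put("bad", on_wire, content_md5(payload))
        rejected = False
    except ChecksumMismatch:
        rejected = True

    # 3. At-rest scrub: clean store reports nothing; after a simulated
    #    bit flip the scrub flags the damaged object.
    clean = store.scrub()
    store.corrupt_at_rest("good")
    flagged = store.scrub()

    return {
        "valid_put_checksum": ok_checksum,
        "invalid_put_rejected": rejected,
        "bad_key_written": "bad" in store._objects,
        "scrub_clean": clean,
        "scrub_after_corruption": flagged,
    }


if __name__ == "__main__":
    print(demo())
```

demo() mirrors the order of the EY observations: the valid upload is accepted, the upload whose bytes were altered after the client computed its checksum is refused without anything being written, and the scrub only reports an object once its bytes on "disk" diverge from the checksum recorded at write time.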
AWSCA-7.3: S3-Specific – When disk corruption or device failure is detected, the system automatically attempts to restore normal levels of object storage redundancy.

  Test performed by EY: Inquired of an S3 Software Development Manager to ascertain when disk corruption or device failure was detected, the system automatically attempted to restore normal levels of object storage redundancy.
  Result: No deviations noted.

  Test performed by EY: Inspected the S3 logs to ascertain S3 was designed to automatically attempt to restore normal levels of object storage redundancy when disk corruption or device failure was detected.
  Result: No deviations noted.

  Test performed by EY: Observed a Software Development Engineer locate an object that was corrupted or suffered device failure to ascertain the object was rewritten to a known location, which restored normal levels of object storage redundancy.
  Result: No deviations noted.

AWSCA-7.4: S3-Specific – Objects are stored redundantly across multiple fault-isolated facilities.

  Test performed by EY: Inquired of an S3 Software Development Manager to ascertain objects were stored redundantly across multiple fault-isolated facilities.
  Result: No deviations noted.

  Test performed by EY: Uploaded an object and observed a Software Development Engineer access the object location configuration to ascertain the object was stored redundantly across multiple fault-isolated facilities.
  Result: No deviations noted.

AWSCA-7.5: S3-Specific – The design of systems is sufficiently redundant to sustain the loss of a data center facility without interruption to the service.

  Test performed by EY: Inquired of an S3 Software Development Manager to ascertain systems were designed to sustain the loss of a data center facility without interruption to the service.
  Result: No deviations noted.

  Test performed by EY: Inspected the system configuration utilized by S3 on stored objects to ascertain critical services were designed to sustain the loss of a facility without interruption to the service.
  Result: No deviations noted.

AWSCA-7.6: RDS-Specific – If enabled by the customer, RDS backs up customer databases, stores backups for user-defined retention periods, and supports point-in-time recovery.

  Test performed by EY: Inquired of an RDS Systems Engineer Manager to ascertain, if enabled by the customer, RDS backed up customer databases, stored backups for user-defined retention periods, and supported point-in-time recovery.
  Result: No deviations noted.

  Test performed by EY: Inspected the RDS backup configurations to ascertain if enabled by the customer, RDS backed up customer database and stored backups for the user-defined retention periods.
  Result: No deviations noted.
  Test performed by EY (AWSCA-7.6, continued): Created an RDS database, enabled backups and backed up the database to ascertain RDS backed up customer databases via scheduled backups according to a user-defined retention period.
  Result: No deviations noted.

  Test performed by EY: Created an RDS database, captured a point in time database snapshot and restored the RDS database using the captured snapshot, to ascertain RDS databases were capable of a point-in-time recovery using database snapshots.
  Result: No deviations noted.

  Test performed by EY: Restored an RDS database using a database backup, to ascertain RDS databases are capable of a point-in-time recovery.
  Result: No deviations noted.

AWSCA-7.7: AWS provides customers the ability to delete their content. Once successfully removed the data is rendered unreadable.

  Test performed by EY: Inquired of Software Development Managers to ascertain AWS provided customers the ability to delete their content and render it unreadable.
  Result: No deviations noted.

  Test performed by EY: Observed an EC2 Security Manager create a virtual host, upload content, delete the underlying storage volume, then create a different instance within the same virtual memory slot and query for the original content to ascertain that the underlying storage volume and in memory data was removed.
  Result: No deviations noted.

  Test performed by EY: For the services that provide content storage as described in the System Description, inspected the configurations designed to automatically delete content from buckets, volumes, instances, or other means of content storage, to ascertain it was designed to delete and render the data unreadable.
  Result: No deviations noted.

  Test performed by EY: For the services that provide content storage as described in the System Description, independently created an AWS cloud account registered to an independent email address and created sample content into buckets, volumes, instances, or other means of content storage, and compared the time stamp of creation with the current date and time. Observed Software Development Managers query for the objects to ascertain the objects existed and were in an active state.
  Result: No deviations noted.

  Test performed by EY: For the core storage services that provide content storage as described in the System Description, created an AWS cloud account registered to an independent email address and created sample content into buckets, volumes, instances, or other means of content storage, and compared the time stamp of creation with the current date and time. Observed Software Development Managers query the backend to ascertain the objects existed and were in an active state.
  Result: No deviations noted.
  Test performed by EY (AWSCA-7.7, continued): For the services that provide content storage as described in the System Description, deleted the content and/or the underlying buckets, volumes, instances, or other means of content storage, and inspected if the data identifiers were removed or the data itself was zeroed out after being deleted to ascertain it was rendered unreadable.
  Result: No deviations noted.

  Test performed by EY: For the core storage services that provide content storage as described in the System Description, observed Software Development Managers query for the objects metadata for the deleted objects to ascertain that an error was returned stating the object could not be found.
  Result: No deviations noted.

AWSCA-7.8: AWS retains customer content per customer agreements.

  Test performed by EY: Inquired of an AWS Security Assurance Technical Program Manager to ascertain AWS retained customer content per the customer agreements.
  Result: No deviations noted.

  Test performed by EY: Inspected the most recent copy of the AWS Customer Agreement to ascertain it was communicated externally to customers and contained an effective date, which was the most recent version of the agreement.
  Result: No deviations noted.

  Test performed by EY: Inspected the AWS Customer Agreement to ascertain the contractual language in section 7.3b stated that AWS will not delete customer information for up to 30 days in the event of AWS account termination, and that the language explicitly stated the customer agreed to the responsibilities regarding confidential information disposal.
  Result: No deviations noted.

  Test performed by EY: Inspected the customer account content retention configuration to ascertain a centralized account service was designed to send notifications to services to delete customer content 90 days after account closure.
  Result: No deviations noted.

  Test performed by EY: Selected a service that stores customer content integrated with the centralized account service, created a unit of content storage, closed the AWS account and inspected the content throughout the 90-day lifecycle to ascertain customer content was retained until deleted 90 days after customer account closure.
  Result: No deviations noted.

  Test performed by EY: For a sample service that stored customer content for more than 30 days, created a unit of content storage, closed the AWS account, reopened the AWS account 30 days after termination, and per observation, ascertained content was retained.
  Result: No deviations noted.

AWSCA-7.9: Outpost-Specific – Nitro Security Key is configured in Outpost to encrypt customer content and allow a customer to have a mechanical means to perform crypto shredding of the content.

  Test performed by EY: Inquired of an AWS Senior Security Engineer to ascertain the Nitro Security Key was configured in Outpost to encrypt customer content and allowed a customer to have a mechanical means to perform crypto shredding of the content.
  Result: No deviations noted.

  Test performed by EY: Inspected the Outposts configurations to ascertain the Outpost was configured to encrypt customer content with the Nitro Security Key.
  Result: No deviations noted.
  Test performed by EY (AWSCA-7.9, continued): Inspected the Standard Operating Procedures for Outpost Retrieval document to ascertain the Nitro Security Key was mechanically destroyed at the time of retrieval.
  Result: No deviations noted.

  Test performed by EY: Inspected logs of an Outpost with a valid Nitro Security Key to ascertain that it successfully encrypted the content on the Outpost with a valid Nitro Security Key.
  Result: No deviations noted.

  Test performed by EY: Inspected logs of an Outpost without a valid Nitro Security Key to ascertain that it was not able to unencrypt the content on the Outpost without the valid Nitro Security Key.
  Result: No deviations noted.

AWSCA-7.10: EC2-Specific – Amazon EC2 enables clock synchronization based on Network Time Protocol in EC2 Linux instances, to achieve accuracy within 1 millisecond of Coordinated Universal Time.

  Test performed by EY: Inquired of an AWS Software Development Engineer to ascertain Amazon EC2 enabled clock synchronization based on Network Time Protocol in EC2 instances, to achieve accuracy within 1 millisecond of Coordinated Universal Time.
  Result: No deviations noted.

  Test performed by EY: Inspected the clock synchronization configurations to ascertain the different infrastructure layers were linked to ensure clock synchronization.
  Result: No deviations noted.

  Test performed by EY: Observed an EC2 Software Development Engineer create an EC2 instance and enable clock synchronization to ascertain that clock synchronization achieved an accuracy within 1 millisecond of Coordinated Universal Time.
  Result: No deviations noted.

  Test performed by EY: For a sample of AWS Availability Zones (AZs) selected from a listing of AZs generated from the AZ code repository, inspected the AWS managed Grandmaster clock devices to ascertain that the Grandmaster devices were active and that monitoring was enabled to ensure that an accuracy within 1 millisecond of Coordinated Universal Time was achieved.
  Result: No deviations noted.
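AWSCA-7.10 states the target (within 1 millisecond of Coordinated Universal Time, via NTP on EC2 Linux instances) but not how a customer would confirm it on an instance they operate. The following Python script is an added example, not AWS's or EY's code: it parses the output of chrony's `chronyc tracking` command and reports whether the current system offset and the recent RMS offset are both within 1 ms and the daemon reports itself synchronised. The two tracking outputs embedded in the script are constructed samples (the reference address shown, 169.254.169.123, is the Amazon Time Sync Service endpoint, which the report does not name); the function names and the threshold constant are assumptions for this example.

```python
"""Added example (not AWS code): check the 1 ms clock-accuracy target stated in
AWSCA-7.10 by parsing `chronyc tracking` output.

chrony prints the current estimated offset of the system clock on the
"System time" line and the recent RMS offset on the "RMS offset" line.
"""
import re

ONE_MILLISECOND = 0.001  # AWSCA-7.10: accuracy within 1 ms of UTC (assumed constant name)

# Constructed sample of `chronyc tracking` output for a healthy instance.
SAMPLE_TRACKING = """\
Reference ID    : A9FEA97B (169.254.169.123)
Stratum         : 4
Ref time (UTC)  : Thu Jun 20 10:15:42 2024
System time     : 0.000021345 seconds fast of NTP time
Last offset     : -0.000003210 seconds
RMS offset      : 0.000015877 seconds
Frequency       : 12.345 ppm slow
Residual freq   : +0.001 ppm
Skew            : 0.050 ppm
Root delay      : 0.000512345 seconds
Root dispersion : 0.000210987 seconds
Update interval : 64.2 seconds
Leap status     : Normal
"""

# Constructed sample of an instance that has drifted beyond the target and
# whose daemon no longer reports a synchronised state.
SAMPLE_DRIFTED = SAMPLE_TRACKING.replace(
    "System time     : 0.000021345 seconds fast of NTP time",
    "System time     : 0.004500000 seconds slow of NTP time",
).replace("Leap status     : Normal", "Leap status     : Not synchronised")

# "Field name : value" lines; the field name never contains a colon.
_LINE = re.compile(r"^(?P<field>[^:]+?)\s*:\s*(?P<value>.*)$")


def parse_tracking(text: str) -> dict:
    """Parse `chronyc tracking` output into {field name: value string}."""
    fields = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            fields[m.group("field")] = m.group("value")
    return fields


def _seconds(value: str) -> float:
    """Leading number of a value such as '0.000021345 seconds fast of NTP time'."""
    return abs(float(value.split()[0]))


def clock_within_target(text: str, limit: float = ONE_MILLISECOND) -> dict:
    """Return the parsed offsets and whether they satisfy the accuracy target.

    A 'Leap status' other than 'Normal' means the daemon is not synchronised,
    so the check fails regardless of the offset values.
    """
    f = parse_tracking(text)
    system_offset = _seconds(f["System time"])
    rms_offset = _seconds(f["RMS offset"])
    synchronised = f.get("Leap status", "") == "Normal"
    return {
        "system_offset_s": system_offset,
        "rms_offset_s": rms_offset,
        "synchronised": synchronised,
        "within_1ms": synchronised and system_offset <= limit and rms_offset <= limit,
    }


if __name__ == "__main__":
    for label, sample in (("healthy", SAMPLE_TRACKING), ("drifted", SAMPLE_DRIFTED)):
        print(label, clock_within_target(sample))
```

On a live instance, pass the real command output instead of the sample, for example `subprocess.run(["chronyc", "tracking"], capture_output=True, text=True).stdout`. The check deliberately looks at both the instantaneous and the RMS offset: a single good reading right after a correction says little about whether the clock has been holding within the target.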

gv
e9
m
kc
I6
EK
zz
n-
ke
-to
mr
te

AWS Confidential
146
Control Objective 8: Incident Handling

Controls provide reasonable assurance that system incidents are recorded, analyzed and resolved.

AWSCA-8.1: Monitoring and alarming are configured by Service Owners to identify and notify operational and management personnel of incidents when early warning thresholds are crossed on key operational metrics.

  Test performed by EY: Inquired of Software Development Managers to ascertain the production environment was monitored and that alarming was configured by Service Owners to notify operational and management personnel when early warning thresholds were crossed on key operational metrics.
  Result: No deviations noted.

  Test performed by EY: For a sample of key operational metrics selected from a listing of critical alarms, inspected their configurations to ascertain related monitoring and alarming were in place to notify appropriate personnel when a threshold was reached or exceeded.
  Result: No deviations noted.

AWSCA-8.2: Incidents are logged within a ticketing system, assigned a severity rating and tracked to resolution.

  Test performed by EY: Inquired of Software Development Managers to ascertain incidents were logged in a ticketing system, assigned a severity level, and tracked through resolution.
  Result: No deviations noted.

  Test performed by EY: Inspected the network monitoring tool configurations that automatically create tickets for Network Monitoring incidents to ascertain incidents were logged within a ticketing system, assigned severity rating and tracked to resolution.
  Result: No deviations noted.

  Test performed by EY: For a sample of incidents selected from a system generated listing of the key operational metrics and security alerts, inspected associated entries in the ticketing system to ascertain incidents were assigned a severity level and tracked through to resolution.
  Result: No deviations noted.
Control Objective 9: Security

Controls provide reasonable assurance that Management’s oversight of the control environment, which includes security and data protection of the system is established and maintained.

AWSCA-1.7: The Board and its Committees have the required number of independent Board members and each Board and Committee member is qualified to serve in such capacity. Annually, Board members complete questionnaires to establish whether they are independent and qualified to serve on each Board Committee under applicable rules.

  Test performed by EY: Inquired of the Vice President of General Counsel to ascertain the board and its committees had the required number of independent Board members and each Board and Committee member was qualified to serve in such capacity.
  Result: No deviations noted.

  Test performed by EY: Inspected Amazon’s Company Bylaws and the Company’s Corporate Governance guidelines to ascertain they defined the number and roles of officers on the Board of Directors and their responsibilities.
  Result: No deviations noted.

  Test performed by EY: Inspected the annual Board member questionnaire to ascertain the questionnaires were completed by all Board members and included questions to establish whether members were independent and qualified to serve on each part of the Board Committee under the applicable bylaws and guidelines.
  Result: No deviations noted.

AWSCA-1.8: The Board of Directors conducts an annual assessment of individual Board members and overall Board performance. The Nominating and Corporate Governance Committee periodically reviews and assesses the composition of the board. The Leadership Development and Compensation Committee, with the full Board present, annually evaluates the succession plan for each member of the senior management team. As part of the annual Company and CEO Performance review, the Board reviews the succession plan for the CEO.

  Test performed by EY: Inquired of the Vice President of General Counsel to ascertain the Board of Directors conducted an annual assessment of individual Board members and overall Board performance, the nominating and Corporate Governance Committee periodically reviewed and assessed the composition of the Board, and the Leadership Development and Compensation Committee evaluated the succession plan for each member of the senior management team, including the CEO.
  Result: No deviations noted.

  Test performed by EY: Inspected the Nominating and Corporate Governance meeting minutes to ascertain the annual assessment and review of the composition of the Board of Directors was discussed and completed.
  Result: No deviations noted.

  Test performed by EY: Inspected the Board of Directors meeting minutes to ascertain that the Board reviewed the succession plan for the CEO and senior management team as part of the annual Company and CEO performance review.
  Result: No deviations noted.

AWSCA-9.1: AWS maintains internal informational websites describing the AWS environment, its boundaries, user responsibilities and services.

  Test performed by EY: Inquired of the AWS Security Assurance Technical Program Manager to ascertain AWS maintained internal informational websites describing the AWS environment, its boundaries, user responsibilities, and the services.
  Result: No deviations noted.

  Test performed by EY: Inspected AWS internal informational websites for each in-scope AWS service to ascertain they described the AWS environment, its boundaries, user responsibilities, and the services.
  Result: No deviations noted.

AWSCA-9.2: AWS conducts pre-employment screening of candidates commensurate with the employee’s position and level, in accordance with local law and the AWS Personnel Security Policy.

  Test performed by EY: Inquired of the HR Compliance Manager to ascertain AWS conducted pre-employment screening of full-time candidates prior to the employees’ start dates in accordance with local laws.
  Result: No deviations noted.

  Test performed by EY: For a sample of AWS full-time new hires selected from a listing of active employees, inspected pre-employment screening records to ascertain pre-employment screening was performed prior to each employee’s start date.
  Result: No deviations noted.
AWSCA-9.3: AWS performs annual formal evaluation of resourcing and staffing including assessment of employee qualification alignment with entity objectives. Employees receive feedback on their strengths and growth ideas annually.

  Test performed by EY: Inquired of the Director of Talent Management to ascertain a process was in place to perform a formal evaluation of resourcing and staffing annually, including an assessment of employee qualification alignment with entity objectives and that employees received feedback on their strengths and growth ideas.
  Result: No deviations noted.

  Test performed by EY: For a sample of AWS employees selected from an HR system-generated listing, inspected performance evaluation records to ascertain each employee was formally evaluated against entity objectives during the most recent annual formal evaluation of resourcing and staffing.
  Result: No deviations noted.

AWSCA-9.5: AWS provides publicly available mechanisms for customers to contact AWS to report security events and publishes information including a system description and security and compliance information addressing AWS commitments and responsibilities.

  Test performed by EY: Inquired of an AWS Security Assurance Technical Program Manager to ascertain AWS provided publicly available mechanisms for customers to contact AWS to report security events and published information including a system description and security and compliance information addressing AWS commitments and responsibilities.
  Result: No deviations noted.

  Test performed by EY: Inspected AWS informational websites to ascertain they provided publicly available mechanisms for customers to contact AWS to report security events.
  Result: No deviations noted.

  Test performed by EY: Inspected the AWS whitepapers and public websites to ascertain they provided information including a system description and security and compliance information addressing AWS commitments and responsibilities.
  Result: No deviations noted.
  Test performed by EY (AWSCA-9.5, continued): Inspected a ticket resulting from a customer inquiry, to ascertain a process is in place to address, track and resolve customer inquiries in a timely manner.
  Result: No deviations noted.

AWSCA-9.6: The Company provides a hotline for employees to anonymously report on possible violations of conduct.

  Test performed by EY: Inquired of a Vice President of Litigation Legal to ascertain the company provided a hotline for employees to anonymously report on possible violations of conduct.
  Result: No deviations noted.

  Test performed by EY: Inspected the Owner’s Manual and Guide to Employment policy to ascertain employees were provided access to the ethics hotline in all geographies during orientation.
  Result: No deviations noted.

  Test performed by EY: Called the fraud hotline number to ascertain it was available for employees to anonymously report on possible violations of conduct.
  Result: No deviations noted.

AWSCA-9.7: Material violations of the Company's Code of Business Conduct and Ethics and similar policies are appropriately handled in terms of communication and possible disciplinary action or termination. Violations involving third parties or contractors are reported to their respective employers which will carry out any possible disciplinary action, removal of assignment with Amazon, or termination.

  Test performed by EY: Inquired of a Director of Human Resources to ascertain material violations of the Company’s Code of Business Conduct and Ethics and similar policies were appropriately handled in terms of communications and possible disciplinary action or termination, and violations involving third parties or contractors were reported to their respective employers which were responsible for any possible disciplinary action, removal of assignment with Amazon, or termination.
  Result: No deviations noted.
  Test performed by EY (AWSCA-9.7, continued): Inspected the Code of Business Conduct and Ethics policy to ascertain that employee expectations were published on the intranet for employees to review and consequences for certain violations were documented within the policy.
  Result: No deviations noted.

  Test performed by EY: Inspected the Human Resources team investigation process wiki and Enterprise Case Management system to ascertain they detailed standard operating procedures for the handling of a potential material violation of the Company’s Code of Business Conduct and Ethics for both employees and vendors, including the handling of communication and possible disciplinary action.
  Result: No deviations noted.

AWSCA-9.8: AWS has established a formal audit program that includes continual, independent internal and external assessments to validate the implementation and operating effectiveness of the AWS control environment.

  Test performed by EY: Inquired of a Business Risk Management Director to ascertain AWS had established a formal audit program that included continual, independent internal and external assessments to validate the implementation and operating effectiveness of the AWS control environment.
  Result: No deviations noted.

  Test performed by EY: Inspected the audit framework and list of interviewees to ascertain AWS functional areas, including AWS Security and AWS Service teams, were covered within the Internal Audit Risk assessment creation.
  Result: No deviations noted.

  Test performed by EY: Inspected the yearly audit plan created by Internal Audit and submitted to the Audit Committee to ascertain Internal Audit formalized and outlined their specific audit plan in response to the risk assessment conducted, and that the audit plan covered the AWS organization.
  Result: No deviations noted.
AWSCA-9.9: AWS has a process to assess whether AWS employees who have access to resources that store or process customer data via permission groups are subject to a post-hire background check as applicable with local law. AWS employees who have access to resources that store or process customer data will have a background check in accordance to the AWS Personnel Security Policy.

  Test performed by EY: Inquired of a Security Assurance Program Manager to ascertain employees with access to resources that store or process customer data via permission groups received a background check, as applicable with local law, no less than once per calendar year.
  Result: No deviations noted.

  Test performed by EY: For a sample of AWS employees selected from a system generated listing of accounts that have access to resources that store or process customer data, inspected their background check status to ascertain background checks were completed once per calendar year or access to resources that stored or processed customer data was removed as appropriate.
  Result: No deviations noted.
SECTION V – Other Information Provided By Amazon Web Services

Proprietary and Confidential Information - Trade Secret

©2024 Amazon.com, Inc. or its affiliates
154
Section V – Other Information Provided by Amazon Web Services

Gw
Business Continuity Management

A7
Amazon’s infrastructure provides customers the features to deploy a resilient IT architecture. AWS has
designed its systems to adapt system or hardware failures with minimal customer impact. The Data Center
Resiliency Program at AWS is under the direction of the Amazon Infrastructure Group.

7
AWS Availability Model:

g1
The AWS availability model offers redundancy and resiliency and is different to a traditional model
involving backup tapes, offsite data storage, and alternate processing facilities. The AWS network is built

Rw
to provide highly available computing and data storage and architected for redundancy to minimize the
impact of outages.

AWS resiliency encompasses the processes and procedures to identify, respond to, and recover from a

ab
major event or incident within our environment. The AWS program builds upon a traditional approach to
contingency management, which incorporates elements of business continuity and disaster recovery
plans, and expands this to consider critical elements of proactive risk mitigation strategies such as

gv
engineering physically separate Availability Zones (AZs) within an AWS Region and conducting continuous
infrastructure capacity planning.
e9
Each AWS Region is a geographic area made up of multiple physically separated locations known as AZs.
Each AZ contains at least one data center. Within the United States, each Region has at least 3 AZs, with
m
more in certain Regions based on the volume of customer traffic to the Region. The presence of multiple
AZs allows us to maintain redundant power, mechanical, networking, and connectivity across each Region.
kc

AWS strives for redundancy that allows for concurrent maintainability. In this model, we maintain enough
redundant capacity that we can perform maintenance on a critical system or component within a data
I6

center (such as a generator or Uninterrupted Power Supply) without impacting service availability.

AZs within a Region are connected with low latency, high throughput, and highly redundant networking.
EK

AZs are also sited at calculated geographic distances from one another. Placing the AZs in relative
proximity to one another drives low latency data replication, while physical separation drives continuous
service availability in the event of major geographic incidents (for example, floods or earthquakes).
zz

AWS Services are configured to run independently across AZs. If a single event impacts the connectivity
or accessibility of one AZ, service operation within other AZs remains unaffected. The architecture of AWS
n-

data centers across AZs redirects traffic away from the affected area, providing an additional layer of
protection against failures such as power outages.
ke

AWS services are designed to utilize available storage and compute capacity as new resources are added
to AWS. The AWS recovery model is aligned with normal daily operations to continually add new capacity
-to

to address demand.

AWS Local Zones are a type of AWS infrastructure deployment managed and supported by AWS that places AWS compute, storage, database and other select services closer to large population, industry, IT centers or customers where no AWS Region currently exists today. With AWS Local Zones, customers can easily run latency-sensitive portions of applications local to end-users and resources in a specific geography, delivering single-digit millisecond latency for use cases. Dedicated Local Zones are deployed on-premises, delivered in accordance with a customer specific contract, and dedicated to that customer, that meets AWS established physical security requirements.

Proprietary and Confidential Information - Trade Secret

©2024 Amazon.com, Inc. or its affiliates
155
Section V – Other Information Provided by Amazon Web Services

AWS offers Wavelength infrastructure in partnership with Telco providers, which is optimized for mobile edge computing applications. Wavelength Zones are AWS infrastructure deployments that embed AWS compute and storage services within communications service providers’ (CSP or telecom providers) data centers at the edge of the 5G network, so application traffic from 5G devices can reach application servers running in Wavelength Zones without leaving the telecommunications network. This avoids the latency that would result from application traffic having to traverse multiple hops across the Internet to reach their destination, enabling customers to take full advantage of the latency and bandwidth benefits offered by modern 5G networks.

SOC Controls Adjustment Overview

The section below provides an overview of the key changes to SOC controls that occurred during the Summer 2024 (07/01/2023 - 06/30/2024) reporting period from previous reports.

Section I: Modifications to existing controls

OLD – Fall 2023:
AWSCA-4.14: KMS-Specific - The production firmware version for the AWS Key Management Service HSM (Hardware Security Module) has been validated with NIST under the FIPS 140-2 standard or is in the process of being validated.

NEW – Winter 2023:
AWSCA-4.14: KMS-Specific - Each production firmware version for the AWS Key Management Service HSM (Hardware Security Module) has been certified with NIST under the FIPS 140-2 level 3 standard or is in the process of being certified under FIPS 140-3 level 3.

Rationale: In an effort of continuous improvement, AWS updates the report to reflect its most current process documentation. The previous control language has been updated to additionally address the submission of HSMs for validation under FIPS 140-3. No significant change to the control design and operation.

APPENDIX – Glossary of Terms

Appendix – Glossary of Terms

AMI: An Amazon Machine Image (AMI) is an encrypted machine image stored in Amazon S3. It contains
all the information necessary to boot instances of a customer’s software.
API: Application Programming Interface (API) is an interface in computer science that defines the ways by which an application program may request services from libraries and/or operating systems.

Authentication: Authentication is the process of determining whether someone or something is, in fact,
who or what it is declared to be.
Availability Zone: Amazon EC2 locations are composed of regions and Availability Zones. Availability Zones are distinct locations that are engineered to be insulated from failures in other Availability Zones and provide inexpensive, low latency network connectivity to other Availability Zones in the same region.
Bucket: A container for objects stored in Amazon S3. Every object is contained within a bucket. More information can be found in https://docs.aws.amazon.com/AmazonS3/latest/dev/Introduction.html#BasicsBucket
Customer Content: Defined as “Your Content” in https://aws.amazon.com/agreement/

HMAC: In cryptography, a keyed-Hash Message Authentication Code (HMAC or KHMAC), is a type of message authentication code (MAC) calculated using a specific algorithm involving a cryptographic hash function in combination with a secret key. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message. Any iterative cryptographic hash function, such as MD5 or SHA-1, may be used in the calculation of an HMAC; the resulting MAC algorithm is termed HMAC-MD5 or HMAC-SHA1, accordingly. The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function, on the size and quality of the key and the size of the hash output length in bits.

Hypervisor: A hypervisor, also called Virtual Machine Monitor (VMM), is computer software/hardware virtualization software that allows multiple operating systems to run on a host computer concurrently.


IP Address: An Internet Protocol (IP) address is a numerical label that is assigned to devices participating in a computer network utilizing the Internet Protocol for communication between its nodes.
IP Spoofing: Creation of Internet Protocol (IP) packets with a forged source IP address, called spoofing,
with the purpose of concealing the identity of the sender or impersonating another computing system.

MD5 checksums: In cryptography, MD5 (Message-Digest algorithm 5) is a widely used cryptographic hash function with a 128-bit hash value. As an Internet standard (RFC 1321), MD5 has been employed in a wide variety of security applications and is also commonly used to check the integrity of files.
Object: The fundamental entities stored in Amazon S3. Objects consist of object data and metadata. The data portion is opaque to Amazon S3. The metadata is a set of name-value pairs that describe the object. These include some default metadata such as the date last modified and standard HTTP metadata such as Content-Type. The developer can also specify custom metadata at the time the Object is stored.


Port Scanning: A port scan is a series of messages sent by someone attempting to break into a computer
to learn which computer network services, each associated with a “well-known” port number, the
computer provides.

User entity: The entities that use the services of a service organization during some or all of the review
period.
Service: Software or computing ability provided across a network (e.g., Amazon EC2, Amazon S3).
Service Organization: An organization or segment of an organization that provides services to user entities that are likely to be relevant to those user entities’ internal control over financial reporting.
Signature Version 4: Signature Version 4 is the process to add authentication information to AWS requests. For security, most requests to AWS must be signed with an access key, which consists of an access key ID and secret access key.

Subservice Organization: A service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal control over financial reporting.
Virtual Instance: Once an AMI has been launched, the resulting running system is referred to as a virtual
instance. All instances based on the same AMI start out identical and any information on them is lost when
the instances are terminated or fail.


X.509: In cryptography, X.509 is an ITU-T standard for a Public Key Infrastructure (PKI) for Single Sign-On (SSO) and Privilege Management Infrastructure (PMI). X.509 specifies, among other things, standard formats for public key certificates, certificate revocation lists, attribute certificates and a certification path validation algorithm.
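The HMAC and Signature Version 4 glossary entries above describe the two building blocks of request signing; the Python below is an added example (not from this report or from AWS's own SDKs) that derives a SigV4 signing key with chained HMAC-SHA256, signs a simplified request, and verifies it server-side. The credentials, host name and request values are constructed placeholders; only the host and x-amz-date headers are signed.

```python
import hashlib
import hmac

# Constructed sample credentials for this example; not real AWS keys.
ACCESS_KEY_ID = "AKIAEXAMPLEACCESSKEY"
SECRET_ACCESS_KEY = "exampleSecretAccessKeyDoNotUse"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    # HMAC: a MAC built from a hash function (SHA-256 here) and a secret key.
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 signing key: four chained HMACs rooted in 'AWS4' + secret access key.
    The result is scoped to one day, Region and service, so the long-term
    secret itself never has to be handled by the signing code path."""
    k_date = hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def sign_request(method: str, host: str, path: str, query: str, amz_date: str,
                 region: str, service: str, payload: bytes = b"",
                 secret: str = SECRET_ACCESS_KEY) -> str:
    """Hex SigV4 signature over a canonical form of the request.
    amz_date is an ISO 8601 basic timestamp such as 20240630T235959Z."""
    date_stamp = amz_date[:8]
    canonical_request = "\n".join([
        method, path, query,
        f"host:{host}\nx-amz-date:{amz_date}\n",  # canonical headers block
        "host;x-amz-date",                         # names of signed headers
        sha256_hex(payload),                       # hash of the request body
    ])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                sha256_hex(canonical_request.encode("utf-8"))])
    signing_key = derive_signing_key(secret, date_stamp, region, service)
    return hmac_sha256(signing_key, string_to_sign).hex()


def verify_request(presented_signature: str, *args, **kwargs) -> bool:
    """Server side: recompute from the stored secret, compare in constant time.
    Any change to method, path, query, date or body invalidates the signature."""
    expected = sign_request(*args, **kwargs)
    return hmac.compare_digest(expected, presented_signature)
```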