AWS Risk and Compliance – Whitepaper – Certification

AWS Risk and Compliance Whitepaper Overview

⚠️ Note: The original AWS Risk and Compliance Whitepaper (last updated March 2021) is now marked as “for historical reference only” by AWS. However, the core concepts of Shared Responsibility, Risk Governance, and Compliance Programs remain fully applicable. This post has been updated to reflect current AWS compliance practices, tools, and programs as of 2025.

  • The AWS Risk and Compliance Whitepaper is intended to help AWS customers integrate AWS into the existing control framework that supports their IT environment.
  • AWS communicates the parts of its security and control environment that are relevant to customers by:
    • Obtaining industry certifications and independent third-party attestations described in this document
    • Publishing information about the AWS security and control practices in whitepapers and web site content
    • Providing certificates, reports, and other documentation directly to AWS customers under NDA (as required)
    • Providing on-demand access to compliance reports through AWS Artifact — a self-service portal in the AWS Management Console

Shared Responsibility Model

  • AWS’ part in the shared responsibility includes
    • providing its services on a highly secure and controlled platform and providing a wide array of security features customers can use
    • relieving the customer’s operational burden, as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates
    • Security “of” the Cloud — AWS is responsible for protecting the infrastructure that runs all services offered in the AWS Cloud, including hardware, software, networking, and facilities
  • Customers’ responsibility includes
    • configuring their IT environments in a secure and controlled manner for their purposes
    • Security “in” the Cloud — responsibility for and management of the guest operating system (including updates and security patches), other associated application software, as well as the configuration of the AWS-provided security group firewall
    • meeting stringent compliance requirements by leveraging technology such as host-based firewalls, host-based intrusion detection/prevention, encryption and key management
    • relying on AWS to manage the controls associated with the physical infrastructure deployed in the AWS environment, which relieves customers of the burden of operating those controls
  • The Shared Responsibility Model also extends to IT controls — management, operation, and verification of IT controls is a shared responsibility
  • Responsibility varies depending on the services used:
    • Infrastructure Services (e.g., EC2) — Customer manages OS, firewall, network configuration, identity management
    • Container Services (e.g., RDS, ECS) — AWS manages OS and platform; customer manages network access, firewall rules, identity
    • Abstract Services (e.g., S3, DynamoDB, Lambda) — AWS manages platform, OS, server, networking; customer manages data, client-side encryption, access policies

Risk and Compliance Governance

  • AWS provides a wide range of information regarding its IT control environment to customers through white papers, reports, certifications, and other third-party attestations
  • AWS customers are required to continue to maintain adequate governance over the entire IT control environment regardless of how IT is deployed.
  • Leading practices include
    • an understanding of required compliance objectives and requirements (from relevant sources),
    • establishment of a control environment that meets those objectives and requirements,
    • an understanding of the validation required based on the organization’s risk tolerance,
    • and verification of the operating effectiveness of their control environment.
  • Strong customer compliance and governance might include the following basic approach:
    • Review information available from AWS together with other information to understand as much of the entire IT environment as possible, and then document all compliance requirements.
    • Design and implement control objectives to meet the enterprise compliance requirements.
    • Identify and document controls owned by outside parties.
    • Verify that all control objectives are met and all key controls are designed and operating effectively.
  • Approaching compliance governance in this manner helps companies gain a better understanding of their control environment and will help clearly delineate the verification activities to be performed.

AWS Compliance Programs, Certifications, and Third-Party Attestations

  • AWS engages with external certifying bodies and independent auditors to provide customers with considerable information regarding the policies, processes, and controls established and operated by AWS.
  • AWS provides third-party attestations, certifications, Service Organization Controls (SOC) reports and other relevant compliance reports directly to customers through AWS Artifact.
  • Key Compliance Programs include:
    • SOC 1, 2, and 3 Reports — Covers 188 services (as of Spring 2026), available in machine-readable OSCAL format
    • PCI DSS — Updated to PCI DSS v4.0; accessible through AWS Artifact
    • ISO Certifications — ISO 27001, 27017, 27018, 27701, 22301, 9001, and CSA STAR CCM v4
    • FedRAMP — Federal Risk and Authorization Management Program (Moderate and High baselines)
    • HIPAA — Healthcare compliance through Business Associate Addendum (BAA)
    • C5 — Cloud Computing Compliance Criteria Catalogue (183 services in scope)
    • NIST SP 800-53 — National Institute of Standards and Technology framework
    • NIST CSF 2.0 — Updated whitepaper aligning AWS services to the six Core Functions (Govern, Identify, Protect, Detect, Respond, Recover)
    • NIST SP 800-171 Rev. 2 — Protecting Controlled Unclassified Information (CUI)

AWS Compliance Tools and Services

  • AWS Artifact
    • Self-service portal providing on-demand access to AWS compliance reports
    • Download SOC reports, PCI DSS certifications, ISO certificates, and other attestations
    • Access previous versions of compliance reports without contacting AWS Support
    • Accept and manage agreements (e.g., BAA for HIPAA) on behalf of your account or organization
  • AWS Audit Manager
    • Continuously audit AWS usage to simplify risk and compliance assessment
    • Automates evidence collection mapped to specific compliance controls
    • Prebuilt frameworks for SOC 2, PCI DSS, GDPR, HIPAA, NIST, CIS, and more
    • Common control library with predefined and pre-mapped AWS data sources
    • Custom frameworks and controls creation capability
  • AWS Security Hub
    • Cloud Security Posture Management (CSPM) with automated security checks
    • Supported standards: AWS Foundational Security Best Practices, CIS AWS Foundations Benchmark, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS
    • Security scores for each enabled standard
    • Central configuration for multi-account deployments
  • AWS Control Tower
    • Governance and compliance controls for multi-account AWS environments
    • Supports frameworks: CIS v8.0, FedRAMP r4, ISO 27001:2013, NIST CSF v1.1, NIST SP 800-171 r2, PCI DSS v4.0, SOC 2
    • Guardrails (preventive, detective, proactive) for compliance enforcement
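
Security Hub reports a score per enabled standard rather than a raw count of findings, so it helps to see how findings roll up into that number. The following is an added example (not AWS code and not the exact Security Hub algorithm): it takes findings in the AWS Security Finding Format (ASFF), treats a control as failed for a standard if any active, unsuppressed finding for that control is FAILED, ignores controls with no PASSED/FAILED data, and computes passed/(passed+failed). The findings below are constructed samples; the two `StandardsId` values are the real identifiers for the Foundational Security Best Practices and CIS 1.4.0 standards.

```python
"""Roll ASFF findings up into a per-standard security score (simplified model of Security Hub's score)."""
import json
from collections import defaultdict

FSBP = "standards/aws-foundational-security-best-practices/v/1.0.0"
CIS = "standards/cis-aws-foundations-benchmark/v/1.4.0"

# Constructed sample findings (abridged to the ASFF fields used here); not real account data.
SAMPLE_FINDINGS = [
    {"Id": "f1", "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
     "Compliance": {"Status": "PASSED", "SecurityControlId": "S3.1",
                    "AssociatedStandards": [{"StandardsId": FSBP}, {"StandardsId": CIS}]}},
    {"Id": "f2", "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
     "Compliance": {"Status": "FAILED", "SecurityControlId": "EC2.19",
                    "AssociatedStandards": [{"StandardsId": FSBP}]}},
    # Same control, different resource: one FAILED resource still fails the control.
    {"Id": "f3", "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
     "Compliance": {"Status": "PASSED", "SecurityControlId": "EC2.19",
                    "AssociatedStandards": [{"StandardsId": FSBP}]}},
    # Suppressed by an analyst: excluded from the score.
    {"Id": "f4", "RecordState": "ACTIVE", "Workflow": {"Status": "SUPPRESSED"},
     "Compliance": {"Status": "FAILED", "SecurityControlId": "IAM.6",
                    "AssociatedStandards": [{"StandardsId": FSBP}, {"StandardsId": CIS}]}},
    # Archived (resource gone): excluded from the score.
    {"Id": "f5", "RecordState": "ARCHIVED", "Workflow": {"Status": "RESOLVED"},
     "Compliance": {"Status": "FAILED", "SecurityControlId": "KMS.4",
                    "AssociatedStandards": [{"StandardsId": FSBP}]}},
    {"Id": "f6", "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
     "Compliance": {"Status": "PASSED", "SecurityControlId": "IAM.4",
                    "AssociatedStandards": [{"StandardsId": CIS}]}},
    # No evaluation data yet: carries no weight either way.
    {"Id": "f7", "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
     "Compliance": {"Status": "NOT_AVAILABLE", "SecurityControlId": "Lambda.1",
                    "AssociatedStandards": [{"StandardsId": FSBP}]}},
]


def _is_active(finding):
    """Only active, unsuppressed findings count towards the score."""
    return (finding.get("RecordState") == "ACTIVE"
            and finding.get("Workflow", {}).get("Status") != "SUPPRESSED")


def control_status_by_standard(findings):
    """Return {standard_id: {control_id: 'PASSED' | 'FAILED'}}."""
    statuses = defaultdict(dict)
    for finding in findings:
        if not _is_active(finding):
            continue
        comp = finding.get("Compliance", {})
        status = comp.get("Status")
        if status not in ("PASSED", "FAILED"):
            continue  # NOT_AVAILABLE / WARNING do not move the score in this model
        control = comp.get("SecurityControlId")
        for std in comp.get("AssociatedStandards", []):
            sid = std["StandardsId"]
            # A control that has already failed on one resource stays failed.
            if statuses[sid].get(control) != "FAILED":
                statuses[sid][control] = status
    return statuses


def security_scores(findings):
    """Return {standard_id: (score_percent, sorted list of failed control ids)}."""
    scores = {}
    for sid, controls in control_status_by_standard(findings).items():
        failed = sorted(c for c, s in controls.items() if s == "FAILED")
        total = len(controls)
        passed = total - len(failed)
        score = round(100.0 * passed / total, 1) if total else None
        scores[sid] = (score, failed)
    return scores


def load_findings(path):
    """Load the JSON written by `aws securityhub get-findings > findings.json`."""
    with open(path) as fh:
        return json.load(fh)["Findings"]


if __name__ == "__main__":
    for sid, (score, failed) in security_scores(SAMPLE_FINDINGS).items():
        print(f"{sid}: {score}% (failed controls: {', '.join(failed) or 'none'})")
```

On the constructed sample this yields 50% for the FSBP standard (S3.1 passed, EC2.19 failed) and 100% for CIS, which shows why suppressing or archiving findings changes the score and why a single failing resource is enough to fail a control. The real Security Hub score also excludes controls that are disabled for the standard; that is not modelled here.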

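Control Tower's preventive guardrails are implemented mainly as service control policies (SCPs), and the most common one in regulated environments is a Region deny that enforces the data-location decision described under Key Risk and Compliance Questions below. As an added example, not AWS's own guardrail and not the IAM policy engine, the block below holds such an SCP and a deliberately small evaluator that understands only the elements the policy uses (Deny, Action/NotAction with wildcards, StringNotEquals on aws:RequestedRegion, ArnNotLike on aws:PrincipalARN). The account id 111122223333 is the AWS documentation placeholder; the role names Developer and OrgBreakGlass and the approved Region list are assumptions. For real policies, use the IAM Policy Simulator rather than this evaluator.

```python
"""A Region-restricting SCP (preventive guardrail) with a minimal evaluator for the elements it uses."""
import fnmatch

# Modelled on the documented "deny access to AWS based on the requested Region" SCP pattern.
# Global services are exempted via NotAction because their API calls carry a Region the
# policy would otherwise deny. A production SCP lists more global services than shown here.
REGION_GUARDRAIL = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideApprovedRegions",
        "Effect": "Deny",
        "NotAction": ["iam:*", "sts:*", "cloudfront:*", "route53:*",
                      "organizations:*", "support:*"],
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]},
            # Assumed break-glass role that may operate anywhere (e.g. incident response).
            "ArnNotLike": {"aws:PrincipalARN": ["arn:aws:iam::*:role/OrgBreakGlass"]},
        },
    }],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches_action(patterns, action):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """Every operator/key pair must hold for the statement to apply."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            values = _as_list(expected)
            actual = ctx.get(key)
            if operator == "StringEquals":
                ok = actual in values
            elif operator == "StringNotEquals":
                ok = actual not in values
            elif operator == "ArnLike":
                ok = actual is not None and any(fnmatch.fnmatchcase(actual, v) for v in values)
            elif operator == "ArnNotLike":
                # Negated operators hold when the key is absent, as in IAM.
                ok = actual is None or not any(fnmatch.fnmatchcase(actual, v) for v in values)
            else:
                raise ValueError(f"operator not supported by this evaluator: {operator}")
            if not ok:
                return False
    return True


def is_denied(policy, action, region, principal_arn):
    """True if any Deny statement in the SCP applies to this request context."""
    ctx = {"aws:RequestedRegion": region, "aws:PrincipalARN": principal_arn}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            applies = _matches_action(stmt["Action"], action)
        else:
            applies = not _matches_action(stmt["NotAction"], action)
        if applies and _condition_holds(stmt.get("Condition", {}), ctx):
            return True
    return False


if __name__ == "__main__":
    dev = "arn:aws:iam::111122223333:role/Developer"
    for action, region in [("ec2:RunInstances", "us-east-1"), ("ec2:RunInstances", "eu-west-1"),
                           ("iam:CreateRole", "us-east-1")]:
        print(action, region, "DENIED" if is_denied(REGION_GUARDRAIL, action, region, dev) else "allowed")
```

An SCP never grants access; the Deny above only narrows what the account's own IAM policies allow, so the Developer role still needs an Allow for ec2:RunInstances in eu-west-1. The evaluator treats condition keys as case-sensitive and ignores Resource matching, both of which IAM handles more generously; it exists to make the guardrail's logic visible, not to replace the service.
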
Key Risk and Compliance Questions

  • Shared Responsibility
    • AWS controls the physical components of the technology stack.
    • Customer owns and controls everything else, including control over connection points and transmissions
  • Auditing IT
    • Auditing for most layers and controls above the physical controls remains the responsibility of the customer
    • AWS ISO 27001 and other certifications are available for auditors’ review
    • AWS-defined logical and physical controls are documented in the SOC 1 Type II report and available for review by audit and compliance teams
    • AWS Audit Manager automates evidence collection and maps it to compliance controls for streamlined audit preparation
  • Data location
    • AWS customers control the physical Region in which their data and their servers are located
    • AWS replicates data only within the selected Region
    • AWS will not move customers’ content from the selected Regions without notifying the customer, unless required to comply with the law or requests of governmental entities
    • Data Sovereignty Options: AWS Dedicated Local Zones, AWS Outposts, and Local Zones provide additional data residency controls for regulated workloads
  • Data center tours
    • As AWS hosts multiple customers, AWS does not allow data center tours by customers, because this would expose a wide range of customers to physical access by a third party.
    • An independent and competent auditor validates the presence and operation of controls as part of our SOC 1 Type II report.
    • This third-party validation provides customers with the independent perspective of the effectiveness of controls in place.
    • AWS customers can access SOC reports and other attestations directly through AWS Artifact without signing a separate NDA.
  • Third-party access
    • AWS strictly controls access to data centers, even for internal employees.
    • Third parties are not provided access to AWS data centers except when explicitly approved by the appropriate AWS data center manager per the AWS access policy
  • Multi-tenancy
    • The AWS environment is a virtualized, multi-tenant environment.
    • AWS has implemented security management processes, PCI controls, and other security controls designed to isolate each customer from other customers.
    • AWS systems are designed to prevent customers from accessing physical hosts or instances not assigned to them by filtering through the virtualization software.
  • Hypervisor
    • Amazon EC2 historically used a highly customized version of the Xen hypervisor.
    • Update (2025): Modern EC2 instance types (C5, M5, and newer) use the AWS Nitro System, which replaces the traditional Xen hypervisor with purpose-built hardware and a lightweight hypervisor. Legacy instance types (T2, M3, C3) still use Xen.
    • The Nitro System provides stronger security isolation through dedicated hardware for networking, storage, and security functions, reducing the attack surface
    • The Nitro hypervisor is a minimal, firmware-level component that provides memory and CPU isolation but has no network access, no persistent storage, and no interactive login
  • Vulnerability management
    • AWS is responsible for patching systems supporting the delivery of service to customers, such as the hypervisor and networking services
  • Encryption
    • AWS allows customers to use their own encryption mechanisms for nearly all the services, including S3, EBS, and EC2.
    • IPSec tunnels to VPC are also encrypted
    • AWS Key Management Service (KMS) provides centralized key management with FIPS 140-3 Security Level 3 validated hardware security modules (HSMs)
    • AWS KMS supports post-quantum cryptography (ML-KEM for key agreement, ML-DSA for digital signatures) for future-proof encryption
    • AWS CloudHSM provides dedicated FIPS 140-3 validated hardware security modules for customers needing full control over keys
    • Most AWS services now offer encryption at rest by default using AWS-owned or customer-managed KMS keys
  • Data isolation
    • All data stored by AWS on behalf of customers has strong tenant isolation security and control capabilities
  • Composite services
    • AWS does not leverage any third-party cloud providers to deliver AWS services to customers.
  • Distributed Denial Of Service (DDoS) attacks
    • AWS network provides significant protection against traditional network security issues and the customer can implement further protection
    • AWS Shield Standard — Free, automatic protection against common Layer 3/4 DDoS attacks for all AWS customers
    • AWS Shield Advanced — Managed DDoS protection with 24/7 access to AWS Shield Response Team (SRT), DDoS cost protection, and automatic application layer (L7) DDoS mitigation
  • Data portability
    • AWS allows customers to move data as needed on and off AWS storage
  • Service provider and customer business continuity
    • AWS operates a business continuity program
    • AWS data centers incorporate physical protection against environmental risks.
    • AWS’ physical protection against environmental risks has been validated by an independent auditor and has been certified
    • AWS provides customers with the capability to implement a robust continuity plan with multi-Region/multi-AZ deployment architectures, backups, and data redundancy replication
  • Capability to scale
    • AWS cloud is distributed, highly secure and resilient, giving customers massive scale potential.
    • Customers may scale up or down, paying for only what they use
  • Service availability
    • AWS commits to high levels of availability in its service level agreements (SLAs), e.g. 99.99% availability for S3
  • Application Security
    • AWS system development lifecycle incorporates industry best practices which include formal design reviews by the AWS Security Team, source code analysis, threat modeling and completion of a risk assessment
    • AWS does not generally outsource development of software.
  • Threat and Vulnerability Management
    • AWS Security regularly engages independent security firms to perform external vulnerability threat assessments
    • AWS Security regularly scans all Internet-facing service endpoint IP addresses for vulnerabilities; these scans do not include customer instances
    • AWS Security notifies the appropriate parties to remediate any identified vulnerabilities.
    • Updated Penetration Testing Policy: AWS no longer requires advance approval for penetration testing against customer-owned resources for the following services: EC2, NAT Gateways, Elastic Load Balancers, RDS, CloudFront, Aurora, API Gateway, Lambda, Lambda@Edge, Lightsail, and Elastic Beanstalk
    • Prohibited Activities still include: DNS zone walking, DoS/DDoS attacks, port flooding, protocol flooding, and request flooding (unless using approved AWS services like Shield Advanced testing)
  • Data Security
    • Customers retain full ownership and control of their data
    • AWS provides multiple encryption options for data at rest and data in transit
    • AWS KMS provides centralized key management with audit trails via AWS CloudTrail
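
The audit trail that KMS writes to CloudTrail is only useful if someone reads it, and the points above (customer-controlled keys, Region-bound data, key lifecycle) map directly onto a few detections. The block below is an added example, not an AWS tool: it takes CloudTrail records for kms.amazonaws.com and flags key lifecycle changes, use of a key by a principal outside an assumed allow-list (including denied attempts), and any KMS call outside an assumed set of approved Regions, which is the data-location control expressed as a detective check. The events are constructed and abridged to the fields used; the account id 111122223333 is the AWS documentation placeholder, and the role names, key ids and Region list are assumptions.

```python
"""Detections over CloudTrail KMS events: lifecycle changes, unexpected callers, off-Region use."""
import json

APPROVED_REGIONS = {"eu-west-1", "eu-central-1"}  # assumed data-residency boundary
# Assumed key inventory: key id -> principals expected to use it (role or user ARNs).
KEY_PRINCIPALS = {
    "key-aaaa": {"arn:aws:iam::111122223333:role/AppServer"},
    "mrk-bbbb": {"arn:aws:iam::111122223333:role/AppServer"},  # multi-Region replica
}
LIFECYCLE_EVENTS = {"ScheduleKeyDeletion", "DisableKey", "DisableKeyRotation",
                    "PutKeyPolicy", "DeleteAlias"}
USAGE_EVENTS = {"Decrypt", "Encrypt", "GenerateDataKey",
                "GenerateDataKeyWithoutPlaintext", "ReEncrypt"}
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1}

# Constructed CloudTrail records (abridged); not real account data.
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "awsRegion": "eu-west-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AppServer/i-0abc",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::111122223333:role/AppServer"}}},
     "resources": [{"ARN": "arn:aws:kms:eu-west-1:111122223333:key/key-aaaa"}]},
    {"eventID": "e2", "eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "awsRegion": "eu-west-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"keyId": "arn:aws:kms:eu-west-1:111122223333:key/key-aaaa",
                           "pendingWindowInDays": 7}},
    {"eventID": "e3", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "awsRegion": "eu-west-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Contractor/s1",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::111122223333:role/Contractor"}}},
     "resources": [{"ARN": "arn:aws:kms:eu-west-1:111122223333:key/key-aaaa"}]},
    {"eventID": "e4", "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AppServer/i-0def",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::111122223333:role/AppServer"}}},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/mrk-bbbb"}]},
    {"eventID": "e5", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "awsRegion": "eu-west-1", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Contractor/s2",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::111122223333:role/Contractor"}}},
     "resources": [{"ARN": "arn:aws:kms:eu-west-1:111122223333:key/key-aaaa"}]},
]


def _principal(event):
    """Resolve assumed-role sessions back to the role ARN; otherwise use the caller ARN."""
    ident = event.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn", "unknown")


def _key_id(event):
    """Key id from the resources block (usage events) or requestParameters (admin events)."""
    for res in event.get("resources", []):
        arn = res.get("ARN", "")
        if ":key/" in arn:
            return arn.rsplit("/", 1)[1]
    return str(event.get("requestParameters", {}).get("keyId", "")).rsplit("/", 1)[-1]


def audit_kms_events(events, approved_regions=APPROVED_REGIONS, key_principals=KEY_PRINCIPALS):
    """Return alerts (HIGH first) for the KMS events that violate the assumed expectations."""
    alerts = []

    def add(severity, event, reason):
        alerts.append({"severity": severity, "eventID": event["eventID"],
                       "eventName": event["eventName"], "principal": _principal(event),
                       "reason": reason})

    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        name, key, who = ev["eventName"], _key_id(ev), _principal(ev)
        if name in LIFECYCLE_EVENTS:
            add("HIGH", ev, f"key lifecycle change on {key}")
        if name in USAGE_EVENTS and key in key_principals and who not in key_principals[key]:
            outcome = "denied attempt" if ev.get("errorCode") else "succeeded"
            add("MEDIUM", ev, f"unexpected principal used {key} ({outcome})")
        if ev.get("awsRegion") not in approved_regions:
            add("MEDIUM", ev, f"KMS call in unapproved Region {ev.get('awsRegion')}")
    alerts.sort(key=lambda a: SEVERITY_RANK[a["severity"]])
    return alerts


if __name__ == "__main__":
    print(json.dumps(audit_kms_events(SAMPLE_EVENTS), indent=2))
```

Run against the sample, the routine produces four alerts: the ScheduleKeyDeletion by alice (HIGH), two Contractor uses of key-aaaa (one of which KMS already denied, still worth seeing), and the AppServer call in us-east-1 that breaks the assumed residency boundary. Keys missing from the inventory produce no caller alert by design; a real deployment would feed the inventory from `aws kms list-keys` and the events from a CloudTrail Lake query or the trail's S3 bucket.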

AWS Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. When preparing for a compliance assessment of your system built inside of AWS, what are three best practices for you to prepare for an audit? Choose 3 answers
    1. Gather evidence of your IT operational controls (Customer still needs to gather all the IT operation controls inline with their environment)
    2. Request and obtain applicable third-party audited AWS compliance reports and certifications (Customers can request the reports and certifications produced by our third-party auditors or can request more information about AWS Compliance via AWS Artifact)
    3. Request and obtain a compliance and security tour of an AWS data center for a pre-assessment security review (AWS does not allow data center tour)
    4. Request and obtain approval from AWS to perform relevant network scans and in-depth penetration tests of your system’s Instances and endpoints (Note: AWS no longer requires prior approval for pen testing on permitted services (EC2, RDS, CloudFront, etc.), but the answer remains valid in exam context as it was the original requirement)
    5. Schedule meetings with AWS’s third-party auditors to provide evidence of AWS compliance that maps to your control objectives (Customers can request the reports and certifications produced by our third-party auditors or can request more information about AWS Compliance)
  2. In the shared security model, AWS is responsible for which of the following security best practices (check all that apply) :
    1. Penetration testing
    2. Operating system account security management
    3. Threat modeling
    4. User group access management
    5. Static code analysis
  3. You are running a web application on AWS consisting of the following components: an Elastic Load Balancer (ELB), an Auto Scaling group of EC2 instances running Linux/PHP/Apache, and Relational Database Service (RDS) MySQL. Which security measures fall into AWS’s responsibility?
    1. Protect the EC2 instances against unsolicited access by enforcing the principle of least-privilege access (Customer owned)
    2. Protect against IP spoofing or packet sniffing
    3. Assure all communication between EC2 instances and ELB is encrypted (Customer owned)
    4. Install latest security patches on ELB, RDS and EC2 instances (Customer owned for EC2 instances; AWS owned for ELB and RDS infrastructure)
  4. Which of the following statements is true about achieving PCI certification on the AWS platform? (Choose 2)
    1. Your organization owns the compliance initiatives related to anything placed on the AWS infrastructure
    2. Amazon EC2 instances must run on a single-tenancy environment (dedicated instance)
    3. AWS manages card-holder environments
    4. AWS Compliance provides assurance related to the underlying infrastructure
  5. A company needs to continuously audit its AWS usage to ensure compliance with internal policies and regulatory standards. Which AWS service should they use?
    1. AWS Config
    2. AWS Audit Manager (AWS Audit Manager continuously audits AWS usage and automates evidence collection for compliance assessments)
    3. AWS CloudTrail
    4. Amazon Inspector
  6. Which AWS service provides a centralized view of security alerts and compliance status across multiple AWS accounts?
    1. Amazon GuardDuty
    2. AWS Config
    3. AWS Security Hub (Security Hub provides centralized security posture management with automated compliance checks against standards like CIS, NIST, and PCI DSS)
    4. AWS CloudTrail
  7. A company needs to download AWS SOC 2 and PCI DSS compliance reports for their auditors. Which AWS service provides on-demand access to these reports?
    1. AWS Config
    2. AWS Security Hub
    3. AWS Trusted Advisor
    4. AWS Artifact (AWS Artifact is the self-service portal for on-demand access to AWS compliance reports, certifications, and agreements)
  8. Under the AWS Shared Responsibility Model, which of the following is the customer’s responsibility for Amazon RDS? (Choose 2)
    1. Patching the database engine
    2. Managing database users and permissions
    3. Replacing failed hardware
    4. Configuring security groups to control network access
    5. OS-level patching of the underlying instance