Cloud Vendor Compliance

Amazon Web Services maintains a wide selection of compliance and security options that address both domestic and global regulations. AWS demonstrates compliance in several different ways, though the cloud provider may not hold a certification for every regulation or standard.

Some compliance certifications are confirmed through instruments such as letters of compliance. These are the results of independent inspections confirming AWS has successfully met the requirement objectives of certain regulations. For example, AWS reports a letter of compliance for the Australian Government’s Information Security Manual, a letter of certification for Australian Signals Directorate controls and an independent audit of Service Organization Controls 3 adherence. The Multi-Tier Cloud Security Standard Level-3 Certification meets Singapore Standard 584:2013. AWS, in particular, is certified to several international standards including ISO 9001 for quality management, ISO 27001 targeting information security and ISO 27018 for cloud privacy.

In addition to these certifications, AWS also provides different “assurance programs,” which are intended to validate the business against established domestic and global compliance standards but do not themselves convey a certification. For example, AWS manages a PCI DSS assurance program, but this only validates that the services are PCI-compliant; it’s up to the actual merchant to obtain PCI certification. However, AWS does provide services that are consistent with the merchant’s processing and data storage regulatory requirements. Similarly, AWS manages a Health Insurance Portability and Accountability Act (HIPAA) assurance program for healthcare organizations, but AWS is not HIPAA-certified.

There are other examples where AWS meets compliance requirements without holding a direct certification. AWS is a FedRAMP-compliant cloud service provider with authorization from the U.S. Department of Health and Human Services.

The public cloud provider also complies with Criminal Justice Information Services security policy requirements and with NIST 800-171 guidelines for the protection of controlled unclassified information on nonfederal systems. And it complies with the Family Educational Rights and Privacy Act of 1974 and may support use by educational agencies and institutions.

AWS also meets the requirements of the following organizations and associations, among others:

E.U. Directive 95/46/EC
Department of Defense (DoD) provisional authorizations at level 2 and level 4
G-Cloud in the U.K.
Service Organization Control (SOC) 1 and 2
International Traffic in Arms Regulations
Federal Information Processing Standard (FIPS)
DoD Information Assurance Certification and Accreditation Process (DIACAP)
Food and Drug Administration (FDA)
Motion Picture Association of America
Cloud Security Alliance (CSA)

It’s worth reviewing the complete list of current AWS certifications and assurance programs periodically to check for changes or additions. AWS also consults its customers about their compliance needs and attempts to act on those suggestions.

Where AWS, Azure and Google stand on compliance
AWS is not the only public cloud provider to address enterprise compliance concerns. While AWS lists 25 separate certification and assurance programs, Microsoft Azure lists 27 certifications and programs.

Azure meets many of the same compliance standards as AWS does, including ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2. Additionally, Azure undergoes third-party audits to verify strict security controls remain in place, and Microsoft offers those audit results to its cloud customers.

Microsoft also claims to be the first cloud provider to adopt the uniform international code of practice for cloud privacy, ISO/IEC 27018. Like AWS, Azure also holds compliance certifications with the EU, FIPS, DIACAP, FDA and CSA.

Google appears to take a more modest approach, listing independent audits for just six certification or compliance programs. But don’t focus on numbers. The number of supported compliance programs will inevitably change over time.

Ultimately, the total number of compliance programs that a cloud provider sponsors isn’t important. What really matters is that the provider meets the requirements of standards and compliance certifications that your business needs. Before evaluating or engaging a public cloud provider, determine the regulations that affect your business or industry, and then use those criteria to help narrow the provider search.