Columns: Category | Subcategory | Informative References | AWS Implementation/Enablers/Processes | AWS Services and Responsibility | Customer Responsibility

ID.AM-1: Physical devices and systems within the organization are inventoried
Category: Asset Management (ID.AM)
Informative References:
• CCS CSC 1
• COBIT 5 BAI09.01, BAI09.02
• ISA 62443-2-1:2009 4.2.3.4
• ISA 62443-3-3:2013 SR 7.8
• ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
• NIST SP 800-53 Rev. 4 CM-8
AWS Implementation/Enablers/Processes: AWS Certifications, AWS Resource Tagging, AWS Config, AWS Config Rules, AWS CloudFormation, AWS CloudTrail, AWS CloudWatch Logs, Customer Responsibility
AWS Services and Responsibility:
In alignment with ISO 27001 standards, AWS hardware assets are assigned an owner and are tracked and monitored by AWS personnel with AWS proprietary inventory management tools. The AWS procurement and supply chain team maintains relationships with all AWS suppliers. Refer to ISO 27001 Annex A, domain 8, for additional details. AWS has been validated and certified by an independent auditor to confirm alignment with the ISO 27001 certification standard.

With AWS Config, customers can discover existing and deleted AWS resources, determine their overall compliance against rules, and dive into the configuration details of a resource at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.

Customers can leverage the logging of API or console actions (e.g., log if someone changes a bucket policy, stops an instance, etc.), allowing advanced monitoring capabilities.

Amazon CloudWatch is a web service that provides monitoring for AWS cloud resources, starting with Amazon EC2. It provides customers with visibility into resource utilization, operational performance, and overall demand patterns.
Customer Responsibility:
CM-8: AWS customers are responsible for developing, documenting, reviewing, and updating, at an organization-defined frequency, an inventory of system components for their systems. AWS customers are responsible for verifying that the inventory: 1) Accurately reflects the current system, 2) Includes all components within the authorization boundary, 3) Is at the level of granularity deemed necessary for tracking and reporting, and 4) Includes the information prescribed by the configuration management policy that is deemed necessary to achieve effective information system component accountability.

ID.AM-2: Software platforms and applications within the organization are inventoried
Category: Asset Management (ID.AM)
Informative References:
• CCS CSC 2
• COBIT 5 BAI09.01, BAI09.02, BAI09.05
• ISA 62443-2-1:2009 4.2.3.4
• ISA 62443-3-3:2013 SR 7.8
• ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
• NIST SP 800-53 Rev. 4 CM-8
AWS Implementation/Enablers/Processes: AWS Certifications, AWS Resource Tagging, AWS Config, AWS Config Rules, AWS CloudFormation, AWS CloudTrail, AWS CloudWatch Logs, Customer Responsibility
AWS Services and Responsibility:
AWS has established an information security framework and policies and has effectively integrated the ISO 27001 certifiable framework based on ISO 27002 controls, the American Institute of Certified Public Accountants (AICPA) Trust Services Principles, the PCI DSS v3.1, and the National Institute of Standards and Technology (NIST) Publication 800-53 (Recommended Security Controls for Federal Information Systems).

Customers retain control of and responsibility for their data and associated media assets. It is the responsibility of the customer to manage mobile security devices and access to the customer's content.

With AWS Config, customers can discover existing and deleted AWS resources, determine their overall compliance against rules, and dive into the configuration details of a resource at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting. AWS's alignment with ISO 27018 has been validated by an independent third-party assessor. ISO 27018 is the first international code of practice that focuses on protection of personal data in the cloud. It is based on the ISO 27002 information security standard and provides implementation guidance on ISO 27002 controls applicable to Personally Identifiable Information (PII) processed by public cloud service providers. This demonstrates to customers that AWS has a system of controls in place that specifically addresses the privacy protection of their content.

Customers can leverage the logging of API or console actions (e.g., log if someone changes a bucket policy, stops an instance, etc.), allowing advanced monitoring capabilities.
Customer Responsibility:
CM-8: AWS customers are responsible for developing, documenting, reviewing, and updating, at an organization-defined frequency, an inventory of system components for their systems. AWS customers are responsible for verifying that the inventory: 1) Accurately reflects the current system, 2) Includes all components within the authorization boundary, 3) Is at the level of granularity deemed necessary for tracking and reporting, and 4) Includes the information prescribed by the configuration management policy that is deemed necessary to achieve effective information system component accountability.

ID.AM-3: Organizational communication and data flows are mapped
Category: Asset Management (ID.AM)
Informative References:
• CCS CSC 1
• COBIT 5 DSS05.02
• ISA 62443-2-1:2009 4.2.3.4
• ISO/IEC 27001:2013 A.13.2.1
• NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
AWS Services and Responsibility:
AWS customers designate the physical region in which their content will be located. AWS will not move customers' content from the selected regions without notifying the customer, unless required to comply with the law or requests of governmental entities.

Boundary protection devices that employ rule sets, access control lists (ACLs), and configurations enforce the flow of information between network fabrics. Several network fabrics exist at Amazon, each separated by devices that control the flow of information between fabrics. The flow of information between fabrics is established by approved authorizations, which exist as ACLs residing on these devices. These devices control the flow of information between fabrics as mandated by the ACLs. ACLs are defined, approved by appropriate personnel, and managed and deployed using the AWS ACL-manage tool. Amazon's Information Security team approves these ACLs. Approved firewall rule sets and ACLs between network fabrics restrict the flow of information to specific information system services. ACLs and rule sets are reviewed and approved, and are automatically pushed to boundary protection devices on a periodic basis (at least every 24 hours) to ensure that rule sets and ACLs are up to date. AWS network management is regularly reviewed by independent third-party auditors as part of AWS's ongoing compliance with SOC, PCI DSS, ISO 27001 and FedRAMP. AWS implements least privilege throughout.

Customers have the responsibility to produce organizational communication and data flow maps using AWS native logging, auditing and configuration management features. Additionally, AWS billing provides a comprehensive usage report.
Customer Responsibility:
AC-4: AWS customers are responsible for configuring their systems and all interconnected systems to enforce their approved information flow policies. This can be accomplished through configuration of Amazon Virtual Private Cloud (Amazon VPC) network access control lists (ACLs) for controlling inbound/outbound traffic at the subnet level and Amazon VPC security groups for controlling traffic at the instance level.

CA-3: AWS customers are responsible for documenting, authorizing, reviewing, and updating Interconnection Security Agreements (ISAs) for connections between their system and other systems that include the following information for each connection: 1) Interface characteristics, 2) Security requirements, and 3) The nature of the information communicated. AWS customers are responsible for reviewing and updating ISAs at a frequency defined by their security assessment and authorization policy.

CA-9: AWS customers are responsible for documenting and authorizing internal system connections for organization-defined system components or classes of components. For each internal connection, the interface characteristics, security requirements, and the nature of the information communicated should be documented in accordance with the security assessment and authorization policy.

PL-8: AWS customers are responsible for developing an information security architecture for the information system that: 1) Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information, 2) Describes how the information security architecture is integrated into and supports the enterprise architecture, and 3) Describes any information security assumptions about and dependencies on external services.
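The AC-4 guidance above names the two enforcement points, VPC network ACLs at the subnet boundary and security groups at the instance, but leaves the actual check to the customer. The following is an added example, not AWS code and not part of the original table: it evaluates constructed rule sets (shaped like the output of `aws ec2 describe-security-groups` and `describe-network-acls`) against an assumed approved-flow policy, and it also catches the stateless-NACL mistake of mirroring the inbound service port outbound instead of allowing the ephemeral reply range. The policy, CIDRs, group IDs and rule numbers are all assumptions made for the example.

```python
import ipaddress

# Approved information-flow policy for the example VPC (assumption).
POLICY = {
    "vpc_cidr": ipaddress.ip_network("10.0.0.0/16"),
    "internet_ports": {443},                    # only TCP/443 may be reached from 0.0.0.0/0
    "partner_ports": {"203.0.113.0/24": {22}},  # partner CIDR -> ports it may reach
}
EPHEMERAL = (1024, 65535)  # destination ports of reply packets to TCP clients


def port_span(low, high, proto):
    """Ports a rule covers; protocol -1 (all) or a missing range means every port."""
    return (0, 65535) if proto == "-1" or low is None else (low, high)


def approved_ports(net, policy):
    """Ports the policy approves from a source network; None means any (intra-VPC)."""
    if net.subnet_of(policy["vpc_cidr"]):
        return None
    if str(net) == "0.0.0.0/0":
        return policy["internet_ports"]
    return policy["partner_ports"].get(str(net), set())  # unknown sources get nothing


def check_security_group(sg, policy=POLICY):
    """Instance level (stateful): every CIDR-sourced ingress must be an approved flow.
    Group-to-group references (UserIdGroupPairs) are intra-VPC by construction."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        low, high = port_span(perm.get("FromPort"), perm.get("ToPort"), perm["IpProtocol"])
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"])
            allowed = approved_ports(net, policy)
            if allowed is not None and not all(p in allowed for p in range(low, high + 1)):
                findings.append(f"{sg['GroupId']}: ingress {low}-{high}/{perm['IpProtocol']} "
                                f"from {net} is not an approved flow")
    return findings


def first_match(entries, net, port):
    """NACL semantics: entries are tried in ascending RuleNumber; the first match decides."""
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if e["Protocol"] not in ("6", "-1") or not ipaddress.ip_network(e["CidrBlock"]).supernet_of(net):
            continue
        rng = e.get("PortRange", {})
        low, high = port_span(rng.get("From"), rng.get("To"), e["Protocol"])
        if low <= port <= high:
            return e
    return None  # nothing matched: AWS denies implicitly


def check_network_acl(acl, policy=POLICY):
    """Subnet level (stateless): besides the flow policy, each accepted inbound TCP flow
    needs an outbound allow for its replies, which go to the client's ephemeral port."""
    findings = []
    egress = [e for e in acl["Entries"] if e["Egress"]]
    for e in acl["Entries"]:
        if e["Egress"] or e["RuleAction"] != "allow" or e["Protocol"] not in ("6", "-1"):
            continue
        rng = e.get("PortRange", {})
        low, high = port_span(rng.get("From"), rng.get("To"), e["Protocol"])
        src = ipaddress.ip_network(e["CidrBlock"])
        tag = f"{acl['NetworkAclId']} rule {e['RuleNumber']}"
        allowed = approved_ports(src, policy)
        if allowed is not None and not all(p in allowed for p in range(low, high + 1)):
            findings.append(f"{tag}: ingress {low}-{high} from {src} is not an approved flow")
        for port in EPHEMERAL:
            hit = first_match(egress, src, port)
            if hit is None or hit["RuleAction"] != "allow":
                findings.append(f"{tag}: no egress allow for replies to {src} port {port}; "
                                "accepted connections will hang")
                break
    return findings


def entry(num, action, egress, cidr, low=None, high=None, proto="6"):
    """Build one NACL entry in describe-network-acls shape (sample-data helper)."""
    e = {"RuleNumber": num, "Protocol": proto, "RuleAction": action, "Egress": egress, "CidrBlock": cidr}
    if low is not None:
        e["PortRange"] = {"From": low, "To": high}
    return e


# Every NACL ends with the immutable "*" rule 32767 that denies in each direction.
DEFAULT_DENY = [entry(32767, "deny", eg, "0.0.0.0/0", proto="-1") for eg in (False, True)]

# Constructed sample rule sets (not captured from a real account).
WEB_SG = {"GroupId": "sg-web-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-db-example"}]},
]}
GOOD_ACL = {"NetworkAclId": "acl-public-ok", "Entries": [
    entry(100, "allow", False, "0.0.0.0/0", 443, 443),
    entry(110, "allow", False, "203.0.113.0/24", 22, 22),
    entry(100, "allow", True, "0.0.0.0/0", 1024, 65535)] + DEFAULT_DENY}
BAD_ACL = {"NetworkAclId": "acl-public-broken", "Entries": [
    entry(100, "allow", False, "0.0.0.0/0", 443, 443),
    entry(100, "allow", True, "0.0.0.0/0", 443, 443)] + DEFAULT_DENY}  # mirrors inbound: wrong


def evaluate(groups, acls, policy=POLICY):
    return [f for sg in groups for f in check_security_group(sg, policy)] + \
           [f for acl in acls for f in check_network_acl(acl, policy)]


if __name__ == "__main__":
    for finding in evaluate([WEB_SG], [GOOD_ACL, BAD_ACL]):
        print(finding)
```

Run as-is it reports the SSH rule open to the Internet in `sg-web-example` and the missing ephemeral egress in `acl-public-broken`; the port-443 ACL passes. In a real account the same functions take the JSON that the two describe calls return, and the policy dictionary is where the approved flows documented under CA-3/CA-9 would be encoded.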

ID.AM-4: External information systems are catalogued
Category: Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy.
Informative References:
• COBIT 5 APO02.02
• ISO/IEC 27001:2013 A.11.2.6
• NIST SP 800-53 Rev. 4 AC-20, SA-9
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
AWS Services and Responsibility: (none stated for this subcategory)
Customer Responsibility:
AC-20: AWS customers are responsible for establishing terms and conditions with other organizations owning, operating, and/or maintaining external information systems. Consistent with any trust relationships established with these external organizations and in accordance with their access control policy, AWS customers are responsible for authorizing individuals to: 1) Access their system from an external information system and 2) Process, store, or transmit organization-controlled information using external information systems. AWS customers are responsible for restricting or prohibiting the use of organization-controlled portable storage devices by authorized individuals on external information systems.

SA-9: AWS customers are responsible for: 1) Requiring that providers of external information system services comply with organizational information security requirements and employ organization-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, 2) Defining and documenting government oversight and user roles and responsibilities with regard to external information system services, and 3) Employing organization-defined processes, methods, and techniques to monitor security control compliance by external service providers on an ongoing basis.

ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value
Category: Asset Management (ID.AM)
Informative References:
• COBIT 5 APO03.03, APO03.04, BAI09.02
• ISA 62443-2-1:2009 4.2.3.6
• ISO/IEC 27001:2013 A.8.2.1
• NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14
AWS Implementation/Enablers/Processes: AWS Tagging, Customer Responsibility
AWS Services and Responsibility:
AWS customers retain control and ownership of their data and may implement a structured data-classification program to meet their requirements.

Customers can leverage the AWS Console, which provides a summarized listing of IT resources by detailing usage of each service by region.

Customers can leverage the Glacier vault inventory to show all resources stored in Glacier. The AWS Management Console provides a real-time inventory of assets and data by showing all IT resources running in AWS, by service.
Customer Responsibility:
CP-2: AWS customers are responsible for developing a contingency plan for their system that: 1) Identifies essential missions and business functions and associated contingency requirements, 2) Provides recovery objectives, restoration priorities, and metrics, 3) Addresses contingency roles, responsibilities, and assigned individuals with contact information, 4) Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure, 5) Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented, and 6) Is reviewed and approved by organization-defined personnel or roles in accordance with the contingency planning policy.

RA-2: AWS customers are responsible for: 1) Categorizing their information and their information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, 2) Documenting the security categorization results (including supporting rationale) in the security plan for the information system, and 3) Ensuring the security categorization decision is reviewed and approved by the authorizing official (AO) or the AO's designated representative.

SA-14: AWS customers are responsible for identifying critical information system components by performing analysis on their EC2 instances at a point defined within their SDLC policy/process.
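ID.AM-1, ID.AM-2 and ID.AM-5 all rest on the same records: an inventory that matches what actually runs inside the authorization boundary (CM-8 items 1 and 2), carries the tags the configuration management policy prescribes (items 3 and 4), and records the categorization that RA-2 and SA-14 prioritize on. The following is an added example, not AWS code: it reconciles a documented inventory against constructed discovery output (the resourceType/resourceId fields of an AWS Config resource record with the resource's tags attached), validates the tags against an assumed tagging standard, and orders compliant resources by criticality and classification. The tag keys, approved values, resource IDs and documented list are assumptions made for the example.

```python
# Tagging standard the inventory must satisfy (assumption): required keys and,
# where applicable, the approved values. None means any non-empty value is fine.
TAG_STANDARD = {
    "Owner": None,
    "DataClassification": {"Public", "Internal", "Confidential", "Restricted"},
    "Criticality": {"Low", "Medium", "High"},
}
# Ordering used for prioritization; higher ranks first.
RANK = {"Restricted": 3, "Confidential": 2, "Internal": 1, "Public": 0,
        "High": 3, "Medium": 2, "Low": 1}

# Constructed discovery output (not a real account): AWS Config resource-record
# fields plus the tag list the resource APIs return.
DISCOVERED = [
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-payments-api",
     "tags": [{"Key": "Owner", "Value": "payments-team"},
              {"Key": "DataClassification", "Value": "Restricted"},
              {"Key": "Criticality", "Value": "High"}]},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "marketing-assets",
     "tags": [{"Key": "Owner", "Value": "marketing"},
              {"Key": "DataClassification", "Value": "Public"},
              {"Key": "Criticality", "Value": "Low"}]},
    {"resourceType": "AWS::RDS::DBInstance", "resourceId": "crm-db",
     "tags": [{"Key": "Owner", "Value": "crm-team"},
              {"Key": "DataClassification", "Value": "PII"},   # not an approved value
              {"Key": "Criticality", "Value": "High"}]},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-unknown-test", "tags": []},
]
# The inventory the organization documented; one entry no longer exists.
DOCUMENTED_INVENTORY = ["i-payments-api", "marketing-assets", "crm-db", "i-retired-batch"]


def tags_of(resource):
    """Flatten the [{"Key": k, "Value": v}] list AWS APIs return into a dict."""
    return {t["Key"]: t["Value"] for t in resource.get("tags", [])}


def tag_findings(resource, standard=TAG_STANDARD):
    """CM-8 items 3-4: the prescribed tags must be present and hold approved values."""
    tags = tags_of(resource)
    out = []
    for key, allowed in standard.items():
        if key not in tags or not tags[key].strip():
            out.append(f"missing tag {key}")
        elif allowed is not None and tags[key] not in allowed:
            out.append(f"tag {key}={tags[key]!r} is not an approved value")
    return out


def reconcile(documented_ids, discovered):
    """CM-8 items 1-2: return (untracked, stale). Untracked resources exist in the
    account but not in the documented inventory; stale entries are documented but gone."""
    seen = {r["resourceId"] for r in discovered}
    return sorted(seen - set(documented_ids)), sorted(set(documented_ids) - seen)


def audit(documented_ids, discovered, standard=TAG_STANDARD):
    untracked, stale = reconcile(documented_ids, discovered)
    violations = {r["resourceId"]: tag_findings(r, standard)
                  for r in discovered if tag_findings(r, standard)}
    return {"untracked": untracked, "stale": stale, "tag_violations": violations}


def prioritize(discovered, standard=TAG_STANDARD):
    """ID.AM-5: rank compliant resources by criticality, then data classification.
    Non-compliant resources are excluded on purpose: an unclassified asset cannot
    be prioritized, it has to be fixed first."""
    compliant = [r for r in discovered if not tag_findings(r, standard)]
    return sorted(compliant, reverse=True,
                  key=lambda r: (RANK[tags_of(r)["Criticality"]],
                                 RANK[tags_of(r)["DataClassification"]]))


if __name__ == "__main__":
    report = audit(DOCUMENTED_INVENTORY, DISCOVERED)
    print("untracked:", report["untracked"], "stale:", report["stale"])
    for rid, problems in report["tag_violations"].items():
        print(rid, "->", "; ".join(problems))
    print("priority order:", [r["resourceId"] for r in prioritize(DISCOVERED)])
```

The two halves map onto the CM-8 wording: `reconcile` answers "does the inventory reflect the current system and everything in the boundary", and `tag_findings` answers "does each entry carry the information the policy prescribes". Feeding it real data means replacing `DISCOVERED` with the output of AWS Config's resource discovery (or the per-service describe calls) and `DOCUMENTED_INVENTORY` with the organization's own register.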

ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
Category: Asset Management (ID.AM)
Informative References:
• COBIT 5 APO01.02, DSS06.03
• ISA 62443-2-1:2009 4.3.2.3.3
• ISO/IEC 27001:2013 A.6.1.1
• NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11
AWS Implementation/Enablers/Processes: AWS Certifications, IAM Policies, Customer Responsibility
AWS Services and Responsibility:
In alignment with the ISO 27001 standard, all AWS employees complete periodic role-based training that includes AWS security training and requires an acknowledgement to complete. Compliance audits are periodically performed to validate that employees understand and follow the established policies. Refer to the SOC reports for additional details.

The AWS Cloud Security Whitepaper and the AWS Risk and Compliance Whitepaper provide details on the roles and responsibilities of AWS and those of its customers. The whitepapers are available at http://aws.amazon.com/security and http://aws.amazon.com/compliance.

AWS CloudTrail allows customers to log API or console actions (e.g., log if someone changes a bucket policy, stops an instance, etc.), allowing advanced monitoring capabilities.

AWS IAM multi-factor authentication (MFA) lets customers require a second factor at sign-in and, through the aws:MultiFactorAuthPresent policy condition, make access to resources conditional on an MFA-authenticated session.

AWS IAM Permissions: easily manage permissions by specifying who has access to AWS resources and what actions they can perform on those resources.

AWS IAM Policies: achieve detailed, least-privilege access management by creating multiple users within the AWS account, assigning them security credentials, and managing their permissions.

AWS IAM Roles: temporarily delegate access to users or services that normally do not have access to the AWS resources by defining the set of permissions a user or service needs.
Customer Responsibility:
CP-2: AWS customers are responsible for developing a contingency plan for their system that: 1) Identifies essential missions and business functions and associated contingency requirements, 2) Provides recovery objectives, restoration priorities, and metrics, 3) Addresses contingency roles, responsibilities, and assigned individuals with contact information, 4) Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure, 5) Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented, and 6) Is reviewed and approved by organization-defined personnel or roles in accordance with the contingency planning policy.

PS-7: AWS customers are responsible for: 1) Establishing personnel security requirements, including security roles and responsibilities for third-party providers, 2) Requiring third-party providers to comply with personnel security policies and procedures established by their organization, 3) Documenting personnel security requirements, 4) Requiring third-party providers to notify organization-defined personnel or roles, within an organization-defined time period, of any transfers or terminations of third-party personnel who possess organizational credentials and/or badges or who have information system privileges, and 5) Monitoring provider compliance.

PM-11: AWS customers are responsible for determining information protection needs with regard to the required security controls for the organization and the associated information systems supporting the business processes. In addition, AWS customers are responsible for revising the information protection needs process as needed.
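The CloudTrail sentence repeated in ID.AM-1, ID.AM-2 and ID.AM-6 (log if someone changes a bucket policy or stops an instance) only delivers monitoring once something reads the log. The following is an added example, not AWS code: detection logic run over a constructed CloudTrail log file in the `{"Records": [...]}` layout CloudTrail delivers to S3. It also reads the `mfaAuthenticated` session attribute, so the MFA enforcement this row relies on can be verified from the audit trail instead of assumed. The watch list, account number, principals, instance IDs and addresses are placeholders invented for the example.

```python
import json

# Constructed CloudTrail log file (not a real capture): four records, of which
# three should produce findings and one (a plain GetObject) should not.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:15:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"bucketName": "finance-reports"}},
    {"eventTime": "2024-05-01T10:20:44Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StopInstances", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/OpsRole/bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0example1"},
                                                      {"instanceId": "i-0example2"}]}}},
    {"eventTime": "2024-05-01T10:21:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0example3"}]}},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventTime": "2024-05-01T10:25:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "finance-reports", "key": "q1.csv"}},
]})

# Events to alert on: the page's two examples plus their destructive neighbours
# (assumption; extend per environment).
WATCHED = {
    "s3.amazonaws.com": {"PutBucketPolicy", "DeleteBucketPolicy"},
    "ec2.amazonaws.com": {"StopInstances", "TerminateInstances"},
}


def affected_resources(rec):
    """Pull the bucket name or the instance IDs out of requestParameters."""
    params = rec.get("requestParameters") or {}
    if "bucketName" in params:
        return [params["bucketName"]]
    items = (params.get("instancesSet") or {}).get("items") or []
    return [i["instanceId"] for i in items]


def mfa_authenticated(rec):
    """True only when the session carries mfaAuthenticated=true. The attribute exists
    only for session credentials, so a call made with long-term access keys (no
    sessionContext) is treated as not MFA-authenticated as well."""
    attrs = rec.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def detect(log_text, watched=WATCHED):
    """One finding per watched API call, whether it succeeded or was denied."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventName") not in watched.get(rec.get("eventSource"), ()):
            continue
        findings.append({
            "time": rec["eventTime"],
            "event": rec["eventName"],
            "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
            "source_ip": rec.get("sourceIPAddress"),
            "resources": affected_resources(rec),
            "mfa": mfa_authenticated(rec),
            "outcome": rec.get("errorCode", "Success"),
        })
    return findings


def severity(finding):
    """Denied calls are attempts worth a look; successful changes without MFA rank highest."""
    if finding["outcome"] != "Success":
        return "MEDIUM"
    return "HIGH" if not finding["mfa"] else "LOW"


def render(finding):
    return (f"[{severity(finding)}] {finding['time']} {finding['event']} ({finding['outcome']}) "
            f"by {finding['actor']} from {finding['source_ip']} on {', '.join(finding['resources'])}"
            + ("" if finding["mfa"] else "; no MFA in session"))


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(render(finding))
```

The bucket-policy change by a user without MFA comes out as HIGH, the MFA-backed instance stop as LOW, and the denied termination attempt as MEDIUM. In production the same `detect` runs over each gzip-compressed log object CloudTrail writes, or over the events a CloudWatch Logs subscription forwards; the watch list is where the organization's own sensitive-action inventory goes.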

ID.BE-1: The organization's role in the supply chain is identified and communicated
Category: Business Environment (ID.BE)
Informative References:
• COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05
• ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2
• NIST SP 800-53 Rev. 4 CP-2, SA-12
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
AWS Services and Responsibility:
In alignment with ISO 27001 standards, AWS hardware assets are assigned an owner and are tracked and monitored by AWS personnel with AWS proprietary inventory management tools. The AWS procurement and supply chain team maintains relationships with all AWS suppliers. Refer to ISO 27001 Annex A, domain 8, for additional details. AWS has been validated and certified by an independent auditor to confirm alignment with the ISO 27001 certification standard.

AWS maintains formal agreements with key third-party suppliers and implements appropriate relationship management mechanisms in line with their relationship to the business. AWS's third-party management processes are reviewed by independent auditors as part of AWS's ongoing compliance with SOC and ISO 27001.

The customer can leverage AWS Artifact, which features a comprehensive list of access-controlled documents relevant to compliance and security in the AWS cloud.
Customer Responsibility:
CP-2: AWS customers are responsible for developing a contingency plan for their system that: 1) Identifies essential missions and business functions and associated contingency requirements, 2) Provides recovery objectives, restoration priorities, and metrics, 3) Addresses contingency roles, responsibilities, and assigned individuals with contact information, 4) Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure, 5) Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented, and 6) Is reviewed and approved by organization-defined personnel or roles in accordance with the contingency planning policy.

SA-12: AWS customers are responsible for protecting against supply chain threats to the information system, system component, or information system service by employing organization-defined security safeguards as part of a comprehensive, defense-in-breadth information security strategy.

ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated
Category: Business Environment (ID.BE)
Informative References:
• COBIT 5 APO02.06, APO03.01
• NIST SP 800-53 Rev. 4 PM-8
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
AWS Services and Responsibility:
In alignment with the ISO 27001 standard, AWS maintains a risk management program to mitigate and manage risk. In addition, AWS maintains an ISO 27018 certification. Alignment with ISO 27018 demonstrates to customers that AWS has a system of controls in place that specifically addresses the privacy protection of their content.

Updates to AWS security policies, procedures, standards and controls occur on an annual basis in alignment with the ISO 27001 standard.
Customer Responsibility:
PM-8: AWS customers are responsible for prioritizing critical assets and developing a critical infrastructure and key resources protection strategy plan.

The customer can leverage AWS Artifact, which features a comprehensive list of access-controlled documents relevant to compliance and security in the AWS cloud.

ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
Category: Business Environment (ID.BE): The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
Informative References:
• COBIT 5 APO02.01, APO02.06, APO03.01
• ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6
• NIST SP 800-53 Rev. 4 PM-11, SA-14
AWS Implementation/Enablers/Processes: Customer Responsibility
AWS Services and Responsibility:
In alignment with the ISO 27001 standard, AWS maintains a risk management program to mitigate and manage risk. In addition, AWS maintains an ISO 27018 certification. Alignment with ISO 27018 demonstrates to customers that AWS has a system of controls in place that specifically addresses the privacy protection of their content.

Updates to AWS security policies, procedures, standards and controls occur on an annual basis in alignment with the ISO 27001 standard.

The customer can leverage AWS Artifact, which features a comprehensive list of access-controlled documents relevant to compliance and security in the AWS cloud.
Customer Responsibility:
PM-11: AWS customers are responsible for determining information protection needs with regard to the required security controls for the organization and the associated information systems supporting the business processes. In addition, AWS customers are responsible for revising the information protection needs process as needed.

SA-14: AWS customers are responsible for identifying critical information system components by performing analysis on their EC2 instances at a point defined within their SDLC policy/process.

ID.BE-4: Dependencies and critical functions for delivery of critical services are established
Category: Business Environment (ID.BE)
Informative References:
• ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3
• NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14
AWS Implementation/Enablers/Processes: AWS Certifications, AWS Best Practices & Reference Architectures, Customer Responsibility
AWS Services and Responsibility:
In alignment with the ISO 27001 standard, AWS maintains a risk management program to mitigate and manage risk. In addition, AWS maintains an ISO 27018 certification. Alignment with ISO 27018 demonstrates to customers that AWS has a system of controls in place that specifically addresses the privacy protection of their content.

Updates to AWS security policies, procedures, standards and controls occur on an annual basis in alignment with the ISO 27001 standard.

The customer can leverage AWS Artifact, which features a comprehensive list of access-controlled documents relevant to compliance and security in the AWS cloud.
Customer Responsibility:
CP-8, PE-9, PE-11: Customers are not responsible for these controls, as they are inherited from AWS.

PM-8: AWS customers are responsible for prioritizing critical assets and developing a critical infrastructure and key resources protection strategy plan.

SA-14: AWS customers are responsible for identifying critical information system components by performing analysis on their EC2 instances at a point defined within their SDLC policy/process.

ID.BE-5: Resilience requirements to support delivery of critical services are established
Category: Business Environment (ID.BE)
Informative References:
• COBIT 5 DSS04.02
• ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1
• NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14
AWS Implementation/Enablers/Processes: AWS Certifications, AWS Best Practices & Reference Architectures, Customer Responsibility
AWS Services and Responsibility:
AWS business continuity policies and plans have been developed and tested in alignment with ISO 27001 standards. Refer to ISO 27001 Annex A, domain 17, for further details on AWS and business continuity.

AWS provides customers with the capability to implement a robust continuity plan, including the use of frequent server instance backups, data redundancy replication, and multi-region/Availability Zone deployment architectures.
Customer Responsibility:
CP-2: AWS customers are responsible for developing a contingency plan for their system that: 1) Identifies essential missions and business functions and associated contingency requirements, 2) Provides recovery objectives, restoration priorities, and metrics, 3) Addresses contingency roles, responsibilities, and assigned individuals with contact information, 4) Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure, 5) Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented, and 6) Is reviewed and approved by organization-defined personnel or roles in accordance with the contingency planning policy.

CP-11: AWS customers are responsible for providing alternative means of communication to support continuity of operations.

SA-14: AWS customers are responsible for identifying critical information system components by performing analysis on their EC2 instances at a point defined within their SDLC policy/process.

ID.GV-1: Organizational information security policy is established
Category: Governance (ID.GV)
Informative References:
• COBIT 5 APO01.03, EDM01.01, EDM01.02
• ISA 62443-2-1:2009 4.3.2.6
• ISO/IEC 27001:2013 A.5.1.1
• NIST SP 800-53 Rev. 4 -1 controls from all families
AWS Implementation/Enablers/Processes: AWS Certifications, AWS Best Practices & Reference Architectures, Customer Responsibility
AWS Services and Responsibility:
AWS has established an information security framework and policies which have integrated the ISO 27001 certifiable framework based on ISO 27002 controls, the American Institute of Certified Public Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and the National Institute of Standards and Technology (NIST) Publication 800-53 (Recommended Security Controls for Federal Information Systems). AWS manages third-party relationships in alignment with ISO 27001 standards. AWS third-party requirements are reviewed by independent external auditors during audits for PCI DSS, ISO 27001 and FedRAMP compliance.
Customer Responsibility:
All -1 controls: AWS customers are responsible for developing, documenting, maintaining, disseminating, and implementing the policy and supporting procedures required by the -1 control of each control family (for example, an access control policy for AC-1). AWS customers are responsible for reviewing and updating the policies and procedures at a frequency defined by their organization.

The customer can leverage AWS Artifact, which features a comprehensive list of access-controlled documents relevant to compliance and security in the AWS cloud.

ID.GV-2: Information security roles and responsibilities are coordinated and aligned with internal roles and external partners
Category: Governance (ID.GV)
Informative References:
• COBIT 5 APO13.12
• ISA 62443-2-1:2009 4.3.2.3.3
• ISO/IEC 27001:2013 A.6.1.1, A.7.2.1
• NIST SP 800-53 Rev. 4 PM-1, PS-7
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
AWS Services and Responsibility:
AWS provides security policies and security training to employees to educate them as to their roles and responsibilities concerning information security. Employees who violate Amazon standards or protocols are investigated and appropriate disciplinary action (e.g., warning, performance plan, suspension, and/or termination) is taken. Refer to the AWS Cloud Security Whitepaper for additional details, available at http://aws.amazon.com/security. Refer to ISO 27001 Annex A, domain 7, for additional details. AWS has been validated and certified by an independent auditor to confirm alignment with the ISO 27001 certification standard.

IAM policies allow customers to achieve detailed, least-privilege access management by creating multiple users within the AWS account, assigning them security credentials, and managing their permissions. IAM roles allow the customer to temporarily delegate access to users or services that normally do not have access to the AWS resources by defining the set of permissions a user or service needs.
Customer Responsibility:
PM-1: AWS customers are responsible for developing, documenting, maintaining, disseminating, and implementing an organization-wide information security program plan and supporting procedures. AWS customers are responsible for reviewing and updating the plan and procedures at a frequency defined by their organization.

PS-7: AWS customers are responsible for: 1) Establishing personnel security requirements, including security roles and responsibilities for third-party providers, 2) Requiring third-party providers to comply with personnel security policies and procedures established by their organization, 3) Documenting personnel security requirements, 4) Requiring third-party providers to notify organization-defined personnel or roles, within an organization-defined time period, of any transfers or terminations of third-party personnel who possess organizational credentials and/or badges or who have information system privileges, and 5) Monitoring provider compliance.
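ID.AM-6 and ID.GV-2 point at IAM policies and roles as the least-privilege mechanism but give no way to tell a least-privilege document from an over-broad one. The following is an added example, not AWS code: a linter over constructed IAM permissions policies and role trust policies that flags the patterns that defeat least privilege (Action or Resource wildcards, NotAction/NotResource, privileged actions without an MFA condition, and cross-account trust without an sts:ExternalId condition). The privileged-action list, the set of actions that legitimately need Resource "*", the account numbers and the sample policies are assumptions made for the example.

```python
import json

# Actions with no resource-level permissions, so Resource "*" is legitimate for
# them (assumption; extend per workload).
NO_RESOURCE_SCOPE = {"s3:ListAllMyBuckets", "sts:GetCallerIdentity", "ec2:DescribeInstances"}
# Actions whose Allow statements should be gated on MFA (assumption).
PRIVILEGED_PREFIXES = ("iam:", "organizations:", "sts:AssumeRole")


def as_list(value):
    """The policy grammar lets Action/Resource/Principal be a string or a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def mfa_required(statement):
    """IAM evaluates aws:MultiFactorAuthPresent as true only for MFA-authenticated sessions."""
    cond = statement.get("Condition", {})
    return cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true"


def lint_permissions_policy(doc):
    findings = []
    for i, st in enumerate(as_list(doc.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"statement {i}: NotAction/NotResource allows everything not listed")
        actions, resources = as_list(st.get("Action")), as_list(st.get("Resource"))
        if "*" in actions:
            scope = "Resource '*' (full administrative access)" if "*" in resources else "the listed resources"
            findings.append(f"statement {i}: Action '*' on {scope}")
        service_wild = [a for a in actions if a != "*" and a.endswith(":*")]
        if service_wild:
            findings.append(f"statement {i}: service-wide wildcard {service_wild}; list the needed actions")
        if "*" in resources and "*" not in actions and \
                not all(a in NO_RESOURCE_SCOPE or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: Resource '*' for {actions}; scope to the ARNs the workload uses")
        privileged = [a for a in actions if a == "*" or a.startswith(PRIVILEGED_PREFIXES)]
        if privileged and not mfa_required(st):
            findings.append(f"statement {i}: {privileged} allowed without an aws:MultiFactorAuthPresent condition")
    return findings


def lint_trust_policy(doc, own_account):
    """Role trust policy: who may call sts:AssumeRole on this role."""
    findings = []
    for i, st in enumerate(as_list(doc.get("Statement"))):
        actions = as_list(st.get("Action"))
        if st.get("Effect") != "Allow" or not any(a.startswith("sts:AssumeRole") for a in actions):
            continue
        principal = st.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else as_list(principal.get("AWS"))
        for p in aws_principals:
            if p == "*":
                findings.append(f"statement {i}: any AWS principal may assume this role")
                continue
            account = p.split(":")[4] if p.startswith("arn:") else p  # bare account id is root shorthand
            if account != own_account and "sts:ExternalId" not in json.dumps(st.get("Condition", {})):
                findings.append(f"statement {i}: cross-account principal {p} without sts:ExternalId (confused deputy)")
    return findings


# Constructed sample policies (placeholder account numbers, not real principals).
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SLOPPY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:CreateUser", "iam:AttachUserPolicy"], "Resource": "*"},
]}
LEAST_PRIVILEGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::app-uploads/*"},
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:ChangePassword",
     "Resource": "arn:aws:iam::111122223333:user/${aws:username}",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:user/deploy"},
     "Action": "sts:AssumeRole",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
]}

if __name__ == "__main__":
    for name, doc in [("admin", ADMIN_POLICY), ("sloppy", SLOPPY_POLICY),
                      ("least-privilege", LEAST_PRIVILEGE_POLICY)]:
        print(name, lint_permissions_policy(doc) or "clean")
    print("trust", lint_trust_policy(TRUST_POLICY, "111122223333") or "clean")
```

The least-privilege document passes because each statement names concrete actions, scopes resources to ARNs (except for the one action that has no resource-level permissions), and gates the IAM action on MFA; the admin and sloppy documents fail on exactly the properties the row calls out. The trust-policy check is the role-side complement: an external account may assume the role only when the caller proves it knows the agreed ExternalId.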

ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
Category: Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
Informative References:
• COBIT 5 MEA03.01, MEA03.04
• ISA 62443-2-1:2009 4.4.3.7
• ISO/IEC 27001:2013 A.18.1
• NIST SP 800-53 Rev. 4 -1 controls from all families (except PM-1)
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
AWS Services and Responsibility:
AWS's alignment with ISO 27018 has been validated by an independent third-party assessor. ISO 27018 is the first international code of practice that focuses on protection of personal data in the cloud. It is based on the ISO 27002 information security standard and provides implementation guidance on ISO 27002 controls applicable to Personally Identifiable Information (PII) processed by public cloud service providers. This demonstrates to customers that AWS has a system of controls in place that specifically addresses the privacy protection of their content.
Customer Responsibility:
All -1 controls except PM-1: AWS customers are responsible for developing, documenting, maintaining, disseminating, and implementing the policy and supporting procedures required by the -1 control of each control family (for example, a risk assessment policy for RA-1). AWS customers are responsible for reviewing and updating the policies and procedures at a frequency defined by their organization.

AWS Config enables customers to discover existing and deleted AWS resources, determine their overall compliance against rules, and dive into the configuration details of a resource at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.

ID.GV-4: Governance and risk management processes address cybersecurity risks
Category: Governance (ID.GV)
Informative References:
• COBIT 5 DSS04.02
• ISA 62443-2-1:2009 4.2.3.1, 4.2.3.3, 4.2.3.8, 4.2.3.9, 4.2.3.11, 4.3.2.4.3, 4.3.2.6.3
• NIST SP 800-53 Rev. 4 PM-9, PM-11
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
AWS Services and Responsibility:
AWS management has developed a strategic business plan which includes risk identification and the implementation of controls to mitigate or manage risks. AWS management re-evaluates the strategic business plan at least biannually. This process requires management to identify risks within its areas of responsibility and to implement appropriate measures designed to address those risks.

In addition, the AWS control environment is subject to various internal and external risk assessments. The AWS Compliance and Security teams have established an information security framework and policies based on the Control Objectives for Information and related Technology (COBIT) framework and have effectively integrated the ISO 27001 certifiable framework based on ISO 27002 controls, the American Institute of Certified Public Accountants (AICPA) Trust Services Principles, the PCI DSS v3.2, and the National Institute of Standards and Technology (NIST) Publication 800-53 Rev 3 (Recommended Security Controls for Federal Information Systems). AWS maintains the security policy, provides security training to employees, and performs application security reviews. These reviews assess the confidentiality, integrity, and availability of data, as well as conformance to the information security policy.
Customer Responsibility:
PM-9: AWS customers are responsible for developing a risk management strategy and implementing this strategy across the organization. In addition, AWS customers are responsible for reviewing and updating the risk management strategy in accordance with their organization's policy.

PM-11: AWS customers are responsible for determining information protection needs with regard to the required security controls for the organization and the associated information systems supporting the business processes. In addition, AWS customers are responsible for revising the information protection needs process as needed.

The customer can leverage AWS Artifact, which features a comprehensive list of access-controlled documents relevant to compliance and security in the AWS cloud.

Subcategory: ID.RA-1: Asset vulnerabilities are identified and documented

Informative References:
• CCS CSC 4
• COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04
• ISA 62443-2-1:2009 4.2.3, 4.2.3.7, 4.2.3.9, 4.2.3.12
• ISO/IEC 27001:2013 A.12.6.1, A.18.2.3
• NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5

AWS Services and Responsibility: AWS Certifications, Customer Responsibility

AWS Implementation/Enablers/Processes:
AWS is responsible for patching systems supporting the delivery of service to customers, such as the hypervisor and networking services. This is done as required per AWS policy and in accordance with ISO 27001, NIST, and PCI requirements. Customers control their own guest operating systems, software and applications and are therefore responsible for patching their own systems.

Customer Responsibility:
CA-2: AWS customers are responsible for conducting security assessments for their systems. Within this context and in accordance with their security assessment and authorization policy, AWS customers are responsible for: 1) Developing a security assessment plan that describes the security controls and control enhancements under assessment, assessment procedures used to determine effectiveness, the assessment environment, the assessment team, and the assessment roles and responsibilities, 2) Assessing security controls in their system and its environment of operation at an organization-defined frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements, 3) Producing a security assessment report that documents the results of the assessment, and 4) Providing the results of the security control assessment to their organization-defined individuals or roles.

CA-7: AWS customers are responsible for developing a continuous monitoring strategy and implementing a continuous monitoring program in accordance with their security assessment and authorization policy that defines: 1) Metrics to be monitored, 2) Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for conducting and receiving continuous monitoring analysis information. Pursuant to this continuous monitoring program, AWS customers are responsible for: 1) Establishing and configuring monitoring for defined metrics, 2) Monitoring and conducting assessments at organization-defined frequencies, 3) Conducting ongoing security control assessments, 4) Conducting ongoing security status monitoring of their organization-defined metrics, 5) Correlating and analyzing security-related information generated by assessments and monitoring, 6) Taking appropriate response actions to address the results of the analysis of security-related information, and 7) Reporting the security status of their organization and the information system to the organization-defined personnel or roles at the organization-defined frequency.

CA-8: AWS customers are responsible for conducting penetration testing on organization-defined systems or system components at a frequency prescribed by their security assessment and authorization policy.

RA-3: AWS customers are responsible for: 1) Conducting an assessment of risk to include the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction of their information system and the information it processes, stores, or transmits, 2) Documenting risk assessment results in the system plan, security assessment report, or other organization-defined document, 3) Reviewing risk assessment results at an organization-defined frequency, 4) Disseminating risk assessment results to organization-defined personnel or roles, and 5) Updating the risk assessment at an organization-defined frequency or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities) or other conditions that may impact the security state of the system.

RA-5: AWS customers are responsible for: 1) Scanning for vulnerabilities in their information system and hosted applications at an organization-defined frequency and/or randomly in accordance with their organization-defined process and when new vulnerabilities potentially affecting the system/applications are identified and reported; 2) Employing vulnerability scanning tools and techniques that promote interoperability among tools and automated parts of the vulnerability management process by using standards for: a) Enumerating platforms, software flaws, and improper configurations, b) Formatting and making transparent checklists and test procedures, and c) Measuring vulnerability impact; 3) Analyzing vulnerability scan reports and results from security control assessments; 4) Remediating legitimate vulnerabilities within organization-defined response times in accordance with an organizational assessment of risk; and 5) Sharing information obtained from the vulnerability scanning process and security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

SA-5: AWS customers are responsible for: 1) Obtaining administrator documentation for their systems, system components, or information system services that describes: a) Secure configuration, installation, and operation of the system, component, or service, b) Effective use and maintenance of security functions/mechanisms, and c) Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; 2) Obtaining user documentation for their systems, system components, or information system services that describes: a) User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms, b) Methods for user interaction that enable individuals to use the system, component, or service in a more secure manner, and c) User responsibilities in maintaining the security of the system, component, or service; 3) Documenting attempts to obtain information system, system component, or information system service documentation for their systems when such documentation is either unavailable or nonexistent and taking organization-defined actions in response; 4) Protecting documentation as required and in accordance with their system and services acquisition policy; and 5) Distributing documentation to organization-defined personnel or roles.

SA-11: AWS customers are responsible for requiring the developer of their information system, system component, or information system service to: 1) Create and implement a security assessment plan, 2) Perform unit, integration, system, and/or regression testing/evaluation at organization-defined depth and coverage, 3) Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation, 4) Implement a verifiable flaw remediation process, and 5) Correct flaws identified during security testing/evaluation.

SI-2: AWS customers are responsible for: 1) Identifying, reporting, and correcting information system flaws, 2) Testing software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation, 3) Installing security-relevant software and firmware updates within an organization-defined time period of the release of the updates, and 4) Incorporating flaw remediation into the organizational configuration management process.

SI-4: AWS customers are responsible for: 1) Monitoring their information system to detect: a) Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives and b) Unauthorized local, network, and remote connections; 2) Identifying unauthorized use of the information system through organization-defined techniques and methods; 3) Deploying monitoring devices: a) Strategically within the information system to collect organization-determined essential information and b) At ad hoc locations within the system to track specific types of transactions of interest to their organization; 4) Protecting information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; 5) Heightening the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; 6) Obtaining legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and 7) Providing organization-defined information system monitoring information to organization-defined personnel or roles as needed or in accordance with an organization-defined frequency.

SI-5: AWS customers are responsible for: 1) Receiving information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis, 2) Generating internal security alerts, advisories, and directives as deemed necessary, 3) Disseminating security alerts, advisories, and directives to organization-defined personnel, roles, organizational elements and/or external organizations, and 4) Implementing security directives in accordance with established time frames or notifying the issuing organization of the degree of noncompliance.

Subcategory: ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources

Informative References:
• ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
• ISO/IEC 27001:2013 A.6.1.4
• NIST SP 800-53 Rev. 4 PM-15, PM-16, SI-5

AWS Services and Responsibility: AWS Certifications, Customer Responsibility

AWS Implementation/Enablers/Processes:
AWS customers retain the responsibility to monitor their own environment for privacy breaches. The AWS SOC reports provide an overview of the controls in place to monitor the AWS managed environment.

Customer Responsibility:
PM-15: AWS customers are responsible for maintaining ongoing contact with security groups and associations to: 1) Facilitate ongoing security education and training for organizational personnel, 2) Maintain currency with recommended security practices, techniques, and technologies, and 3) Share current security-related information including threats, vulnerabilities, and incidents.

PM-16: AWS customers are responsible for implementing a threat awareness program that has the capability to share information across the organization.

SI-5: AWS customers are responsible for: 1) Receiving information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis, 2) Generating internal security alerts, advisories, and directives as deemed necessary, 3) Disseminating security alerts, advisories, and directives to organization-defined personnel, roles, organizational elements and/or external organizations, and 4) Implementing security directives in accordance with established time frames or notifying the issuing organization of the degree of noncompliance.

AWS customers are responsible for employing automated mechanisms to make security alert and advisory information available throughout their organization.

Category: Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. (Category for the ID.RA-1 through ID.RA-6 rows.)

Subcategory: ID.RA-3: Threats, both internal and external, are identified and documented

Informative References:
• COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04
• ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
• NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, PM-16

AWS Services and Responsibility: AWS Certifications, Customer Responsibility, AWS Trusted Advisor

AWS Implementation/Enablers/Processes:
AWS Security regularly scans all Internet facing service endpoint IP addresses for vulnerabilities (these scans do not include customer instances). AWS Security notifies the appropriate parties to remediate any identified vulnerabilities. In addition, external vulnerability threat assessments are performed regularly by independent security firms. Findings and recommendations resulting from these assessments are categorized and delivered to AWS leadership. In addition, the AWS control environment is subject to regular internal and external risk assessments. AWS engages with external certifying bodies and independent auditors to review and test the AWS overall control environment. AWS security controls are reviewed by independent external auditors during audits for our SOC, PCI DSS, ISO 27001 and FedRAMP compliance.

Customer Responsibility:
RA-3: AWS customers are responsible for: 1) Conducting an assessment of risk to include the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction of their information system and the information it processes, stores, or transmits, 2) Documenting risk assessment results in the system plan, security assessment report, or other organization-defined document, 3) Reviewing risk assessment results at an organization-defined frequency, 4) Disseminating risk assessment results to organization-defined personnel or roles, and 5) Updating the risk assessment at an organization-defined frequency or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities) or other conditions that may impact the security state of the system.

SI-5: AWS customers are responsible for: 1) Receiving information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis, 2) Generating internal security alerts, advisories, and directives as deemed necessary, 3) Disseminating security alerts, advisories, and directives to organization-defined personnel, roles, organizational elements and/or external organizations, and 4) Implementing security directives in accordance with established time frames or notifying the issuing organization of the degree of noncompliance.

PM-12: AWS customers are responsible for implementing an insider threat training program and incorporating this program with the incident handling team.

PM-16: AWS customers are responsible for implementing a threat awareness program that has the capability to share information across the organization.

Customers can perform security scans on customer managed assets using traditional tools and processes.

Subcategory: ID.RA-4: Potential business impacts and likelihoods are identified

Informative References:
• COBIT 5 DSS04.02
• ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
• NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-9, PM-11, SA-14

AWS Services and Responsibility: AWS Certifications, Customer Responsibility

AWS Implementation/Enablers/Processes:
AWS Security regularly scans all Internet facing service endpoint IP addresses for vulnerabilities (these scans do not include customer instances). AWS Security notifies the appropriate parties to remediate any identified vulnerabilities. In addition, external vulnerability threat assessments are performed regularly by independent security firms. Findings and recommendations resulting from these assessments are categorized and delivered to AWS leadership. In addition, the AWS control environment is subject to regular internal and external risk assessments. AWS engages with external certifying bodies and independent auditors to review and test the AWS overall control environment. AWS security controls are reviewed by independent external auditors during audits for our SOC, PCI DSS, ISO 27001 and FedRAMP compliance.

Customer Responsibility:
RA-2: AWS customers are responsible for: 1) Categorizing their information and their information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, 2) Documenting the security categorization results (including supporting rationale) in the security plan for the information system, and 3) Ensuring the security categorization decision is reviewed and approved by the AO or authorizing official designated representative.

RA-3: AWS customers are responsible for: 1) Conducting an assessment of risk to include the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction of their information system and the information it processes, stores, or transmits, 2) Documenting risk assessment results in the system plan, security assessment report, or other organization-defined document, 3) Reviewing risk assessment results at an organization-defined frequency, 4) Disseminating risk assessment results to organization-defined personnel or roles, and 5) Updating the risk assessment at an organization-defined frequency or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities) or other conditions that may impact the security state of the system.

PM-9: AWS customers are responsible for developing a risk management strategy and implementing this strategy across the organization. In addition, AWS customers are responsible for reviewing and updating the risk management strategy in accordance with their organization's policy.

PM-11: AWS customers are responsible for determining information protection needs with regards to the required security controls for the organization and the associated information systems supporting the business processes. In addition, AWS customers are responsible for revising the information protection needs process as needed.

SA-14: AWS customers are responsible for identifying critical information system components by performing analysis on their EC2 instance at a point defined within their SDLC policy/process.

Customers can perform security scans on customer managed assets using traditional tools and processes.

Subcategory: ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk

Informative References:
• COBIT 5 APO12.02
• ISO/IEC 27001:2013 A.12.6.1
• NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-16

AWS Services and Responsibility: AWS Certifications, Customer Responsibility

AWS Implementation/Enablers/Processes:
AWS Security regularly scans all Internet facing service endpoint IP addresses for vulnerabilities (these scans do not include customer instances). AWS Security notifies the appropriate parties to remediate any identified vulnerabilities. In addition, external vulnerability threat assessments are performed regularly by independent security firms. Findings and recommendations resulting from these assessments are categorized and delivered to AWS leadership. In addition, the AWS control environment is subject to regular internal and external risk assessments. AWS engages with external certifying bodies and independent auditors to review and test the AWS overall control environment. AWS security controls are reviewed by independent external auditors during audits for our SOC, PCI DSS, ISO 27001 and FedRAMP compliance.

Customer Responsibility:
RA-2: AWS customers are responsible for: 1) Categorizing their information and their information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, 2) Documenting the security categorization results (including supporting rationale) in the security plan for the information system, and 3) Ensuring the security categorization decision is reviewed and approved by the AO or authorizing official designated representative.

RA-3: AWS customers are responsible for: 1) Conducting an assessment of risk to include the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction of their information system and the information it processes, stores, or transmits, 2) Documenting risk assessment results in the system plan, security assessment report, or other organization-defined document, 3) Reviewing risk assessment results at an organization-defined frequency, 4) Disseminating risk assessment results to organization-defined personnel or roles, and 5) Updating the risk assessment at an organization-defined frequency or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities) or other conditions that may impact the security state of the system.

PM-16: AWS customers are responsible for implementing a threat awareness program that has the capability to share information across the organization.

Customers can perform security scans on customer managed assets using traditional tools and processes.

Subcategory: ID.RA-6: Risk responses are identified and prioritized

Informative References:
• COBIT 5 APO12.05, APO13.02
• NIST SP 800-53 Rev. 4 PM-4, PM-9

AWS Services and Responsibility: AWS Certifications, Customer Responsibility

AWS Implementation/Enablers/Processes:
AWS Security regularly scans all Internet facing service endpoint IP addresses for vulnerabilities (these scans do not include customer instances). AWS Security notifies the appropriate parties to remediate any identified vulnerabilities. In addition, external vulnerability threat assessments are performed regularly by independent security firms. Findings and recommendations resulting from these assessments are categorized and delivered to AWS leadership. In addition, the AWS control environment is subject to regular internal and external risk assessments. AWS engages with external certifying bodies and independent auditors to review and test the AWS overall control environment. AWS security controls are reviewed by independent external auditors during audits for our SOC, PCI DSS, ISO 27001 and FedRAMP compliance.

Customer Responsibility:
PM-4: AWS customers are responsible for: 1) Developing and maintaining a plan of action and milestones program, 2) Documenting the remediation actions taken, and 3) Reporting findings in accordance with OMB FISMA requirements. In addition, AWS customers are responsible for reviewing plans of action and milestones for consistency with the organization's risk management strategy.

PM-9: AWS customers are responsible for developing a risk management strategy and implementing this strategy across the organization. In addition, AWS customers are responsible for reviewing and updating the risk management strategy in accordance with their organization's policy.

Customers can perform security scans on customer managed assets using traditional tools and processes.

Subcategory: ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders

Informative References:
• COBIT 5 APO12.04, APO12.05, APO13.02, BAI02.03, BAI04.02
• ISA 62443-2-1:2009 4.3.4.2
• NIST SP 800-53 Rev. 4 PM-9

AWS Services and Responsibility: AWS Certifications, Customer Responsibility

AWS Implementation/Enablers/Processes:
In alignment with the ISO 27001 standard, AWS maintains a Risk Management program to mitigate and manage risk. In addition, AWS maintains an ISO 27018 certification. Alignment with ISO 27018 demonstrates to customers that AWS has a system of controls in place that specifically address the privacy protection of their content.

The control environment at Amazon begins at the highest level of the Company. Executive and senior leadership play important roles in establishing the Company's tone and core values. Every employee is provided with the Company's Code of Business Conduct and Ethics and completes periodic training. Compliance audits are performed so that employees understand and follow the established policies. Refer to the AWS Risk & Compliance whitepaper for additional details, available at http://aws.amazon.com/compliance.

Customer Responsibility:
PM-9: AWS customers are responsible for developing a risk management strategy and implementing this strategy across the organization. In addition, AWS customers are responsible for reviewing and updating the risk management strategy in accordance with their organization's policy.

The customer can leverage AWS Artifact, which features a comprehensive list of access-controlled documents relevant to compliance and security in the AWS cloud.

Category: Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. (Category for the ID.RM-1 through ID.RM-3 rows.)

Subcategory: ID.RM-2: Organizational risk tolerance is determined and clearly expressed

Informative References:
• COBIT 5 APO12.06
• ISA 62443-2-1:2009 4.3.2.6.5
• NIST SP 800-53 Rev. 4 PM-9

AWS Services and Responsibility: AWS Certifications, Customer Responsibility

AWS Implementation/Enablers/Processes:
In alignment with the ISO 27001 standard, AWS maintains a Risk Management program to mitigate and manage risk. In addition, AWS maintains an ISO 27018 certification. Alignment with ISO 27018 demonstrates to customers that AWS has a system of controls in place that specifically address the privacy protection of their content.

Customer Responsibility:
PM-9: AWS customers are responsible for developing a risk management strategy and implementing this strategy across the organization. In addition, AWS customers are responsible for reviewing and updating the risk management strategy in accordance with their organization's policy.

The customer can leverage AWS Artifact, which features a comprehensive list of access-controlled documents relevant to compliance and security in the AWS cloud.

Subcategory: ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis

Informative References:
• NIST SP 800-53 Rev. 4 PM-8, PM-9, PM-11, SA-14

AWS Services and Responsibility: AWS Certifications, Customer Responsibility

AWS Implementation/Enablers/Processes:
Updates to AWS security policies, procedures, standards and controls occur on an annual basis in alignment with the ISO 27001 standard. Refer to ISO 27001 for additional information. AWS has been validated and certified by an independent auditor to confirm alignment with ISO 27001 certification.

Customer Responsibility:
PM-8: AWS customers are responsible for prioritizing critical assets, and developing a critical infrastructure and key resources protection strategy plan.

PM-9: AWS customers are responsible for developing a risk management strategy and implementing this strategy across the organization. In addition, AWS customers are responsible for reviewing and updating the risk management strategy in accordance with their organization's policy.

PM-11: AWS customers are responsible for determining information protection needs with regards to the required security controls for the organization and the associated information systems supporting the business processes. In addition, AWS customers are responsible for revising the information protection needs process as needed.

SA-14: AWS customers are responsible for identifying critical information system components by performing analysis on their EC2 instance at a point defined within their SDLC policy/process.

The customer can leverage AWS Artifact, which features a comprehensive list of access-controlled documents relevant to compliance and security in the AWS cloud.

Subcategory: PR.AC-1: Identities and credentials are managed for authorized devices and users

Informative References:
• COBIT 5 DSS05.04, DSS06.03
• ISA 62443-2-1:2009 4.3.3.5.1
• ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9
• ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3

AWS Services and Responsibility: AWS IAM Policies & Roles/Customer Responsibility

AWS Implementation/Enablers/Processes:
AWS user access privileges are restricted based on business need and job responsibilities. AWS employs the concept of least privilege, allowing only the necessary access for users to accomplish their job function.

Customer Responsibility:
AC-2: AWS customers are responsible for managing accounts associated with their applications hosted on AWS. AWS customers are responsible for properly using AWS Identity and Access Management (IAM) to create and manage user accounts and to enforce access within their Amazon Elastic Compute Cloud (Amazon EC2) instances and all applications they install.
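As an added illustration of the AC-2 customer responsibility above (using IAM to enforce access according to least privilege), the following Python script, which is not part of this AWS document, lints IAM policy documents for the grants that most often contradict least privilege: Allow statements whose Action is "*" or a service-wide "service:*", Allow statements built on NotAction, and a Resource of "*" attached to anything other than read-only Describe/List/Get calls. The two sample policies, the bucket name and the read-only prefix list are assumptions constructed for the example; aws:MultiFactorAuthPresent is a real IAM condition key.

```python
import json

# Constructed sample policy documents for illustration; not taken from the page.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-app-logs",      # assumed bucket name
                         "arn:aws:s3:::example-app-logs/*"],
        },
        {
            # EC2 Describe calls do not support resource-level scoping, so "*"
            # is the narrowest resource available; the MFA condition limits use.
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances",
            "Resource": "*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
    ],
})

# Assumed convention: actions with these name prefixes are treated as read-only.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    # "s3:GetObject" -> "GetObject"; a bare "*" has no read-only prefix.
    name = action.split(":", 1)[-1]
    return name.startswith(READ_ONLY_PREFIXES)


def least_privilege_findings(policy_json):
    """Return [(statement_index, message), ...] for Allow statements that grant
    more than a narrowly scoped permission. An empty list means no findings."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append((idx, "Allow with NotAction grants every action not listed"))
        if "*" in actions:
            findings.append((idx, "Action '*' grants every API call"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((idx, "service-wide action wildcard"))
        if "*" in resources and not all(_is_read_only(a) for a in actions):
            findings.append((idx, "Resource '*' combined with a non-read-only action"))
    return findings


def is_least_privilege(policy_json):
    """True when the linter raises no findings for the policy document."""
    return not least_privilege_findings(policy_json)


if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, least_privilege_findings(doc))
```

The checks are deliberately syntactic: a policy that passes is not automatically minimal, but one that fails has a grant worth reviewing before it is attached to a role or user. Extending READ_ONLY_PREFIXES is the usual first customisation, since service teams name read-only actions inconsistently.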
Category: Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions. (Category for the PR.AC rows.)

Subcategory: PR.AC-2: Physical access to assets is managed and protected

Informative References:
• ISA 62443-2-1:2009 4.3.3.3.2, 4.3.3.3.8
• ISO/IEC 27001:2013 A.11.1.1, A.11.1.2, A.11.1.4, A.11.1.6, A.11.2.3
• NIST SP 800-53 Rev. 4 PE-2, PE-3, PE-4, PE-5, PE-6, PE-9

AWS Services and Responsibility: AWS Certifications

AWS Implementation/Enablers/Processes:
Physical access to all AWS data centers housing IT infrastructure components is restricted to authorized data center employees, vendors, and contractors who require access in order to execute their jobs. Access to facilities is only permitted at controlled access points requiring multi-factor authentication designed to prevent tailgating and ensure that

Customer Responsibility:
PE-2, PE-3, PE-4, PE-5, PE-6, PE-9: Customers are not responsible for these controls as they will be inherited from AWS. In addition, customers do not have physical access to AWS assets.

Subcategory: PR.AC-3: Remote access is managed

Informative References:
• ISA 62443-2-1:2009 4.3.3.6.6
• ISA 62443-3-3:2013 SR 1.13, SR 2.6
• ISO/IEC 27001:2013 A.6.2.2, A.13.1.1, A.13.2.1
• NIST SP 800-53 Rev. 4 AC‑17, AC-19, AC-

AWS Services and Responsibility: AWS Certifications, Customer Responsibility, AWS IAM (MFA)

AWS Implementation/Enablers/Processes:
AWS requires multi-factor authentication over an approved cryptographic channel for authentication to the internal AWS network from remote locations. Remote access to AWS production environments is limited to defined security groups. The addition of members into a group must be reviewed and approved by authorized individuals who confirm the user’s need for access to the environment. Baselining of groups (e.g.,

Customer Responsibility:
AC-17: AWS customers are responsible for establishing and documenting usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed to their systems in accordance with their access control policy. AWS customers are responsible for authorizing remote access to their systems prior to allowing such connections.
Subcategory: PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
Informative References:
• ISA 62443-2-1:2009 4.3.3.7.3
• ISA 62443-3-3:2013 SR 2.1
• ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4
• NIST SP 800-53 Rev. 4 AC-2, AC-3, AC-5,
AWS Implementation/Enablers/Processes: AWS IAM
AWS Services and Responsibility: AWS user access privileges are restricted based on business need and job responsibilities. AWS employs the concept of least privilege, allowing only the necessary access for users to accomplish their job function. New user accounts are created to have minimal access. User access to AWS systems (for example, network, applications, tools, etc.) requires documented approval from the authorized personnel (for
Customer Responsibility: AC-2: AWS customers are responsible for managing accounts associated with their applications hosted on AWS. AWS customers are responsible for properly using AWS Identity and Access Management (IAM) to create and manage user accounts and to enforce access within their Amazon Elastic Compute Cloud (Amazon EC2) instances and all applications they install.

Subcategory: PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate
Informative References:
• ISA 62443-2-1:2009 4.3.3.4
• ISA 62443-3-3:2013 SR 3.1, SR 3.8
• ISO/IEC 27001:2013 A.13.1.1, A.13.1.3, A.13.2.1
• NIST SP 800-53 Rev. 4 AC-4, SC-7
AWS Implementation/Enablers/Processes: AWS VPC, Security Groups, ACLs/Customer Responsibility
AWS Services and Responsibility: In order to allow for a more comprehensive monitoring of inbound and outbound communications and network traffic, AWS has strategically placed a limited number of access points to the cloud. These customer access points are called API endpoints, and they allow secure HTTP access (HTTPS), which allows you to establish a secure communication session with
Customer Responsibility: AC-4: AWS customers are responsible for configuring their systems and all interconnected systems to enforce their approved information flow policies. This can be accomplished through configuration of Amazon Virtual Private Cloud (Amazon VPC) network Access Control Lists (ACL) for controlling inbound/outbound traffic at the subnet level and

Subcategory: PR.AT-1: All users are informed and trained
Informative References:
• COBIT 5 APO07.03, BAI05.07
• ISA 62443-2-1:2009 4.3.2.4.2
• ISO/IEC 27001:2013 A.7.2.2
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
AWS Services and Responsibility: AWS has implemented a formal, documented security awareness and training policy and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The security awareness and training policy and procedures are reviewed and updated at least annually, or sooner if required due to information system changes. The
Customer Responsibility: AT-2: AWS customers are responsible for providing basic security awareness training to users (including managers, senior executives, and contractors): 1) As part of initial training for new users, 2) When required by information system changes, and 3) At a frequency defined by their organization thereafter.
Subcategory: PR.AT-2: Privileged users understand roles & responsibilities
Informative References:
• COBIT 5 APO07.02, DSS06.03
• ISA 62443-2-1:2009 4.3.2.4.2, 4.3.2.4.3
• ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
AWS Services and Responsibility: See PR.AT-1
Customer Responsibility: AT-3: AWS customers are responsible for providing role-based security training to personnel with assigned security roles and responsibilities: 1) Before authorizing access or performing assigned duties, 2) When required by information system changes, and 3) At a frequency defined by their organization thereafter.
Category: Awareness and Training (PR.AT): The organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.

Subcategory: PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities
Informative References:
• COBIT 5 APO07.03, APO10.04, APO10.05
• ISA 62443-2-1:2009 4.3.2.4.2
• ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
AWS Services and Responsibility: See PR.AT-1
Customer Responsibility: PS-7: AWS customers are responsible for: 1) Establishing personnel security requirements including security roles and responsibilities for third-party providers, 2) Requiring third-party providers to comply with personnel security policies and procedures established by their organization, 3) Documenting personnel security requirements, 4) Requiring third-party providers to notify organization-defined personnel or roles of
Subcategory: PR.AT-4: Senior executives understand roles & responsibilities
Informative References:
• COBIT 5 APO07.03
• ISA 62443-2-1:2009 4.3.2.4.2
• ISO/IEC 27001:2013 A.6.1.1, A.7.2.2,
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
AWS Services and Responsibility: See PR.AT-1
Customer Responsibility: AT-3: AWS customers are responsible for providing role-based security training to personnel with assigned security roles and responsibilities: 1) Before authorizing access or performing assigned duties, 2) When required by information system changes, and 3) At a frequency defined by their organization thereafter.
Subcategory: PR.AT-5: Physical and information security personnel understand roles & responsibilities
Informative References:
• COBIT 5 APO07.03
• ISA 62443-2-1:2009 4.3.2.4.2
• ISO/IEC 27001:2013 A.6.1.1, A.7.2.2,
AWS Implementation/Enablers/Processes: AWS Certifications
AWS Services and Responsibility: See PR.AT-1
Customer Responsibility: AT-3: AWS customers are responsible for providing role-based security training to personnel with assigned security roles and responsibilities: 1) Before authorizing access or performing assigned duties, 2) When required by information system changes, and 3) At a frequency defined by their organization thereafter.
Subcategory: PR.DS-1: Data-at-rest is protected
Informative References:
• COBIT 5 APO01.06, BAI02.01, BAI06.01, DSS06.06
• ISA 62443-3-3:2013 SR 3.4, SR 4.1
• ISO/IEC 27001:2013 A.8.2.3
AWS Implementation/Enablers/Processes: AWS Certifications, AWS Encryption Services (KMS/EBS/S3/EC2/RDS/Redshift/DynamoDB), Customer Responsibility
AWS Services and Responsibility: AWS offers customers the ability to add an additional layer of security to data at rest in the cloud, providing scalable and
Customer Responsibility: SC-28: AWS customers are responsible for configuring their systems to protect the confidentiality and/or integrity of organization-defined information at rest in accordance with their system and communications protection policy.

Subcategory: PR.DS-2: Data-in-transit is protected
Informative References:
• COBIT 5 APO01.06, DSS06.06
• ISA 62443-3-3:2013 SR 3.1, SR 3.8, SR 4.1, SR 4.2
• ISO/IEC 27001:2013 A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
AWS Implementation/Enablers/Processes: AWS Certifications, AWS Encryption Services (KMS/EBS/S3/EC2/RDS/Redshift/DynamoDB), Customer Responsibility
AWS Services and Responsibility: AWS supports SSL/TLS encryption for all of its API endpoints and the ability to create encrypted VPN tunnels to connect the customer environment to AWS. To support customers with FIPS 140-2 requirements, the Amazon Virtual Private Cloud VPN endpoints and SSL terminations in AWS GovCloud (US) operate using FIPS 140-2 validated hardware.
Customer Responsibility: SC-8: AWS customers are responsible for implementing mechanisms to protect the confidentiality and integrity of transmitted information.
Category: Data Security (PR.DS): Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.

Subcategory: PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
Informative References:
• ISA 62443-2-1:2009 4.3.3.3.9, 4.3.4.4.1
• ISA 62443-3-3:2013 SR 4.2
• ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.8.3.3, A.11.2.7
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
AWS Services and Responsibility: In order to ensure asset management inventory and maintenance procedures are properly executed, AWS assets are assigned an owner, tracked and monitored with AWS proprietary inventory management tools. AWS asset owner maintenance procedures are carried out by method of utilizing a proprietary tool with specified checks that must be completed according to the documented maintenance
Customer Responsibility: CM-8: AWS customers are responsible for developing, documenting, reviewing, and updating at an organization-defined frequency an inventory of system components for their systems. AWS customers are responsible for verifying that the inventory: 1) Accurately reflects the current system, 2) Includes all components within the authorization boundary, 3) Is at the level of granularity deemed necessary for tracking and

Subcategory: PR.DS-4: Adequate capacity to ensure availability is maintained
Informative References:
• COBIT 5 APO13.01
• ISA 62443-3-3:2013 SR 7.1, SR 7.2
• ISO/IEC 27001:2013 A.12.3.1
• NIST SP 800-53 Rev. 4 AU-4, CP-2, SC-5
AWS Implementation/Enablers/Processes: AWS Reference Architectures & Best Practices, Customer Responsibility
AWS Services and Responsibility: AWS maintains a capacity planning model to assess infrastructure usage and demands at least monthly, and usually more frequently (for example, weekly). In addition, the AWS capacity planning model supports planning for future demands based upon current resources and forecasted requirements.
Customer Responsibility: AU-4: AWS customers are responsible for allocating audit record storage capacity in accordance with the audit record storage requirements defined in their audit and accountability policy. CP-2: AWS customers are responsible for developing a

Subcategory: PR.DS-5: Protections against data leaks are implemented
Informative References:
• ISA 62443-3-3:2013 SR 5.2
• ISO/IEC 27001:2013 A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3
AWS Implementation/Enablers/Processes: AWS Certifications, AWS Reference Architectures & Best Practices, Customer Responsibility
AWS Services and Responsibility: AWS treats all customer content and associated assets as critical information. AWS services are content agnostic, in that they offer the same high level of security to all customers, regardless of the type of content being stored. We are vigilant about our customers' security and have implemented sophisticated technical and physical measures against unauthorized access. AWS has no insight as to what type of
Customer Responsibility: AC-4: AWS customers are responsible for configuring their systems and all interconnected systems to enforce their approved information flow policies. This can be accomplished through configuration of Amazon Virtual Private Cloud (Amazon VPC) network Access Control Lists (ACL) for controlling inbound/outbound traffic at the subnet level and Amazon VPC security groups for controlling traffic at the

Subcategory: PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
Informative References:
• ISA 62443-3-3:2013 SR 3.8
• ISO/IEC 27001:2013 A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3
AWS Implementation/Enablers/Processes: AWS Certifications, AWS Resource Tagging, AWS Config, AWS Config Rules, AWS CloudFormation, AWS CloudTrail, AWS CloudWatch Logs, Customer Responsibility
AWS Services and Responsibility: AWS treats all customer content and associated assets as critical information. AWS services are content agnostic, in that they offer the same high level of security to all customers, regardless of the type of content being stored. We are vigilant
Customer Responsibility: SI-7: AWS customers are responsible for employing integrity verification tools to monitor and detect unauthorized changes to organization-defined software, firmware, and information within their information system.

Subcategory: PR.DS-7: The development and testing environment(s) are separate from the production environment
Informative References:
• COBIT 5 BAI07.04
• ISO/IEC 27001:2013 A.12.1.4
• NIST SP 800-53 Rev. 4 CM-2
AWS Implementation/Enablers/Processes: AWS VPC, Security Groups, ACLs/Customer Responsibility
AWS Services and Responsibility: The customer controls the creation and separation of development and test environments from production.
Customer Responsibility: CM-2: AWS customers are responsible for developing, documenting, and maintaining under configuration control a current baseline configuration of their systems.
Subcategory: PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained
Informative References:
• COBIT 5 BAI10.01, BAI10.02, BAI10.03, BAI10.05
• ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3
• ISA 62443-3-3:2013 SR 7.6
• ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
AWS Implementation/Enablers/Processes: AWS Certifications, AWS Resource Tagging, AWS Config, AWS Config Rules, AWS CloudFormation, AWS CloudTrail, AWS CloudWatch Logs, Customer Responsibility
AWS Services and Responsibility: FedRAMP and ISO 27001 certifications document in detail the baseline Configuration Management policies, procedures, systems and technologies used by AWS to document and maintain the configuration of its infrastructure.
Customer Responsibility: CM-2: AWS customers are responsible for developing, documenting, and maintaining under configuration control a current baseline configuration of their systems. CM-3: AWS customers are responsible for implementing a configuration change control process in accordance with their configuration management policy that includes the following elements: 1) Determination of the types of changes to the
Subcategory: PR.IP-2: A System Development Life Cycle to manage systems is implemented
Informative References:
• ISA 62443-2-1:2009 4.3.4.3.3
• ISO/IEC 27001:2013 A.6.1.5, A.14.1.1, A.14.2.1, A.14.2.5
• NIST SP 800-53 Rev. 4 SA-3, SA-4, SA-8,
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
AWS Services and Responsibility: FedRAMP and ISO 27001 certifications document in detail the System Development Lifecycle policies and procedures used by AWS. AWS uses the SDLC documented in NIST SP 800-64 rev 2.
Customer Responsibility: SA-3: AWS customers are responsible for: 1) Managing their systems using an organization-defined System Development Life Cycle (SDLC) that incorporates information security considerations, 2) Defining and documenting information security roles and responsibilities throughout the SDLC, 3) Identifying individuals having information security roles and

Subcategory: PR.IP-3: Configuration change control processes are in place
Informative References:
• ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3
• ISA 62443-3-3:2013 SR 7.6
• ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
AWS Implementation/Enablers/Processes: AWS Resource Tagging, AWS Config, AWS Config Rules, AWS CloudFormation, AWS CloudTrail, AWS CloudWatch & CloudWatch Logs, Customer Responsibility
AWS Services and Responsibility: FedRAMP and ISO 27001 certifications document in detail the policies and procedures by which AWS operates, maintains, controls, approves, deploys, reports, and monitors all changes to its environment and infrastructure.
Customer Responsibility: CM-3: AWS customers are responsible for implementing a configuration change control process in accordance with their configuration management policy that includes the following elements: 1) Determination of the types of changes to the information system that are configuration-controlled, 2) Review of all proposed configuration-controlled changes to the information system and approval or disapproval of such
Category: Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

Subcategory: PR.IP-4: Backups of information are conducted, maintained, and tested periodically
Informative References:
• COBIT 5 APO13.01
• ISA 62443-2-1:2009 4.3.4.3.9
• ISA 62443-3-3:2013 SR 7.3, SR 7.4
• ISO/IEC 27001:2013 A.12.3.1, A.17.1.2, A.17.1.3, A.18.1.3
• NIST SP 800-53 Rev. 4 CP-4, CP-6, CP-9
AWS Implementation/Enablers/Processes: AWS Best Practices & Reference Architectures, AWS S3, EBS Snapshots, AWS Glacier, Customer Responsibility
AWS Services and Responsibility: FedRAMP and ISO 27001 certifications document in detail the manner in which AWS operates, maintains, controls, provides redundancy for and periodically tests backups and recovery of information.
Customer Responsibility: CP-4: AWS customers are responsible for testing their contingency plan at an organization-defined frequency using organization-defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan. AWS customers are responsible for reviewing the results of contingency plan testing and initiating corrective actions when needed.
CP-6: AWS customers are responsible for conducting backups of user-level, system-level, and system documentation (including security information) at a frequency defined in their contingency planning policy. AWS customers are responsible for protecting the confidentiality, integrity, and availability of backup information at storage locations.
CP-9: AWS provides best practices and reference architectures to assist customers in developing, operating, maintaining, controlling, providing redundancy for and periodically testing backups and recovery of information stored in their AWS infrastructure. It is the customer's responsibility to make use of this information and to document and test policies and procedures.

Subcategory: PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
Informative References:
• ISA 62443-2-1:2009 4.3.3.3.1, 4.3.3.3.2, 4.3.3.3.3, 4.3.3.3.5, 4.3.3.3.6
• ISO/IEC 27001:2013 A.11.1.4, A.11.2.1, A.11.2.2, A.11.2.3
AWS Implementation/Enablers/Processes: AWS Certifications
AWS Services and Responsibility: FedRAMP and ISO 27001 certifications document in detail the manner in which AWS operates, maintains, controls and provides redundancy and emergency responses for its physical infrastructure.
Customer Responsibility: PE-10, PE-12, PE-13, PE-14, PE-15, PE-18: Customers are not responsible for these controls as they will be inherited from AWS. Customers are responsible for detailing the manner in which they operate, maintain, control and provide redundancy and

Subcategory: PR.IP-6: Data is destroyed according to policy
Informative References:
• ISA 62443-2-1:2009 4.3.4.4.4
• ISA 62443-3-3:2013 SR 4.2
• ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
AWS Services and Responsibility: FedRAMP and ISO 27001 certifications document in detail the manner in which AWS sanitizes media and destroys data. AWS uses products and procedures that conform with NIST SP 800-88.
Customer Responsibility: MP-6: Customers are not responsible for these controls as they will be inherited from AWS. Customers must document their Data Security Management and Data Destruction plans in detail for the data they store in their AWS infrastructure. AWS provides data encryption, key management, deletion and lifecycle management services for

Subcategory: PR.IP-7: Protection processes are continuously improved
Informative References:
• COBIT 5 APO11.06, DSS04.05
• ISA 62443-2-1:2009 4.4.3.1, 4.4.3.2, 4.4.3.3, 4.4.3.4, 4.4.3.5, 4.4.3.6, 4.4.3.7, 4.4.3.8
• NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-8, PL-2, PM-6
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
AWS Services and Responsibility: FedRAMP and ISO 27001 certifications document in detail the manner and extent to which AWS continually assesses, documents, improves and reports protection processes.
Customer Responsibility: CA-2: AWS customers are responsible for conducting security assessments for their systems. Within this context and in accordance with their security assessment and authorization policy, AWS customers are responsible for: 1) Developing a security assessment plan that describes the security controls and control enhancements under assessment, assessment procedures used to determine effectiveness, the assessment

Subcategory: PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties
Informative References:
• ISO/IEC 27001:2013 A.16.1.6
• NIST SP 800-53 Rev. 4 AC-21, CA-7, SI-4
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
AWS Services and Responsibility: FedRAMP and ISO 27001 certifications document in detail the manner and extent to which AWS shares information regarding the effectiveness of protection technologies with
Customer Responsibility: AC-21: AWS customers are responsible for defining information sharing circumstances where user discretion is required. AWS customers are responsible for facilitating
Subcategory: PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
Informative References:
• ISA 62443-2-1:2009 4.3.2.5.3, 4.3.4.5.1
• ISO/IEC 27001:2013 A.16.1.1, A.17.1.1, A.17.1.2
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
AWS Services and Responsibility: FedRAMP and ISO 27001 certifications document in detail the manner in which AWS incident response and recovery plans and business continuity plans are managed for all AWS infrastructure, vendors and personnel.
Customer Responsibility: CP-2: AWS customers are responsible for developing a contingency plan for their system that: 1) Identifies essential missions and business functions and associated contingency requirements, 2) Provides recovery objectives, restoration priorities, and metrics, 3) Addresses contingency roles, responsibilities, and assigned individuals with contact

Subcategory: PR.IP-10: Response and recovery plans are tested
Informative References:
• ISA 62443-2-1:2009 4.3.2.5.7, 4.3.4.5.11
• ISA 62443-3-3:2013 SR 3.3
• ISO/IEC 27001:2013 A.17.1.3
• NIST SP 800-53 Rev. 4 CP-4, IR-3, PM-14
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
AWS Services and Responsibility: FedRAMP and ISO 27001 certifications document in detail the manner in which AWS response and recovery plans are tested for all AWS infrastructure, vendors and personnel.
Customer Responsibility: CP-4: AWS customers are responsible for testing their contingency plan at an organization-defined frequency using organization-defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan. AWS customers are responsible for reviewing the results of contingency plan testing and initiating corrective actions when

Subcategory: PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
Informative References:
• ISA 62443-2-1:2009 4.3.3.2.1, 4.3.3.2.2, 4.3.3.2.3
• ISO/IEC 27001:2013 A.7.1.1, A.7.3.1, A.8.1.4
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
AWS Services and Responsibility: FedRAMP and ISO 27001 certifications document in detail the manner in which cybersecurity is included for all AWS personnel.
Customer Responsibility: PS-1: AWS customers are responsible for developing, documenting, maintaining, disseminating, and implementing a personnel security policy along with supporting procedures. AWS customers are responsible for reviewing and updating the policy and procedures at a frequency defined by their organization.

Subcategory: PR.IP-12: A vulnerability management plan is developed and implemented
Informative References:
• ISO/IEC 27001:2013 A.12.6.1, A.18.2.2
• NIST SP 800-53 Rev. 4 RA-3, RA-5, SI-2
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
AWS Services and Responsibility: FedRAMP and ISO 27001 certifications document in detail the manner in which risk and vulnerabilities are assessed, managed and remediated and reported for the AWS
Customer Responsibility: RA-3: AWS customers are responsible for: 1) Conducting an assessment of risk to include the likelihood and magnitude of harm from the unauthorized access, use, disclosure,
Category: Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures.

Subcategory: PR.MA-1: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools
Informative References:
• ISA 62443-2-1:2009 4.3.3.3.7
• ISO/IEC 27001:2013 A.11.1.2, A.11.2.4, A.11.2.5
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
AWS Services and Responsibility: FedRAMP and ISO 27001 certifications document in detail the manner in which remote maintenance policies for the AWS infrastructure are approved, performed, logged and reviewed so as to assure timeliness and use of only approved and authorized tools.
Customer Responsibility: MA-2, MA-3, MA-5: Customers are not responsible for these controls as they will be inherited from AWS. Customers have the responsibility to document in detail the manner in which remote maintenance policies for the AWS infrastructure they deploy ensure maintenance is approved,

Subcategory: PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
Informative References:
• ISA 62443-2-1:2009 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.4.4.6.8
• ISO/IEC 27001:2013 A.11.2.4, A.15.1.1, A.15.2.1
AWS Implementation/Enablers/Processes: AWS Certifications, AWS IAM, CloudTrail, AWS CloudWatch & CloudWatch Logs, AWS Config, AWS Config Rules, Customer Responsibility
AWS Services and Responsibility: FedRAMP and ISO 27001 certifications document in detail the manner in which all remote maintenance for the AWS infrastructure is approved, performed, logged and reviewed so as to prevent unauthorized access.
Customer Responsibility: MA-4: Customers are not responsible for these controls as they will be inherited from AWS. AWS provides a number of services that customers can use, such as AWS IAM, CloudTrail, AWS CloudWatch & CloudWatch Logs, AWS Config and AWS Config Rules, to enable all remote

Subcategory: PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
Informative References:
• COBIT 5 APO11.04
• ISA 62443-2-1:2009 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
• ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12
• ISO/IEC 27001:2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1
AWS Implementation/Enablers/Processes: AWS Resource Tagging, AWS Config, AWS Config Rules, AWS CloudFormation, AWS CloudTrail, AWS CloudWatch & CloudWatch Logs, Customer Responsibility
AWS Services and Responsibility: FedRAMP and ISO 27001 certifications document in detail the manner in which all audit logs and records for the AWS infrastructure are implemented and reviewed.
Customer Responsibility: AU-1: AWS customers are responsible for developing, documenting, maintaining, disseminating, and implementing an audit and accountability policy along with supporting procedures. AWS customers are responsible for reviewing and updating the policy and procedures at a frequency defined by their organization. AU-2: AWS customers are responsible for defining auditing
Category: Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

Subcategory: PR.PT-2: Removable media is protected and its use restricted according to policy
Informative References:
• ISA 62443-3-3:2013 SR 2.3
• ISO/IEC 27001:2013 A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.9
• NIST SP 800-53 Rev. 4 MP-2, MP-4, MP-5,
AWS Implementation/Enablers/Processes: N/A
AWS Services and Responsibility: FedRAMP and ISO 27001 certifications document in detail the manner in which all removable media assets for the AWS infrastructure are used and protected.
Customer Responsibility: MP-2, MP-4, MP-5, MP-7: Customers are not responsible for these controls as they will be inherited from AWS. Customers are not permitted direct access to any physical media within their AWS infrastructure. Should customers choose to load data or configurations from AWS onto their

Subcategory: PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality
Informative References:
• ISA 62443-2-1:2009 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
• ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7
AWS Implementation/Enablers/Processes: AWS Certifications, AWS IAM, Customer Responsibility
AWS Services and Responsibility: FedRAMP and ISO 27001 certifications document in detail the manner in which the principle of least privilege is implemented to control access to systems and assets for the AWS infrastructure.
Customer Responsibility: AC-3: AWS customers are responsible for configuring their systems to enforce logical access based on approved authorizations and in accordance with their access control policy. CM-7: AWS customers are responsible for configuring their system to provide only essential capabilities and to prohibit or

Subcategory: PR.PT-4: Communications and control networks are protected
Informative References:
• COBIT 5 DSS05.02, APO13.01
• ISA 62443-3-3:2013 SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
• ISO/IEC 27001:2013 A.13.1.1, A.13.2.1
AWS Implementation/Enablers/Processes: AWS Certifications, AWS VPC, Security Groups, ACLs, VPC Flow Logs, Customer Responsibility
AWS Services and Responsibility: FedRAMP and ISO 27001 certifications document in detail the manner in which both the communications and control networks for the AWS infrastructure are isolated and protected.
Customer Responsibility: AC-4: AWS customers are responsible for configuring their systems and all interconnected systems to enforce their approved information flow policies. This can be accomplished through configuration of Amazon Virtual Private Cloud (Amazon VPC) network Access Control Lists (ACL) for controlling inbound/outbound traffic at the subnet level and Amazon VPC security groups for controlling traffic at the
Category: Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood.

Subcategory: DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
Informative References:
• COBIT 5 DSS03.01
• ISA 62443-2-1:2009 4.4.3.3
• NIST SP 800-53 Rev. 4 AC-4, CA-3, CM-2, SI-4
AWS Implementation/Enablers/Processes: AWS CloudWatch, CloudWatch Logs, CloudTrail, VPC Flow Logs, Customer Responsibility
AWS Services and Responsibility: Anomalies and events detection are capabilities for which the customer is responsible. While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter.
AWS utilizes a wide variety of automated monitoring systems designed to detect unusual or unauthorized activities and conditions at ingress and egress communication points of its infrastructure. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts. The tools have the ability to set custom performance metrics thresholds for unusual activity, and alarms are configured to automatically notify operations and management personnel when early warning thresholds are crossed on key operational metrics. Responses are performed according to incident response processes and procedures.
Customer Responsibility: AC-4: AWS customers are responsible for configuring their systems and all interconnected systems to enforce their approved information flow policies. This can be accomplished through configuration of Amazon Virtual Private Cloud (Amazon VPC) network Access Control Lists (ACL) for controlling inbound/outbound traffic at the subnet level and Amazon VPC security groups for controlling traffic at the instance level.

Subcategory: DE.AE-2: Detected events are analyzed to understand attack targets and methods
Informative References:
• COBIT 5 DSS03.01
• ISA 62443-2-1:2009 4.4.3.3
• NIST SP 800-53 Rev. 4 AC-4, CA-3, CM-2, SI-4
AWS Implementation/Enablers/Processes: AWS CloudWatch, CloudWatch Logs, CloudTrail, VPC Flow Logs, Customer Responsibility
AWS Services and Responsibility: See DE.AE-1
Customer Responsibility: AC-4: AWS customers are responsible for reviewing and analyzing audit records at an organization-defined frequency for indications of organization-defined inappropriate or unusual activity and reporting these findings to organization-defined personnel or roles in accordance with their audit and accountability policy.
CA-3: AWS customers are responsible for documenting, authorizing, reviewing, and updating Interconnection Security Agreements (ISAs) for connections between their system and other systems that include the following information for each connection: 1) Interface characteristics, 2) Security requirements, and 3) The nature of the information communicated. AWS customers are responsible for reviewing and updating ISAs at a frequency defined by their security assessment and authorization policy.

Subcategory: DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors
Informative References:
• ISA 62443-3-3:2013 SR 6.1
• NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, IR-8, SI-4
AWS Implementation/Enablers/Processes: AWS CloudWatch, CloudWatch Logs, CloudTrail, VPC Flow Logs, Customer Responsibility
AWS Services and Responsibility: See DE.AE-1
Customer Responsibility: AU-6: AWS customers are responsible for reviewing and analyzing audit records at an organization-defined frequency for indications of organization-defined inappropriate or

Subcategory: DE.AE-4: Impact of events is determined
Informative References:
• COBIT 5 APO12.06
• NIST SP 800-53 Rev. 4 CP-2, IR-4, RA-3, SI-4
AWS Implementation/Enablers/Processes: Customer Responsibility
AWS Services and Responsibility: See DE.AE-1
Customer Responsibility: CP-2: AWS customers are responsible for developing a contingency plan for their system that: 1) Identifies essential missions and business functions and associated contingency

Subcategory: DE.AE-5: Incident alert thresholds are established
Informative References:
• COBIT 5 APO12.06
• ISA 62443-2-1:2009 4.2.3.10
• NIST SP 800-53 Rev. 4 IR-4, IR-5, IR-8
AWS Implementation/Enablers/Processes: AWS Best Practices, AWS Reference Architectures, AWS CloudWatch, CloudWatch Logs, CloudTrail, VPC Flow Logs, Customer Responsibility
AWS Services and Responsibility: See DE.AE-1
Customer Responsibility: IR-4: AWS customers are responsible for implementing an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery in accordance with their incident response

Subcategory: DE.CM-1: The network is monitored to detect potential cybersecurity events
Informative References:
• COBIT 5 DSS05.07
• ISA 62443-3-3:2013 SR 6.2
AWS Implementation/Enablers/Processes: AWS Best Practices, AWS Reference Architectures, AWS Config, AWS Config Rules, AWS CloudWatch, CloudWatch Logs, CloudTrail, VPC Flow Logs, Customer Responsibility
AWS Services and Responsibility: Policies, procedures and mechanisms to monitor and protect the AWS network environment are in place. AWS security controls are reviewed by independent external auditors during audits for SOC, PCI DSS, ISO 27001 and FedRAMP compliance.
Customer Responsibility: AC-2: AWS customers are responsible for managing accounts associated with their applications hosted on AWS. AWS customers are responsible for properly using AWS Identity and Access Management (IAM) to create and manage user
CM-2: AWS customers are responsible for developing, documenting, and maintaining under configuration control a current baseline configuration of their systems.
accounts
SI-4: AWSand to enforce
customers are access withinfor:
responsible their
1) Amazon
Monitoring Elastic
their
• ISA
NIST62443-2-1:2009
SP 800-53 Rev. 4.3.3.3.8
4 AC-2, AU-12, CA-7, Compute
DE.CM-2: The physical environment is AWS Certifications The AWS Incident response program (detection, investigation CA-7: AWSCloud
information customers
system (Amazon
to are EC2) instances
responsible
detect: a) Attacksforand all applications
developing
and indicators a of
monitored to detect potential cybersecurity and response to incidents) has been developed in alignment continuous monitoring
potential attacks strategy with
in accordance and implementing
organization-defined a
• NIST SP 800-53 Rev. 4 CA-7, PE-3, PE-6,
events with ISO 27001 standards. The security and monitoring continuous monitoringand
monitoring objectives program in accordance
b) Unauthorized local,with their and
network,
PE-20 AWS has established controls to address the threat of AC-2: AWS customers2)are responsible for managing
AWS Certifications, Customer Responsibility remote connections; Identifying unauthorized useaccounts
of the
DE.CM-3: Personnel activity is monitored to • ISO/IEC 27001:2013 A.12.4.1 inappropriate insider access. All certifications and third-party associated
informationwith system theirthrough
applications hosted on AWS.techniques
organization-defined AWS
detect potential cybersecurity events attestations evaluate logical access preventative and detective customers
and methods; are 3) responsible
Deployingfor properly devices:
monitoring using AWS Identity and
a) Strategically
• NIST SP 800-53 Rev. 4 AC-2, AU-12, AU- controls. In addition, periodic risk assessments focus on how Access Management
within the information (IAM)
systemto create andorganization-
to collect manage user
13, CA-7, CM-10, CM-11 AWS Best Practices, AWS Reference Architectures, AWS SI-3: AWS customers
determined essential are responsible
information andfor:
b) At1) ad
Implementing
hoc locations
• COBIT 5 DSS05.01 Config, AWS ConfigRulesAWS Cloudwatch, CloudWatch Logs, malicious
within thecodesystem protection
to track mechanisms
specific typesatofinformation
transactionssystemof
CloudTrail, VPC Flowlogs, Customer Responsibility entry and
interest toexit
their points to detect4)and
organization; eradicateinformation
Protecting malicious code;
DE.CM-4: Malicious code is detected • ISA 62443-2-1:2009 4.3.4.3.8 2) Updating
obtained from malicious code protection
intrusion-monitoring mechanisms
tools whenever
from unauthorized
• ISA 62443-3-3:2013 SR 3.2 new releases are available in accordance with organizational
access, modification, and deletion; 5) Heightening the level of
configuration management policy and procedures;
information system monitoring activity whenever there is an 3)
• ISO/IEC 27001:2013 A.12.2.1 Configuring
indication ofmalicious
increasedcode protection
risk to mechanisms
organizational operationsto: a)and
• ISA 62443-3-3:2013 SR 2.4 Perform periodic scans
assets, individuals, otheroforganizations,
the information or system
the Nation at anbased on
AWS Mobile Services, Customer Responsibility SC-18: AWS customers are responsible for defining acceptable
DE.CM-5: Unauthorized mobile code is law enforcement
and unacceptableinformation,
mobile code,intelligence
establishinginformation, or
usage restrictions
• ISO/IEC 27001:2013 A.12.5.1 other credible sources of information; 6) Obtaining legal
detected and implementation guidance for acceptable mobile code, and
opinion withmonitoring,
authorizing, regard to information
and system
controlling the monitoring
use of mobile
• NIST SP 800-53 Rev. 4 SC-18, SI-4. SC-44 activities in accordance with applicable federal laws, Executive
AWS Certifications, Customer Responsibility AWS has established controls to address the threat of CA-7: AWS customers are responsible for
Orders, directives, policies, or regulations; and 7) Providingdeveloping a
inappropriate access. All certifications and third-party continuous monitoring
organization-defined strategy and
information implementing
system monitoring a
• COBIT 5 APO07.06 attestations evaluate logical access preventative and detective continuous
informationmonitoring program in accordance
to organization-defined personnel with their
or roles as
DE.CM-6: External service provider activity controls. In addition, periodic risk assessments focus on how security
needed or assessment
in accordance and authorization policy that defines: 1)
with an organization-defined
• ISO/IEC 27001:2013 A.14.2.7, A.15.2.1 access is controlled and monitored. Metrics to be monitored, 2) Frequencies for monitoring and
is monitored to detect potential frequency.
cybersecurity events reporting, and 3) Personnel or roles responsible for conducting
• NIST SP 800-53 Rev. 4 CA-7, PS-7, SA-4, and receiving
SA-9, SI-4 Customers arecontinuous
responsiblemonitoring analysis
for establishing andinformation.
managing a
Pursuant
baseline of tonetwork
this continuous
operations monitoring program,
and expected dataAWSflows.
customers
Customers are mayresponsible
leverage AWS for:provided
1) Establishing
services and configuring
and features
AWS Best Practices, AWS Reference Architectures, AWS monitoring
AU-12: for defined metrics, 2) Monitoring and conducting
Security Continuous Monitoring (DE.CM): such as AWS
Amazon customers
CloudWatch,are responsible for configuring
Amazon CloudWatch Logs,their
AWS
Config, AWS ConfigRulesAWS Cloudwatch, CloudWatch Logs, systems
CloudTrail,to:and
1) Provide
Amazonaudit VPC record
Flow Logs;generation
or theycapabilities
may use 3rdfor
The information system and assets are CloudTrail, VPC Flowlogs, Customer Responsibility the auditable events
monitored at discrete intervals to identify party or custom toolsdefined in AU-2a for all system
and technologies.
components where audit capabilities are deployed/required
cybersecurity events and verify the based on the audit and accountability policy, 2) Allow
effectiveness of protective measures. organization-defined personnel or roles to select which
auditable events are to be audited by specific components,
and 3) Generate audit records for the events defined in AU-2d
with the content defined in AU-3.

CA-7: AWS customers are responsible for developing a


continuous monitoring strategy and implementing a
continuous monitoring program in accordance with their
security assessment and authorization policy that defines: 1)
Metrics to be monitored, 2) Frequencies for monitoring and
DE.CM-7: Monitoring for unauthorized reporting, and 3) Personnel or roles responsible for conducting
personnel, connections, devices, and • NIST SP 800-53 Rev. 4 AU-12, CA-7, CM-3, and receiving continuous monitoring analysis information.
CM-8, PE-3, PE-6, PE-20, SI-4 Pursuant to this continuous monitoring program, AWS
software is performed
customers are responsible for: 1) Establishing and configuring
monitoring for defined metrics, 2) Monitoring and conducting
assessments as organization-defined frequencies, 3)
Conducting ongoing security control assessments, 4)
Conducting ongoing security status monitoring of their
organization-defined metrics, 5) Correlating and analyzing
security-related information generated by assessments and
monitoring, 5) Taking appropriate response actions to address
the results of the analysis of security-related information, and
6) Reporting the security status of their organization and the
information system to the organization-defined personnel or
roles at the organization-defined frequency.

CM-3: AWS customers are responsible for implementing a


configuration change control process in accordance with their
• COBIT 5 BAI03.10 configuration management policy that includes the following
AWS Certifications, Customer Responsibility AWS Security regularly scans all Internet facing service RA-5: AWS customers are responsible for: 1) Scanning for
• ISA 62443-2-1:2009 4.2.3.1, 4.2.3.7 endpoint IP addresses for vulnerabilities (these scans do not vulnerabilities in their information system and hosted
DE.CM-8: Vulnerability scans are performed include customer instances). AWS Security notifies the applications at an organization-defined frequency and/or
• ISO/IEC 27001:2013 A.12.6.1 appropriate parties to remediate any identified vulnerabilities. randomly in accordance with their organization-defined
In addition, external vulnerability threat assessments are process and when new vulnerabilities potentially affecting the
• NIST SP 800-53 Rev. 4 RA-5 AWS Certifications, Customer Responsibility performed
AWS regularly by aindependent
has implemented security firms.
formal, documented Findings CA-2:
incident system/applications
AWS customersareareidentified andfor
responsible reported; 2) Employing
conducting security
• COBIT 5 DSS05.01 response policy and program (detection, investigation and assessments for their systems. Within this context and in
DE.DP-1: Roles and responsibilities for response to incidents) in alignment with ISO 27001 standards. accordance with their security assessment and authorization
detection are well defined to ensure • ISA 62443-2-1:2009 4.4.3.1 The policy addresses purpose, scope, roles, responsibilities, policy, AWS customers are responsible for: 1) Developing a
accountability and management commitment. AWS SOC reports provide security assessment plan that describes the security controls
• ISO/IEC 27001:2013 A.6.1.1 additional details on controls in place to restrict system access. and control enhancements under assessment, assessment
procedures used to determine effectiveness, the assessment
AWS Certifications, Customer Responsibility Refer to AWS Overview of Security Processes for additional CA-2: AWS customers are responsible for conducting security
DE.DP-2: Detection activities comply with all • ISO/IEC 27001:2013 A.18.1.4 details - available at http://aws.amazon.com/security. assessments for their systems. Within this context and in
applicable requirements accordance with their security assessment and authorization
• NIST SP 800-53 Rev. 4 CA-2, CA-7, PM-14, policy, AWS customers are responsible for: 1) Developing a
AWS Certifications, Customer Responsibility CA-2: AWS customers are responsible for conducting security
• ISA 62443-2-1:2009 4.4.3.2 assessments for their systems. Within this context and in
Detection Processes (DE.DP): Detection • ISA 62443-3-3:2013 SR 3.3 accordance with their security assessment and authorization
processes and procedures are maintained DE.DP-3: Detection processes are tested policy, AWS customers are responsible for: 1) Developing a
and tested to ensure timely and adequate • ISO/IEC 27001:2013 A.14.2.8 security assessment plan that describes the security controls
awareness of anomalous events. and control enhancements under assessment, assessment
• NIST SP 800-53 Rev. 4 CA-2, CA-7, PE-3, procedures used to determine effectiveness, the assessment
AWS Certifications, Customer Responsibility AU-6: AWS customers are responsible for reviewing and
• ISA 62443-2-1:2009 4.3.4.5.9 analyzing audit records at an organization-defined frequency
• ISA 62443-3-3:2013 SR 6.1 for indications of organization-defined inappropriate or
DE.DP-4: Event detection information is
communicated to appropriate parties unusual activity and reporting these findings to organization-
• ISO/IEC 27001:2013 A.16.1.2 defined personnel or roles in accordance with their audit and
accountability policy.
• NIST SP 800-53 Rev. 4 AU-6, CA-2, CA-7,
AWS Certifications, Customer Responsibility CA-2: AWS customers are responsible for conducting security
• ISA 62443-2-1:2009 4.4.3.4 assessments for their systems. Within this context and in
DE.DP-5: Detection processes are accordance with their security assessment and authorization
continuously improved • ISO/IEC 27001:2013 A.16.1.6 policy, AWS customers are responsible for: 1) Developing a
security assessment plan that describes the security controls
• NIST SP 800-53 Rev. 4, CA-2, CA-7, PL-2, and control enhancements under assessment, assessment
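The Detect rows above leave the customer responsible for a baseline of expected data flows (DE.AE-1, DE.CM-1/DE.CM-7), for alert thresholds (DE.AE-5) and for analyzing the resulting audit records (AU-6). The following Python is an added example, not part of the AWS mapping, showing what that looks like over Amazon VPC Flow Log records in the documented default (version 2) format; the VPC layout, addresses, ENI ids, account id and reject threshold are constructed for the example.

```python
"""Added example (not from the AWS mapping): check Amazon VPC Flow Log records against a
customer-defined baseline of expected data flows and count rejected attempts per source."""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass, field
from typing import Iterable

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")
PROTOCOLS = {"1": "icmp", "6": "tcp", "17": "udp"}  # IANA protocol numbers used below

@dataclass(frozen=True)
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: str
    action: str  # "ACCEPT" or "REJECT"

def parse_flow_log(line: str) -> FlowRecord | None:
    """Parse one default-format record; NODATA/SKIPDATA records carry '-' in the traffic
    fields and describe no flow, so they are skipped (None)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK" or rec["action"] == "-":
        return None
    return FlowRecord(rec["srcaddr"], rec["dstaddr"], int(rec["srcport"]), int(rec["dstport"]),
                      PROTOCOLS.get(rec["protocol"], rec["protocol"]), rec["action"])

@dataclass(frozen=True)
class ExpectedFlow:
    """One baseline entry: which client networks may reach which servers on a service port."""
    source: str       # CIDR of the permitted clients
    destination: str  # CIDR of the servers
    dstport: int
    protocol: str

    def _covers(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination))

    def matches(self, r: FlowRecord) -> bool:
        """True for the request direction or for the server's reply (source port = service
        port): VPC Flow Logs record each direction of a connection as a separate record."""
        if r.protocol != self.protocol:
            return False
        request = r.dstport == self.dstport and self._covers(r.srcaddr, r.dstaddr)
        reply = r.srcport == self.dstport and self._covers(r.dstaddr, r.srcaddr)
        return request or reply

@dataclass
class Findings:
    unexpected_accepts: list[FlowRecord] = field(default_factory=list)
    scan_suspects: dict[str, int] = field(default_factory=dict)  # srcaddr -> REJECT count

def analyze(lines: Iterable[str], baseline: Iterable[ExpectedFlow],
            reject_threshold: int = 5) -> Findings:
    """Flag ACCEPTed flows outside the baseline (a security group or network ACL wider than
    the documented baseline, or a host talking to something it should not) and sources
    whose REJECT count reaches the alert threshold (port scanning shows up this way)."""
    baseline = list(baseline)
    findings = Findings()
    rejects: Counter[str] = Counter()
    for line in lines:
        r = parse_flow_log(line)
        if r is None:
            continue
        if r.action == "REJECT":
            rejects[r.srcaddr] += 1
        elif not any(e.matches(r) for e in baseline):
            findings.unexpected_accepts.append(r)
    findings.scan_suspects = {src: n for src, n in rejects.items() if n >= reject_threshold}
    return findings

# Constructed baseline for a hypothetical VPC 10.0.0.0/16: web tier 10.0.1.0/24, database
# tier 10.0.2.0/24, bastion host 10.0.0.5. Addresses, ENI ids and the account id are made up.
BASELINE = [
    ExpectedFlow("0.0.0.0/0", "10.0.1.0/24", 443, "tcp"),     # HTTPS to the web tier
    ExpectedFlow("10.0.1.0/24", "10.0.2.0/24", 5432, "tcp"),  # web tier to PostgreSQL
    ExpectedFlow("10.0.0.5/32", "10.0.0.0/16", 22, "tcp"),    # SSH only from the bastion
]

# Constructed sample records: normal traffic, two flows outside the baseline, a scan-like
# burst of rejects from one external address, and a NODATA record with no traffic fields.
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.10 51234 443 6 20 4000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 203.0.113.7 443 51234 6 18 9000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0e4f5a6b 10.0.1.10 10.0.2.20 44321 5432 6 10 2000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0e4f5a6b 10.0.1.10 10.0.2.20 44322 22 6 5 600 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0e4f5a6b 10.0.2.20 198.51.100.9 39120 4444 6 30 150000 1700000000 1700000060 ACCEPT OK",
    *(f"2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.10 40000 {p} 6 1 44 1700000000 1700000060 REJECT OK"
      for p in (21, 23, 25, 110, 143, 3389)),
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA",
]
```

Running `analyze(SAMPLE_LINES, BASELINE)` reports the web server's SSH connection to the database host and the database host's outbound connection to 198.51.100.9 as flows outside the baseline, and 198.51.100.9 as a source that exceeded the reject threshold.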
Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.

RS.RP-1: Response plan is executed during or after an event
Informative References:
• CCS CSC 18
• COBIT 5 BAI01.10
• ISA 62443-2-1:2009 4.3.4.5.1
• ISO/IEC 27001:2013 A.16.1.5
• NIST SP 800-53 Rev. 4 CP-2, CP-10, IR-4, IR-8
AWS Implementation/Enablers/Processes: AWS Certif￼ications, Customer Responsibility
AWS Services and Responsibility (RS.RP-1 through RS.CO-5): AWS has implemented a formal, documented incident response policy and program. The policy addresses purpose, scope, roles, responsibilities, and management commitment.

AWS utilizes a three-phased approach to manage incidents:

1. Activation and Notification Phase: Incidents for AWS begin with the detection of an event. Events originate from several sources such as:
• Metrics and alarms - AWS maintains an exceptional situational awareness capability; most issues are rapidly detected from 24x7x365 monitoring and alarming of real time metrics and service dashboards. The majority of incidents are detected in this manner. AWS utilizes early indicator alarms to proactively identify issues that may ultimately impact Customers.
• Trouble tickets entered by an AWS employee.
• Calls to the 24x7x365 technical support hotline.
If the event meets incident criteria, the relevant on-call support engineer uses the Event Management Tool system to start an engagement and page relevant program resolvers (for example, the Security team). The resolvers will perform an analysis of the incident to determine if additional resolvers should be engaged and to determine the approximate root cause.

2. Recovery Phase - The relevant resolvers will perform break fix to address the incident. After addressing troubleshooting, break fix and affected components, the call leader will assign follow-up documentation and follow-up actions and end the call engagement.

3. Reconstitution Phase - The call leader will declare the recovery phase complete after the relevant fix activities have been addressed. The post mortem and deep root cause analysis of the incident will be assigned to the relevant team. The results of the post mortem will be reviewed by relevant senior management, and actions, such as design changes, will be captured in a Correction of Errors (COE) document and tracked to completion.

To ensure the effectiveness of the AWS Incident Management plan, AWS conducts incident response testing. This testing provides excellent coverage for the discovery of previously unknown defects and failure modes. In addition, it allows the Amazon Security and Service teams to test the systems for potential customer impact and further prepare staff to handle incidents such as detection and analysis, containment, eradication, and recovery, and post-incident activities.
Customer Responsibility:
CP-2: AWS customers are responsible for developing a contingency plan for their system that: 1) Identifies essential missions and business functions and associated contingency requirements, 2) Provides recovery objectives, restoration priorities, and metrics, 3) Addresses contingency roles, responsibilities, and assigned individuals with contact information, 4) Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure, 5) Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented, and 6) Is reviewed and approved by organization-defined personnel or roles in accordance with the contingency planning policy.
CP-10: AWS customers are responsible for providing for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
IR-4: AWS customers are responsible for implementing an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery in accordance with their incident response policy. In addition, AWS customers are responsible for coordinating incident handling activities with contingency planning activities; incorporating lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises; and implementing the resulting changes accordingly.
IR-8: AWS customers are responsible for developing an Incident Response Plan (IRP) that: 1) Provides their organization with a roadmap for implementing its incident response capability, 2) Describes the structure and organization of the incident response capability, 3) Provides a high-level approach for how the incident response capability fits into the overall organization, 4) Meets the unique requirements of the organization, which relate to mission, size, structure, and functions, 5) Defines reportable incidents, 6) Provides metrics for measuring the incident response capability within the organization, 7) Defines the resources and management support needed to effectively maintain and mature an incident response capability, and 8) Is reviewed and approved by organization-defined personnel or roles.
Customers are responsible for developing their response plans and for executing them during and after a cybersecurity event.

Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.

RS.CO-1: Personnel know their roles and order of operations when a response is needed
Informative References:
• ISA 62443-2-1:2009 4.3.4.5.4
• ISO/IEC 27001:2013 A.6.1.1, A.16.1.1
• NIST SP 800-53 Rev. 4 CP-2, CP-3, IR-3, IR-
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
Customer Responsibility:
CP-2: AWS customers are responsible for developing a contingency plan for their system that: 1) Identifies essential missions and business functions and associated contingency requirements, 2) Provides recovery objectives, restoration priorities, and metrics, 3) Addresses contingency roles, responsibilities, and assigned individuals with contact information, 4) Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure, 5) Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented, and 6) Is reviewed and approved by organization-defined personnel or roles in accordance with the contingency planning policy.

RS.CO-2: Events are reported consistent with established criteria
Informative References:
• ISA 62443-2-1:2009 4.3.4.5.5
• ISO/IEC 27001:2013 A.6.1.3, A.16.1.2
• NIST SP 800-53 Rev. 4 AU-6, IR-6, IR-8
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
Customer Responsibility:
AU-6: AWS customers are responsible for reviewing and analyzing audit records at an organization-defined frequency for indications of organization-defined inappropriate or unusual activity and reporting these findings to organization-defined personnel or roles in accordance with their audit and accountability policy.

RS.CO-3: Information is shared consistent with response plans
Informative References:
• ISO/IEC 27001:2013 A.16.1.2
• NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-4, IR-8, PE-6, RA-5, SI-4
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
Customer Responsibility:
CA-2: AWS customers are responsible for conducting security assessments for their systems. Within this context and in accordance with their security assessment and authorization policy, AWS customers are responsible for: 1) Developing a security assessment plan that describes the security controls and control enhancements under assessment, assessment procedures used to determine effectiveness, the assessment

RS.CO-4: Coordination with stakeholders occurs consistent with response plans
Informative References:
• ISA 62443-2-1:2009 4.3.4.5.5
• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
Customer Responsibility:
CP-2: AWS customers are responsible for developing a contingency plan for their system that: 1) Identifies essential missions and business functions and associated contingency requirements, 2) Provides recovery objectives, restoration priorities, and metrics, 3) Addresses contingency roles, responsibilities, and assigned individuals with contact information, 4) Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure, 5) Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented, and 6) Is reviewed and approved by organization-defined personnel or roles in accordance with the contingency planning policy.

RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
Informative References:
• NIST SP 800-53 Rev. 4 PM-15, SI-5
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
Customer Responsibility:
PM-15: AWS customers are responsible for maintaining ongoing contact with security groups and associations to: 1) Facilitate ongoing security education and training for organizational personnel, 2) Maintain currency with recommended security practices, techniques, and technologies, and 3) Share current security-related information including threats, vulnerabilities, and incidents.
SI-5: AWS customers are responsible for: 1) Receiving information system security alerts, advisories, and directives from their organization-defined external organizations on an ongoing basis, 2) Generating internal security alerts, advisories, and directives as deemed necessary, 3) Disseminating security alerts, advisories, and directives to organization-defined personnel, roles, organizational elements and/or external organizations, and 4) Implementing security directives in accordance with established time frames or notifying the issuing organization of the degree of noncompliance.
Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.

RS.AN-1: Notifications from detection systems are investigated
Informative References:
• ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
• ISA 62443-3-3:2013 SR 6.1
• ISO/IEC 27001:2013 A.12.4.1, A.12.4.3, A.16.1.5
AWS Implementation/Enablers/Processes: AWS Best Practices, AWS Reference Architectures, AWS Config, AWS Config Rules, AWS CloudWatch, CloudWatch Logs, CloudTrail, VPC Flow Logs, Customer Responsibility
Customer Responsibility:
AU-6: AWS customers are responsible for reviewing and analyzing audit records at an organization-defined frequency for indications of organization-defined inappropriate or unusual activity and reporting these findings to organization-defined personnel or roles in accordance with their audit and accountability policy.

RS.AN-2: The impact of the incident is understood
Informative References:
• ISA 62443-2-1:2009 4.3.4.5.8
• ISO/IEC 27001:2013 A.16.1.6
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
Customer Responsibility:
CP-2: AWS customers are responsible for developing a contingency plan for their system that: 1) Identifies essential missions and business functions and associated contingency requirements, 2) Provides recovery objectives, restoration priorities, and metrics, 3) Addresses contingency roles, responsibilities, and assigned individuals with contact information, 4) Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure, 5) Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented, and 6) Is reviewed and approved by organization-defined personnel or roles in accordance with the contingency planning policy.

RS.AN-3: Forensics are performed
Informative References:
• ISA 62443-2-1:2009 4.3.4.5.6
• ISA 62443-3-3:2013 SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1
• ISO/IEC 27001:2013 A.16.1.7
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
Customer Responsibility:
AU-7: AWS customers are responsible for implementing and configuring an audit reduction and report generation capability that: 1) Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations

RS.AN-4: Incidents are categorized consistent with response plans
Informative References:
• ISA 62443-2-1:2009 4.3.4.5.6
• ISO/IEC 27001:2013 A.16.1.4
• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-5, IR-8
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
Customer Responsibility:
CP-2: AWS customers are responsible for developing a contingency plan for their system that: 1) Identifies essential missions and business functions and associated contingency requirements, 2) Provides recovery objectives, restoration priorities, and metrics, 3) Addresses contingency roles, responsibilities, and assigned individuals with contact information, 4) Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure, 5) Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented, and 6) Is reviewed and approved by organization-defined personnel or roles in accordance with the contingency planning policy.

Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.

RS.MI-1: Incidents are contained
Informative References:
• ISA 62443-2-1:2009 4.3.4.5.6
• ISA 62443-3-3:2013 SR 5.1, SR 5.2, SR 5.4
• ISO/IEC 27001:2013 A.16.1.5
• NIST SP 800-53 Rev. 4 IR-4
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
Customer Responsibility:
IR-4: AWS customers are responsible for implementing an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery in accordance with their incident response policy. In addition, AWS customers are responsible for coordinating incident handling activities with contingency planning activities; incorporating lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises; and implementing the resulting changes accordingly.

RS.MI-2: Incidents are mitigated
Informative References:
• ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.10
• ISO/IEC 27001:2013 A.12.2.1, A.16.1.5
• NIST SP 800-53 Rev. 4 IR-4
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility

RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks
Informative References:
• ISO/IEC 27001:2013 A.12.6.1
• NIST SP 800-53 Rev. 4 CA-7, RA-3, RA-5
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
Customer Responsibility:
CA-7: AWS customers are responsible for developing a continuous monitoring strategy and implementing a continuous monitoring program in accordance with their security assessment and authorization policy that defines: 1) Metrics to be monitored, 2) Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for conducting and receiving continuous monitoring analysis information. Pursuant to this continuous monitoring program, AWS customers are responsible for: 1) Establishing and configuring monitoring for defined metrics, 2) Monitoring and conducting assessments at organization-defined frequencies, 3) Conducting ongoing security control assessments, 4) Conducting ongoing security status monitoring of their organization-defined metrics, 5) Correlating and analyzing security-related information generated by assessments and monitoring, 6) Taking appropriate response actions to address the results of the analysis of security-related information, and 7) Reporting the security status of their organization and the information system to the organization-defined personnel or roles at the organization-defined frequency.

Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

RS.IM-1: Response plans incorporate lessons learned
Informative References:
• COBIT 5 BAI01.13
• ISA 62443-2-1:2009 4.3.4.5.10, 4.4.3.4
• ISO/IEC 27001:2013 A.16.1.6
• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
AWS Services and Responsibility: AWS Incident response management includes post mortem and deep root cause analysis. Results are reviewed by relevant senior management and actions, such as design changes, are captured in a Correction of Errors (COE) document and tracked to completion.
Customer Responsibility:
CP-2: AWS customers are responsible for developing a contingency plan for their system that: 1) Identifies essential missions and business functions and associated contingency requirements, 2) Provides recovery objectives, restoration priorities, and metrics, 3) Addresses contingency roles, responsibilities, and assigned individuals with contact information, 4) Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure, 5) Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented, and 6) Is reviewed and approved by organization-defined personnel or roles in accordance with the contingency planning policy.

RS.IM-2: Response strategies are updated
Informative References:
• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
AWS Services and Responsibility: The AWS Incident Response plan is tested regularly and updated as needed to ensure its effectiveness. The Incident Management planning, testing, and test results are reviewed by third party auditors.
Customer Responsibility:
CP-2: AWS customers are responsible for developing a contingency plan for their system that: 1) Identifies essential missions and business functions and associated contingency requirements, 2) Provides recovery objectives, restoration priorities, and metrics, 3) Addresses contingency roles, responsibilities, and assigned individuals with contact information, 4) Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure, 5) Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented, and 6) Is reviewed and approved by organization-defined personnel or roles in accordance with the contingency planning policy.
IR-4: AWS customers are responsible for implementing an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery in accordance with their incident response policy. In addition, AWS customers are responsible for coordinating incident handling activities with contingency planning activities; incorporating lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises; and implementing the resulting changes accordingly.
IR-8: AWS customers are responsible for developing an Incident Response Plan (IRP) that: 1) Provides their organization with a roadmap for implementing its incident response capability, 2) Describes the structure and organization of the incident response capability, 3) Provides a high-level approach for how the incident response capability fits into the overall organization, 4) Meets the unique requirements of the organization, which relate to mission, size, structure, and functions, 5) Defines reportable incidents, 6) Provides metrics for measuring the incident response capability within the organization, 7) Defines the resources and management support needed to effectively maintain and mature an incident response capability, and 8) Is reviewed and approved by organization-defined personnel or roles.
Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.

RC.RP-1: Recovery plan is executed during or after an event
Informative References:
• CCS CSC 8
• COBIT 5 DSS02.05, DSS03.04
• ISO/IEC 27001:2013 A.16.1.5
• NIST SP 800-53 Rev. 4 CP-10, IR-4, IR-8
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
AWS Services and Responsibility (RC.RP-1 through RC.CO-3): The three categories comprising the “Recover” function - Recovery Planning, Improvements, and Communications - are capabilities for which the customer is responsible. While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter.
Customer Responsibility (RC.RP-1 through RC.CO-3):
CP-2: AWS customers are responsible for developing a contingency plan for their system that: 1) Identifies essential missions and business functions and associated contingency requirements, 2) Provides recovery objectives, restoration priorities, and metrics, 3) Addresses contingency roles, responsibilities, and assigned individuals with contact information, 4) Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure, 5) Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented, and 6) Is reviewed and approved by organization-defined personnel or roles in accordance with the contingency planning policy.
CP-10: AWS customers are responsible for providing for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
IR-4: AWS customers are responsible for implementing an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery in accordance with their incident response policy. In addition, AWS customers are responsible for coordinating incident handling activities with contingency planning activities; incorporating lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises; and implementing the resulting changes accordingly.
IR-8: AWS customers are responsible for developing an Incident Response Plan (IRP) that: 1) Provides their organization with a roadmap for implementing its incident response capability, 2) Describes the structure and organization of the incident response capability, 3) Provides a high-level approach for how the incident response capability fits into the overall organization, 4) Meets the unique requirements of the organization, which relate to mission, size, structure, and functions, 5) Defines reportable incidents, 6) Provides metrics for measuring the incident response capability within the organization, 7) Defines the resources and management support needed to effectively maintain and mature an incident response capability, and 8) Is reviewed and approved by organization-defined personnel or roles.
Developing and implementing recovery plans and strategies is required for agencies under the Federal Information Security Modernization Act, which states that each agency should develop, document, and implement an agency-wide information security program that includes “procedures for detecting, reporting, and responding to security incidents.” Further, DHS’s Continuous Diagnostics and Mitigation (CDM) Program Phase 3: Boundary Protection and Event

Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.

RC.IM-1: Recovery plans incorporate lessons learned
Informative References:
• COBIT 5 BAI05.07
• ISA 62443-2-1 4.4.3.4
• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility

RC.IM-2: Recovery strategies are updated
Informative References:
• COBIT 5 BAI07.08
• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility

Communications (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.

RC.CO-1: Public relations are managed
Informative References:
• COBIT 5 EDM03.02
AWS Implementation/Enablers/Processes: Customer Responsibility

RC.CO-2: Reputation after an event is repaired
Informative References:
• COBIT 5 MEA03.02
AWS Implementation/Enablers/Processes: Customer Responsibility

RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and management teams
Informative References:
• NIST SP 800-53 Rev. 4 CP-2, IR-4
AWS Implementation/Enablers/Processes: AWS Certifications, Customer Responsibility
Management for Managing the Security Lifecycle also includes
capabilities such as event response and planning that agencies
are required to implement. Further, actions involving public
relations, reputation management, and communicating
recovery activities are respective to how the organization
handles the event that impacted their environment, which in
this case is the agency customer.
