Compliance

The key to understanding how to meet security compliance standards on AWS is to first be familiar with the AWS Shared Responsibility model.

If you know what security framework you are targeting, you can start from the AWS Compliance Solution Guides.

AWS Service	Security Documentation	Notes

AWS Service	Security Documentation	Notes
AWS Landing Zone	https://docs.aws.amazon.com/whitepapers/latest/nhs-cloud-security-guidance-using-aws/overall-security-governance---aws-landing-zones.html	Relevant to most of the Principles covered by the Good Practice Guide, a Landing Zone is a solution available from AWS that automatically creates an environment consisting of a set of related AWS accounts configured in such a way as to establish security (and cost-related) guardrails for AWS usage by a wide variety of teams with minimum friction. The environment includes the foundations of identity management, logging and monitoring, governance, security, and network design, the specifics of which may be implemented using decisions made in examining each of the principles covered in the overall security governance document.
AWS Control Tower	https://docs.aws.amazon.com/controltower/latest/userguide/security.html	AWS Control Tower is a well-architected service that can help your organization meet your compliance needs with controls and best practices. Additionally, third-party auditors assess the security and compliance of a number of the services you can use in your landing zone as a part of multiple AWS compliance programs. These include SOC, PCI, FedRAMP, HIPAA, and others. Your compliance responsibility when using AWS Control Tower is determined by the sensitivity of your data, your company’s compliance objectives, and applicable laws and regulations.
AWS Config	https://docs.aws.amazon.com/config/latest/developerguide/security.html Templates for conformance packs (selected few, there are many available). Provide example mappings of controls to implementation.	Included within the Landing Zone solution, this service tracks configuration settings of AWS resources over time against a desired-state baseline, and raises alerts (and optionally triggers remedial action) when changes are detected. The service also enables configuration to be audited, in order to demonstrate compliance (or otherwise) against a baseline. See the AWS Config Developer Guide for a detailed description of how to use it. Recommended best practice guidelines: Leverage tagging for AWS Config, which makes is easier to manage, search for, and filter resources. Confirm your delivery channels have been properly set, and once confirmed, verify that AWS Config is recording properly.
AWS Secrets Manager
AWS CloudTrail
AWS EKS
AWS CloudFormation
AWS S3	https://aws.amazon.com/s3/security/
AWS IAM Identity Center (SSO)
AWS Macie	https://aws.amazon.com/macie/	Optional for the platform. a data security and data privacy service that uses machine learning (ML) and pattern matching to discover and protect your sensitive data.
AWS Managed Prometheus	https://aws.amazon.com/prometheus/
AWS Managed Grafana	https://aws.amazon.com/grafana/

All AWS services are GDPR ready. AWS offers a GDPR-compliant Data Processing Addendum (GDPR DPA), enabling you to comply with GDPR contractual obligations. The AWS GDPR DPA is incorporated into the AWS Service Terms. The DPA applies automatically to all customers globally who require it to comply with the GDPR.

	File	Modified
Labels No labels Preview View	PDF File AWS_GDPR_DPA.pdf	Nov 22, 2022 by Joe Ferris

FedRamp

https://aws.amazon.com/compliance/fedramp/

All of the services we use are in scope of FedRamp. US East / West and GovCloud can leverage PATO JAB authorization.

Security Documentation for Other Tools

Github Actions - security hardening
Terraform - security model
Vanta - automated security and compliance platform.

Digital Sustainability


AWS