
Compliance FAQs

General
1. WHAT IS THE BEST WAY TO COMPLETE MY ANNUAL VENDOR/SUPPLIER/DUE-DILIGENCE QUESTIONNAIRE OF AWS?
In the event that you need assistance to complete a questionnaire to document AWS security and
compliance positions, AWS has a recommended approach designed to provide you with the
resources you need to answer your security and compliance questions in the context of the cloud
and AWS’s business model. The most frequently used resources to complete security and
compliance questionnaires are:

• AWS Artifact – AWS Artifact is your go-to, central resource for compliance-related
information that matters to you. It provides on-demand access to AWS’s security and compliance
reports and select online agreements. The AWS SOC 2 report is particularly helpful for completing
questionnaires because it provides a comprehensive description of the implementation and
operating effectiveness of AWS security controls. Another useful document is the Executive Briefing
within the AWS FedRAMP Partner Package.
• CSA Consensus Assessments Initiative Questionnaire – The CSA Consensus Assessments
Initiative Questionnaire provides a set of questions the CSA anticipates a cloud consumer and/or
auditor would ask of a cloud provider. It provides a series of security, control, and process questions
which can then be used for a wide range of uses, including cloud provider selection and security
evaluation. This document contains the AWS answers to the CSA questionnaire.
• AWS Risk and Compliance whitepaper – This document addresses AWS-specific
information around general cloud computing compliance questions. There are detailed descriptions
of all AWS Certifications, Programs, Reports, and Third-Party Attestations.
• AWS Data Center Controls web page – Many questionnaires have an entire section with
questions related to data center physical security. This web page provides you with insight into
some of our physical and environmental controls.
2. WHICH AWS SERVICES AND FEATURES COMPLY WITH COMMON CLOUD SECURITY
AND COMPLIANCE STANDARDS?
AWS Services in Scope provides a list of services that are assessed to comply with common
compliance standards. Unless specifically noted as excluded, features of each of the listed services
are considered in scope of the compliance program and are reviewed and tested as part of the
assessment. Refer to AWS Documentation for the features of an AWS service. 
3. CAN I COMPLY WITH MY REGULATORY REQUIREMENTS ON AWS?
AWS has customers throughout the world and is continually adapting to evolving regulations.
The AWS Compliance Center offers you a central location to research cloud-related regulatory
requirements and how they impact your industry. Select the country you are interested in and the
AWS Compliance Center will display the country’s regulatory position regarding the adoption of
cloud services.  
4. DOES AWS HAVE ANY SUB-PROCESSORS?
AWS may engage the entities listed on the AWS Sub-Processors web page to carry out specific
processing activities on behalf of the customer or data center facility management activities. This
web page also provides customers with the option to subscribe to email notifications if the list of
sub-processors changes.
AWS proactively informs our customers of any subcontractors who have access to customer-owned
content you upload onto AWS, including content that may contain personal data. There are no
subcontractors authorized by AWS to access any customer-owned content that you upload onto
AWS. To monitor subcontractor access year-round, please refer to the AWS Third-Party Access web
page. 
5. CAN YOU PROVIDE ME WITH THE AWS DATA CENTER LOCATIONS FOR MY
BUSINESS CONTINUITY OR DISASTER RECOVERY POLICY?
AWS keeps our data center locations strictly confidential to maintain the security and privacy of
customer data. Locations are disclosed only to AWS employees and contractors who have an
approved business need to be at the facility.

Customers can assess the security and resiliency of the AWS physical infrastructure by considering
all of the security controls that AWS has in place for its data centers. To support customers
evaluating risks related to AWS data centers, AWS provides the AWS Data Center Controls web
page and the AWS SOC 2 report available in AWS Artifact. 
6. WHAT FACTORS ARE IMPORTANT FOR CUSTOMERS TO EVALUATE AS PART OF
THEIR DISASTER RECOVERY PLANNING?
Customers evaluating AWS as part of their disaster recovery planning should first identify their
resiliency goals and consider any applicable regulatory requirements for resiliency and disaster
recovery. Customers can then architect their AWS environment to meet their resiliency goals and
regulatory requirements. For example, to mitigate environmental risks, customers can architect their
AWS workloads to take advantage of physically separated Availability Zones and Regions to reach
their objectives. Customers with high availability requirements often use multiple Regions for critical
applications. Learn more on the AWS Disaster Recovery web page, the AWS Data Center Controls
web page, and within the AWS SOC 2 report available in AWS Artifact.

Compliance Reports
1. WHERE CAN I DOWNLOAD AWS COMPLIANCE REPORTS, SUCH AS A SOC OR PCI
REPORT?
AWS Artifact provides several compliance reports issued by third-party auditors who have tested
and verified our compliance with a variety of global, regional, and industry-specific security
standards and regulations. When new reports are released, they are made available for customers
to download in AWS Artifact. For more information, go to the Compliance Reports FAQ. You can
access AWS Artifact directly from the AWS Management Console.
2. WHERE CAN I FIND A BRIDGE LETTER FOR THE AWS SOC 1 AND SOC 2 REPORTS?
Based on AWS's full year of coverage within our SOC 1 and SOC 2 report cycles, we publish a SOC
Continued Operations Letter instead of a bridge letter or gap letter. This document can be
downloaded using AWS Artifact from the AWS Management Console.
3. DO THE AWS SOC REPORTS EXPIRE AT THE END OF THE REPORTING PERIOD?
No. SOC audits are performed over a period of time. Once the audit period is over, the report is
prepared and made available to customers within 6-8 weeks. AWS issues two SOC 1 and two SOC
2 reports covering 6-month periods each year (the first report covers October 1 through March 31,
and the second covers April 1 through September 30). There are many factors that play into the
release date of the report, but we target early May and early November each year to release new
reports. When new SOC reports are released, they are made available for customers to download
in AWS Artifact.
4. HOW DO MY END CUSTOMERS OBTAIN A COPY OF THE AWS SOC 1 AND SOC 2
REPORTS?
AWS is happy to provide your customer with a copy of our SOC 1 or SOC 2 report; however, we
require that the intended user of the report have a Nondisclosure Agreement (NDA) in place with
AWS directly. To best support your customers, we recommend they utilize the Getting Started with
AWS Artifact guide to download the requested compliance report(s).

If your customer does not want to enter into an NDA with AWS, we publish the AWS SOC 3
report on our SOC Compliance web page. The SOC 3 report is a summary of the AWS SOC 2
report; it provides assurance, including the external auditor’s opinion, that AWS maintains effective
operation of controls based on the criteria set forth in the AICPA’s Trust Services Principles.

Compliance Programs
1. IS AWS HIPAA CERTIFIED?
There is no HIPAA certification for a cloud service provider (CSP) such as AWS. In order to meet the
HIPAA requirements applicable to our operating model, AWS aligns our HIPAA risk management
program with FedRAMP and NIST 800-53, which are higher security standards that map to the
HIPAA Security Rule. NIST supports this alignment and has issued SP 800-66 An Introductory
Resource Guide for Implementing the HIPAA Security Rule, which documents how NIST 800-53
aligns to the HIPAA Security Rule. Refer to the AWS HIPAA web page for more information about
HIPAA compliance on AWS.
2. WILL AWS SIGN A BUSINESS ASSOCIATE ADDENDUM (BAA) AS DESCRIBED IN THE
HIPAA RULES AND REGULATIONS?
Yes. AWS has a standard BAA we enter into with customers. It takes into account the unique
services AWS provides and accommodates the AWS Shared Responsibility Model.

To review, accept, and manage the status of the BAA for your account, or for all accounts that are
part of your organization in AWS Organizations, sign in to AWS Artifact from the AWS Management
Console.
3. WHAT DOES IT MEAN FOR AN AWS SERVICE TO BE HIPAA ELIGIBLE?
AWS follows a standards-based risk management program to ensure that the HIPAA-eligible
services specifically support the security, control, and administrative processes required under
HIPAA. Customers may use any AWS service in an account designated as a HIPAA account, but
should only process, store, and transmit protected health information (PHI) using HIPAA-eligible
services. Refer to the following AWS resources for more information about HIPAA compliance on
AWS:
• Common architecting strategies for HIPAA
• HIPAA FAQs
• HIPAA-related blog posts
4. HOW DO I BECOME HITRUST COMPLIANT ON AWS?
AWS offers a wide range of certifications and attestations, covering compliance programs from
around the globe. You can leverage these certifications and attestations to meet your additional
compliance programs, such as the HITRUST Common Security Framework or programs offered by
the Electronic Healthcare Network Accreditation Commission (EHNAC). You can also work with one
of our partners that specializes in healthcare compliance.
5. HOW DO I ENTER INTO A GDPR-COMPLIANT DATA PROCESSING ADDENDUM (DPA)
WITH AWS?
You do not need to take any action to get the benefit of the GDPR DPA. The terms of the GDPR
DPA are incorporated into the AWS Service Terms and, since May 25, 2018, the GDPR DPA
automatically applies to customers whose activities come within the scope of the GDPR. Refer to
this AWS Security blog post to learn more about AWS's DPA.

6. IS AWS CERTIFIED UNDER THE EU-US PRIVACY SHIELD?
Yes, AWS is certified under the EU-US Privacy Shield. View the certification here. You can find more
information by visiting the AWS EU-Privacy Shield web page.