Overview of AWS Shared Responsibility for SOC 2 Reporting for Users of AWS’ Cloud Services
Businesses operating in the Amazon AWS cloud infrastructure often have to undergo their own annual SOC 2 Type 2 audit assessment. Fortunately, Amazon obtains an annual SOC 2 audit report for its “Amazon Web Services System”, which, from a scope perspective, includes almost every imaginable cloud service offering. This ultimately brings us to the much-talked-about topic of Amazon AWS’ “Shared Responsibility Model”, which is the following, per AWS:
Moving IT infrastructure to AWS builds a shared responsibility model between customers and AWS. AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. In turn, customers assume responsibility and management of the guest operating system (including updates and security patches), other associated application software, as well as the configuration of the AWS-provided security group firewall.
AWS Shared Responsibility Matrix – Who is Responsible for What and Why
In its simplest terms, you, as a customer using AWS’ services, have certain responsibilities for ensuring the security of your environment in the cloud. Yet AWS also has certain responsibilities for ensuring security measures are in place. Therefore, the phrases you’ll often hear for AWS compliance are the following:
AWS responsibility for “Security of the Cloud”: AWS is essentially responsible for protecting the infrastructure that runs all of the services offered within the actual AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.
Customer responsibility for “Security in the Cloud”: The customer’s responsibility will ultimately be determined by the AWS Cloud services that the customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities. As such, services such as Amazon Elastic Compute Cloud (Amazon EC2), Amazon Virtual Private Cloud (Amazon VPC), and Amazon S3 are categorized as Infrastructure as a Service (IaaS), ultimately requiring that the customer perform all of the necessary security configuration and management tasks.
Here's an Example of a Typical Customer Deployment: More specifically, if a customer deploys an Amazon EC2 instance, they are then effectively responsible for management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instance, and the configuration of the AWS-provided firewall (called a security group) on each instance.
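As an added example (not code from the original article or from AWS), the following offline check reviews the one customer-side item in the EC2 example above: the security group attached to each instance. The rule records are constructed sample data in the shape returned by the EC2 DescribeSecurityGroups API, and the set of ports treated as sensitive is an assumption for the example; no AWS call is made.

```python
# Added example: flag security-group ingress rules open to the whole internet.
# Sample data is constructed inline in the DescribeSecurityGroups response shape.

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"
# Ports that should not be reachable from any source (assumption for this example).
ADMIN_PORTS = {22, 3389, 3306, 5432, 1433}

def rule_is_open(rule):
    """True if an ingress rule permits traffic from any IPv4 or IPv6 source."""
    ipv4_open = any(r.get("CidrIp") == ANY_IPV4 for r in rule.get("IpRanges", []))
    ipv6_open = any(r.get("CidrIpv6") == ANY_IPV6 for r in rule.get("Ipv6Ranges", []))
    return ipv4_open or ipv6_open

def rule_ports(rule):
    """Return the (from, to) port range; protocol "-1" means all traffic, all ports."""
    if rule.get("IpProtocol") == "-1":
        return (0, 65535)
    return (rule.get("FromPort", 0), rule.get("ToPort", 65535))

def audit_security_group(group):
    """Return a list of finding strings for one security group (a customer control)."""
    findings = []
    for rule in group.get("IpPermissions", []):
        if not rule_is_open(rule):
            continue
        lo, hi = rule_ports(rule)
        exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
        if rule.get("IpProtocol") == "-1":
            findings.append(f"{group['GroupId']}: all traffic open to the internet")
        elif exposed:
            findings.append(f"{group['GroupId']}: ports {exposed} open to the internet")
    return findings

# Constructed sample: one group with HTTPS and SSH open to the world, one database
# group restricted to a private range. Group ids are placeholders, not real resources.
SAMPLE_GROUPS = [
    {"GroupId": "sg-example-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-example-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ]},
]

def audit_all(groups=SAMPLE_GROUPS):
    """Run the check over every group and collect the findings."""
    return [f for g in groups for f in audit_security_group(g)]

if __name__ == "__main__":
    for line in audit_all():
        print(line)
```

Findings such as these are evidence for the customer-controls side of the matrix; the equivalent checks on the underlying hosts and facilities are AWS’ side and are inherited from AWS’ own SOC 2 report.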
Additionally, it’s important to note that the customer/AWS shared responsibility model also extends to information technology controls. More specifically, just as the responsibility to operate the information technology environment is shared between AWS and its customers, so are the management, operation, and verification of the information technology controls over that environment.
Inherited, Shared, and Customer Controls
AWS can help relieve the customer’s burden of operating controls by managing those controls associated with the physical infrastructure deployed in the AWS environment that may previously have been managed by the customer. Remember that every customer is deployed differently within AWS, so the overall responsibility for controls will shift, but each control will always fall under one of the following three (3) categories:
- Inherited Controls: These are controls which the customer inherits from AWS – thus, they are AWS’ responsibility.
- Shared Controls: These are controls which apply to both the infrastructure layer and the customer layer, hence, they are shared controls.
- Customer Controls: These are controls which are solely the responsibility of the customer within AWS.
3 Helpful Recommendations for your SOC 2 Amazon AWS Audit
1. Perform an AWS SOC 2 Scoping & Readiness Assessment. New to the SOC 2 auditing process? If so, then understanding the issues critical to your audit’s overall success is a must, no question about it. Here are the benefits of NDNB’s AWS SOC 2 Scoping & Readiness Assessment:
- Identify scope in terms of business processes, people, third-parties – and more – that are involved in the audit.
- Identify critical gaps and control deficiencies and what remediation activities need to be undertaken. Remediation often takes the form of policy writing, along with implementing various technical/security controls.
- Identify and put in place all necessary AWS tools for security, governance, and compliance as it relates to annual SOC 2 reporting.
- Put in place a roadmap for compliance, complete with milestones and associated deliverables.
2. Understand the Importance of Information Security Policies and Procedures. One of the more challenging and time-consuming aspects of regulatory compliance – and especially of SOC 2 audits – is documentation. Specifically, your organization will need to develop and have in place a laundry list of information security policies and procedures for SOC 2 compliance. Authoring InfoSec documentation can take time – quite a bit of time – and that’s why many of our AWS SOC 2 clients turn to us to help author their information security policies and procedures. We can author them for you, or we can provide you with a complete set of information security policy templates.
3. Identify and Implement Helpful AWS Security Tools for Compliance. Are you familiar with the laundry list of security tools and solutions that Amazon AWS offers to customers? If not, then you need to be, as a number of them are critical for helping build the security, governance, and compliance framework essential for SOC 2 reporting. The AWS Marketplace at https://aws.amazon.com/marketplace is just the beginning in terms of security tools and solutions offered by vendors for assisting with security and compliance. Amazon AWS – as stated earlier – has its own list of security tools, and NDNB can help in choosing which tools you need, why, how to configure/implement them, and more.
5 Reasons to Use NDNB for SOC 2 Reporting for AWS Cloud Users
More and more businesses are migrating to the cloud, and especially to the Amazon AWS cloud platform. And more and more of these very businesses are being asked to perform annual SOC 2 audits. NDNB can assist, as we have years of experience working with Amazon AWS. Specifically, here are five reasons why you should consider NDNB as your SOC 2 audit provider for any business operating in Amazon AWS.
1. Expertise and Certification. Not every CPA is an expert when it comes to understanding the complexities and overall architecture of Amazon’s AWS environment, but we are! Our highly trained auditors, engineers, and other capable staff have spent years working with the AWS infrastructure. As a result, we know it, inside and out, which ultimately means auditing expertise that’s second to none. Before you consider using another CPA and advisory firm for your SOC 2 audit, check to see if any of their auditors actually carry any Amazon AWS certifications – this is important, in our opinion.
2. Online Audit Tools & Portal. We use a variety of online tools and portals that we’ve built for helping establish and maintain a high degree of transparency throughout the entire audit process, from beginning to end. You want to be able to effectively communicate with your auditors, co-workers – anybody involved with the audit – and that’s the very reason we built our extensive list of auditing tools.
4. Helpful Documentation. One of the more time-consuming measures of becoming SOC 2 compliant is developing all the necessary documentation needed for SOC 2 compliance. Regardless of where you house your production environment – in Amazon AWS or somewhere else – you need documentation for showing the auditors your policies, procedures, and processes are in order. We can help. How? Because we offer comprehensive policy writing services, along with providing our clients high-quality, easy-to-use and implement information security policies and procedures templates.
With NDNB, you get it all. Want to save thousands of dollars on authoring security documents? Sure you do; every business does. Then talk to NDNB today about our documentation services.
5. Our Name and History. Since 2006, NDNB has issued hundreds of SAS 70, SOC 1 SSAE 16, SOC 1 SSAE 18, SOC 2, and SOC 3 reports for service organizations all throughout North America, and the world. We also became heavily involved in compliance reporting for AWS years before many other firms did, giving us the expertise necessary in issuing SOC reports for users of AWS’s platform. We know AWS inside and out, which means we’ll be saving you both time and money on your SOC 2 report.
NDNB. North America’s AWS Compliance Experts