NDNB is one of the world’s leading providers of fixed-fee SOC 2 Type 1 and SOC 2 Type 2 audit reports for businesses using the Amazon AWS cloud computing platform. Thousands of companies are migrating each year to the cloud, many of them to the Amazon AWS platform, which is currently the undisputed leader in terms of market share.
As a result, businesses are building and deploying a wide variety of cloud computing platforms within AWS – SaaS, PaaS, and IaaS – and are also being asked for annual SOC 2 Type 2 reporting. NDNB can assist as we have extensive experience working with Amazon AWS.
NDNB. North America’s Amazon AWS SOC 2 Compliance Experts.
Critical SOC 2 Items You Need to Know About Regarding Amazon AWS
SOC 2 auditing the Amazon AWS environment – and really, for any type of audit – brings to mind the importance of understanding the Shared Responsibility Model, something that AWS has been adamant in educating all their customers on – and auditors. Here’s the summary of “Security of the Cloud” vs. “Security in the Cloud” and it’s overall impact on your SOC 2 report.
AWS Responsibility for “Security of the Cloud”: AWS – not YOU – are essentially responsible for protecting the actual infrastructure that runs all of the services offered within Amazon AWS. Specifically, the infrastructure consists of hardware, software, networking, the facilities, and other related “infrastructure” components. Specifically, AWS is responsible for “compute”, “storage”, “database”, and “networking” software – from a security perspective, along with all the hardware that supports the essential software and infrastructure components.
Customer/Service Provider Responsibility for “Security in the Cloud”: As to “security in the cloud”, if customers are running on Amazon’s AWS Infrastructure as a Service (IaaS) – such as Amazon Elastic Compute Cloud (Amazon EC2), Amazon Virtual Private Cloud (Amazon VPC), and Amazon S3 – then specific security/compliance requirements come into play.
Specifically, customers would be responsible for the guest operating system (such as updates and security patches), application or utilities installed by customers on the instances, configuration of the AWS provided firewall on each instance, and other essential security updates. Many of these responsibilities will therefore be tested for SOC 2 compliance, making it all the more important to ensure you have policies, procedures, and processes for these respective requirements.
So, with that said, here’s what YOU, a customer of Amazon’s AWS would be responsible for in their traditional IaaS environment, and what you would be assessed for as part of the scope of SOC 2 report:
- Security and patch updates to guest operating systems and applications
- Provisioning, hardening and overall configuration management for guest operating systems and applications (yes, including databases)
- Security and awareness training
- Access rights & access control within the AWS console
Amazon does have a number of requirements directly related to the above measure, thus a “shared” responsibility model can be looked at, also. Bottom line. AWS has responsibilities, YOU as a customer of AWS have responsibilities, and then some of these responsibilities are shared.
5 Essential Next Steps for SOC 2 Success in Amazon AWS
Assess Scope and Ownership of Controls: Businesses using Amazon’s AWS services – particularly their IaaS platforms (Amazon Elastic Compute Cloud (Amazon EC2), Amazon Virtual Private Cloud (Amazon VPC) – will need to assess, determine, and CONFIRM who has ownership of various controls that will be assessed during a SOC 2. The earlier this is known, the greater the chances for auditing success, efficiency, and removal of scope creep issues. In all reality, this is a relatively straightforward process, something NDNB performs with clients every day.
Amazon AWS does provide documentation within their compliance portal as to the various controls they have responsibilities for. Auditors, such as NDNB, can access this material in helping provide much-needed guidance. Visit https://aws.amazon.com/compliance to learn more.
Determine the Applicable Trust Services Criteria (TSC): Which of the TSP are going to be included in scope and why? Do you have client commitments for certain TSC’s? What is the basis for choosing the relevant TSC’s? Important questions you need to get answers to, and NDNB can assist.
Identify Amazon AWS Tools and Solutions to be Used: Amazon has numerous security, identity, compliance, and management tools and solution that greatly assist in the SOC 2 auditing process. Get to know them, and they’ll help ensure compliance with numerous SOC 2 testing criteria. Some of the more notable solutions to be using for helping with SOC 2 audits – and other compliance mandates – consist of the following:
- Amazon CloudWatch
- AWS CloudTrail
- Amazon GuardDuty
- Amzon Inspector
- AWS Shield
- AWS Single Sign-on
- AWS WAF
NDNB has extensive expertise with the above listed tools – and many others offered by Amazon AWS – all the more reason for considering us as your SOC 2 auditor.
Engage in Continuous Monitoring: Long after the initial audit is completed, you’ll need to begin the process of continuous monitoring; assessing and enhancing your controls as necessary. This can often be more challenging and time-consuming than the initial audit, all the more reason to speak with NDNB and how we can put in place an efficient and cost-effective regulatory compliance monitoring program for Amazon AWS customers. Time is money, and we can save you both.
Amazon AWS SOC 2 Compliance Experts – Fixed-Fee Pricing