Documentos de Académico
Documentos de Profesional
Documentos de Cultura
Compliance
Quick
Reference
Guide
2018
table of
Notices CONTENTS
This document is provided for informational purposes only. Overview 3
It represents AWS’ current product offerings and practices as
of the date of issue of this document, which are subject to How We Share Responsibility 7
change without notice. Customers are responsible for making AWS - Security of the Cloud
their own independent assessment of the information in this Customer - Security in the Cloud
document and any use of AWS’ products or services, each
Assurance Programs 12
of which is provided “as is” without warranty of any kind,
whether express or implied. This document does not create Securing Your Content 17
any warranties, representations, contractual commitments, Where Your Content is Stored
conditions or assurances from AWS, its affiliates, suppliers
or licensors. The responsibilities and liabilities of AWS to Business Continuity 22
its customers are controlled by AWS agreements, and this
document is not part of, nor does it modify, any agreement Automation 24
between AWS and its customers.
Resources 26
Partners and Marketplace
© 2018, Amazon Web Services, Inc. or its affiliates. Training
All rights reserved. Quick Starts
S EC U R I T Y & CO M P L I A N C E Q U I C K R E F E R E N C E G U I D E 2
Overview
S EC U R I T Y & CO M P L I A N C E Q U I C K R E F E R E N C E G U I D E 3
OV E R V I E W
differently
and compliance program is primarily measured by one thing:
our customers’ success. Our customers’ requirements drive
our portfolio of compliance reports, attestations, and
certifications that enable our customers to run a secure and
S EC U R I T Y & CO M P L I A N C E Q U I C K R E F E R E N C E G U I D E 4
OV E R V I E W
can deploy some of our most We innovate rapidly at scale, continually incorporating your
feedback into AWS services. This benefits you because our
critical production workloads solutions improve over time, and we are constantly evolving our
core security services such as identity and access management,
on the AWS platform. This is logging and monitoring, encryption and key management,
network segmentation, and standard DDoS protection.
a game changer.” You also get advanced security services designed by engineers
with deep insight into global security trends, which allows your
team to proactively address emerging risks in real time. This
Rob Alexander means you can choose the security that meets your needs
CIO, Capital One
as you grow, without upfront expenses and with much lower
operational costs than if you manage your own infrastructure.
S EC U R I T Y & CO M P L I A N C E Q U I C K R E F E R E N C E G U I D E 5
OV E R V I E W
Mark Field
CTO, Thermo Fisher Scientific
S EC U R I T Y & CO M P L I A N C E Q U I C K R E F E R E N C E G U I D E 6
How We
Share
Responsibility
S EC U R I T Y & CO M P L I A N C E Q U I C K R E F E R E N C E G U I D E 7
H OW W E S H A R E R E S P O N S I B I L I T Y
S EC U R I T Y & CO M P L I A N C E Q U I C K R E F E R E N C E G U I D E 8
H OW W E S H A R E R E S P O N S I B I L I T Y
S EC U R I T Y & CO M P L I A N C E Q U I C K R E F E R E N C E G U I D E 9
H OW W E S H A R E R E S P O N S I B I L I T Y
S EC U R I T Y & CO M P L I A N C E Q U I C K R E F E R E N C E G U I D E 10
H OW W E S H A R E R E S P O N S I B I L I T Y
CUSTOMER—SECURITY IN THE CLOUD You can use AWS Service Catalog to create and manage
Much like a traditional data center, you are responsible for catalogs of IT services that you have approved for use on
managing the guest operating system, including installing AWS, including virtual machine images, servers, software, and
updates and security patches. You are also responsible for databases to complete multi-tier application architectures. AWS
managing associated application software, as well as the Service Catalog allows you to centrally manage commonly-
configuration of the AWS-provided security group firewall. Your deployed IT services, and helps you achieve consistent
responsibilities vary depending on the AWS services you choose, governance to meet your compliance requirements, while
how you integrate those services into your IT environment, and enabling users to quickly deploy the approved IT services they
S EC U R I T Y & CO M P L I A N C E Q U I C K R E F E R E N C E G U I D E 11
Assurance
Programs
S EC U R I T Y & CO M P L I A N C E Q U I C K R E F E R E N C E G U I D E 12
A S S U R A N C E P RO G R A M S
S EC U R I T Y & CO M P L I A N C E Q U I C K R E F E R E N C E G U I D E 13
A S S U R A N C E P RO G R A M S
S EC U R I T Y & CO M P L I A N C E Q U I C K R E F E R E N C E G U I D E 14
A S S U R A N C E P RO G R A M S
ISO 27017
ISO 27017 provides guidance about the information security
aspects of cloud computing, and recommends implementing
S EC U R I T Y & CO M P L I A N C E Q U I C K R E F E R E N C E G U I D E 15
A S S U R A N C E P RO G R A M S
SOC FedRAMP
AWS System and Organization Controls (SOC) Reports are A U.S. government program for ensuring standards in security
independent third-party examination reports that demonstrate assessment, authorization, and continuous monitoring.
how AWS achieves key compliance controls and objectives. FedRAMP follows NIST and FISMA defined control standards.
The purpose of these reports is to help you and your auditors AWS offers FedRAMP-compliant systems that have been
understand the AWS controls established to support operations
AWS Artifact granted authorizations, address the FedRAMP security controls,
and compliance. There are three types of AWS SOC Reports: use required FedRAMP templates for the security packages
Certifications/Attestations are performed by a third-party posted in the secure FedRAMP Repository, have been assessed
• SOC 1: Provides information about AWS’ control
independent auditor. by an accredited independent Third Party Assessment
environment that Our
maycertifications,
be relevant toaudit
yourreports,
internal or
controls
attestations of compliance are based on the results of
over financial reporting (ICFR), as well as informationthefor Organization (3PAO), and maintain continuous monitoring
assessment
auditor’s work. of the effectiveness of your ICFR. requirements of FedRAMP.
S EC U R I T Y & CO M P L I A N C E Q U I C K R E F E R E N C E G U I D E 16
Securing
your
content
S EC U R I T Y & CO M P L I A N C E Q U I C K R E F E R E N C E G U I D E 17
S E C U R I N G YO U R CO N T E N T
it, move it, and manage retention. We provide The AWS CloudHSM service allows you to protect your
tools that allow you to easily encrypt your data, encryption keys within hardware security modules (HSMs)
in transit and at rest, to help ensure that only designed and validated to government standards for secure
key management. You can securely generate, store, and
authorized users can access it.
manage the cryptographic keys used for data encryption such
that they are accessible only by you.
Server-Side Encryption
S EC U R I T Y & CO M P L I A N C E Q U I C K R E F E R E N C E G U I D E 18
S E C U R I N G YO U R CO N T E N T
Amazon Macie
With AWS, you know who is accessing your
Amazon Macie uses machine learning to automatically
content, and what resources your organization discover, classify, and protect sensitive data. Macie recognizes
is consuming at any given moment. Fine-grain sensitive data such as personally identifiable information (PII)
identity and access controls, combined with or intellectual property, and continuously monitors data access
activity for anomalies that might single unauthorized access or
continuous monitoring for near real-time security
inadvertent data leaks.
information, ensure that the right resources have
the right access at all times, regardless of where
in the world your information is stored.
S EC U R I T Y & CO M P L I A N C E Q U I C K R E F E R E N C E G U I D E 19
S E C U R I N G YO U R CO N T E N T
configuration changes and security events across AWS Microsoft AD makes it easy to setup and run
your system, even integrating our services with Microsoft Active Directory in the AWS Cloud, or connect
your existing solutions to simplify your operations your AWS resources with an existing on-premises Microsoft
Active Directory.
and compliance reporting.
Important: If we are prohibited from notifying you, or there is clear indication AWS CloudTrail
of illegal conduct in connection with the use of Amazon products or services,
we will not notify you before disclosing your content.
AWS CloudTrail records AWS API calls and delivers log files
that include caller identity, time, source IP address, request
parameters, and response elements. You can use the call history
that CloudTrail provides to enable security analysis, resource
change tracking, and compliance auditing.
S EC U R I T Y & CO M P L I A N C E Q U I C K R E F E R E N C E G U I D E 20
S E C U R I N G YO U R CO N T E N T
2
You retain complete control over which AWS Region(s) your data
is physically stored in, making it easy to meet your compliance
3 and data residency requirements. For example, if you are
3
a European customer, you can choose to deploy your AWS
AWS REG IO NS services exclusively in the EU (Frankfurt) Region. If you make this
choice, your content will be exclusively stored in Germany unless
you select a different AWS Region.
S EC U R I T Y & CO M P L I A N C E Q U I C K R E F E R E N C E G U I D E 21
BUSINESS
CONTINUITY
S EC U R I T Y & CO M P L I A N C E Q U I C K R E F E R E N C E G U I D E 22
B U S I N E S S CO N T I N U I T Y
and we provide you with the features you need to • By distributing applications across multiple AWS Availability
deploy a resilient IT architecture. Our systems are Zones, you can remain resilient in the face of most failure
designed to tolerate system or hardware failures modes, including natural disasters or system failures.
with minimal customer impact. • You can build highly resilient systems in the cloud by
employing multiple instances in multiple AWS Availability
The AWS Cloud supports many popular disaster Zones and using data replication to achieve extremely high
recovery architectures, ranging from “pilot light” recovery time and recovery point objectives.
environments that are ready to scale up at a • You are responsible for managing and testing the backup
moment’s notice to “hot standby” environments and recovery of your information system that is built on the
that enable rapid failover. AWS infrastructure. You can use the AWS infrastructure to
enable faster disaster recovery of your critical IT systems
without incurring the infrastructure expense of a second
physical site.
S EC U R I T Y & CO M P L I A N C E Q U I C K R E F E R E N C E G U I D E 23
AUTOMATION
S EC U R I T Y & CO M P L I A N C E Q U I C K R E F E R E N C E G U I D E 24
AU TO M AT I O N
S EC U R I T Y & CO M P L I A N C E Q U I C K R E F E R E N C E G U I D E 25
RESOURCES
S EC U R I T Y & CO M P L I A N C E Q U I C K R E F E R E N C E G U I D E 26
R E S O U RC E S
S EC U R I T Y & CO M P L I A N C E Q U I C K R E F E R E N C E G U I D E 27