Is Your AWS Cloud Environment Remaining Compliant?

Security is a natural concern when moving to the cloud—not only during the migration itself, but also when an enterprise is up and running. A big part of overall security is regulatory compliance. There are plenty of rules and regulations that a business must follow in order to remain compliant, and it can be overwhelming trying to remember them all.

Having the backing of a good partner helps. For example, Amazon Web Services offers security at scale, and is also helpful in answering any questions that come up regarding compliance. In fact, the compliance sector of AWS receives thousands of questions every month. AWS compiled some of the most common compliance questions into an FAQ. Below is a summary of the advice AWS is giving out most often.

Enterprises operating in the cloud are responsible for remaining compliant with applicable laws and regulations, and it’s up to the business itself to determine whether its AWS services meet the requirements. Compliance certifications and attestations (which are evidence proving something is true) are assessed by an independent, third-party auditor. The result is either a certification, attestation of compliance, or audit report. There’s a long list of assurance programs that a business can receive certification for, including FedRAMP, ISO 9001, PCI DSS Level 1, and SOC 1, 2, and 3.

In addition to certifications, AWS also offers functionality (like security features), compliance enablers, and legal agreements to support customer compliance. EU Model Clauses, HIPAA, ITAR, and VPAT / Section 508 are among the included assurance programs in this category.

Finally, compliance alignments and frameworks “include published security or compliance requirements for a specific purpose,” for example, a specific industry or function. Again, AWS provides functionality and enablers for these kinds of programs, and some alignments and frameworks are actually covered by other compliance programs. Some of the assurance programs in this category are CJIS, FISC, FISMA, and NERC.

There are some compliance aspects that AWS does not cover, as it operates on the AWS Shared Responsibility Model. What does this mean? In essence, AWS manages the security of the cloud itself, while enterprises must be responsible for compliance and security within the cloud. The enterprise must do its due diligence in terms of security implemented to protect its content, infrastructure, and networks, and as a result, it must make sure it’s adhering to any relevant compliance and regulatory requirements. The below video sheds a bit more light on the idea of the Shared Responsibility Model:

Luckily, you’re not completely alone in making sure you’re compliant. AWS offers a great resource in its AWS Config Rules, which is open to all members of the AWS community. Any member can contribute and provide his or her expertise, which makes the AWS Config Rules a great educational tool—there’s a lot of great knowledge out there. It’s a streamlined way to automate assessment and compliance against best practices for security of AWS resources.

AWS’s formal security incident response plan is also a good source to draw from for any enterprise detailing up a similar plan. The important thing to remember is that a solid plan addresses purpose, scope, roles, responsibilities, and management commitment. AWS uses a simple three-phased approach for incident management: detect the incident, address the incident using a specialized team, and conduct a postmortem and deep root-cause analysis of the incident. On top of that, there are also mechanisms that will alert the customer support team of any operational issues that might limit how AWS customers can work.

In the world of compliance and security, it’s better to be safe than sorry. Educating yourself is the best first step before developing a proactive incident response plan. Especially if you’re going after certain compliance, it’s not a bad idea to seek counsel from a partner that’s already compliant in that assurance program. For example, we were granted a FedRAMP ATO several months ago for private cloud managed services, which only strengthens the services we offer to government agencies like the U.S. Departments of Veterans Affairs, Homeland Security, Health and Human Services, and Energy. Additionally, our PCI compliant hosting solution assures an enterprise’s customers can be trusting with their financial data.

To learn more about compliance in the cloud, feel free to check out AWS’ Compliance page.

David Lucky is a Product Marketing leader at Rackspace for the Managed Public Cloud services group, a global business unit focused on delivering end-to-end digital transformation services on AWS, Azure, GCP and Alibaba. David came to Rackspace from Datapipe where as Director of Product Management for six years he led product development in building services to help enterprise clients leverage managed IT services to solve complex business challenges. David has unique insight into the latest product developments for private, public and hybrid cloud platforms and a keen understanding of industry trends and their impact on business development. He holds an engineering degree from Lehigh University and is based out of Jersey City, NJ. You can follow David on LinkedIn at and Twitter @Luckys_Blog.