Free AWS service tackles the tedium of compliance reporting

Compiling a compliance report for auditors might not be the most thrilling task in security, but it’s still necessary to show that security controls meet key standards, such as ISO 27001, payment card industry (PCI) requirements, and Service Organization Control (SOC).

To make the job a little easier, Amazon Web Services (AWS) has launched a free service called AWS Artifact to give customers immediate access to automatically generated AWS compliance reports.

“The release of AWS Artifact sets the stage for AWS to transform the auditing industry, moving auditing from being time-intensive and manual to highly automated and continuous in the cloud,” said AWS director of risk and compliance, Chad Woolf.

AWS customers can generate the reports once signed in to the AWS Management Console. These reports can be shared with auditors, regulators or customers, or customers can give each individual third party direct access to reports relevant to the standard under assessment. This can be done via settings in Amazon’s identity management permissions.

Another way AWS thinks Artifact can take the cost and hassle out of compliance reporting is by ensuring the integrity of documents used in the reports.

Customers that use Artifact documents may need to agree to Amazon’s confidentiality terms in a legally binding non-disclosure agreement. After this, they will be given access to review the documents, each of which is given a unique and traceable watermark.

One advantage of giving third parties direct access to the reports stems from AWS’s so-called shared responsibility model. AWS is responsible for the security of documents stored on its servers, but once downloaded, the customer is responsible. AWS encourages customers to use its own document-sharing service, WorkDocs, or other secure document-sharing services, but not email.

Customers are also still responsible for having their own systems audited, as the Artifact service can only be used to demonstrate the security and compliance of AWS infrastructure and services used. However, as AWS notes, customers also use the documents as a guideline when assessing their own internal controls. The documents contain, for example, information on additional security controls to support how customers use their systems.

As per AWS’ shared responsibility model, it is responsible for infrastructure such as compute instances, storage, databases and networking, as well as its regions, availability zones and edge locations. Customers are responsible for everything “in” AWS’ cloud, ranging from the platform to firewall and OS configuration, and encryption.

Stories by Liam Tung
