Check For MTCS Compliance
Ensure that all AWS services and resources utilized within your AWS account are MTCS Tier 3 compliant in order to meet cloud industry best practices for protecting sensitive data while maintaining essential business functions.

The Multi-Tier Cloud Security (MTCS) standard was developed by the Information Technology Standards Committee (ITSC) for Cloud Service Providers (CSPs) in Singapore and represents the world's first security standard that covers multiple tiers of cloud security. CSPs can apply MTCS to meet a variety of cloud user requirements, ensuring the security of sensitive data and the continuity of critical business functions. MTCS has 3 levels of security, Level 1 being the base and Level 3 being the most rigorous. MTCS Level 3 adds a new set of security controls to supplement those in Levels 1 and 2. Level 3 controls address security risks and threats in high-impact IT systems using cloud services (e.g. hosting applications that process sensitive information) and security risks in regulated systems.

Amazon Web Services was the first CSP to achieve the Singapore Multi-Tier Cloud Security Standard (MTCS SS584) Level-3 certification. This certification gives users and organizations the certainty to utilize AWS cloud components to host and process their highly confidential data in Singapore. To reach MTCS Level-3 certification, Amazon Web Services (AWS) must design and implement a comprehensive suite of information security controls and other forms of risk management to address architecture security risks, embrace a complete management process to ensure that the developed security controls meet their information security needs on an ongoing basis, and systematically evaluate AWS cloud information security risks, taking into account the impact of various threats and vulnerabilities.

As a customer who uses AWS components (i.e. services and resources) to store, process or transmit sensitive data in Singapore, you can rely on the AWS cloud infrastructure, as it is MTCS-compliant. However, since security and compliance are a shared responsibility between AWS and its customers, you should carefully consider the AWS services you choose to work with, as your responsibilities vary depending on the services used, the integration of those services into your application environment, and local laws and regulations. Therefore, you can get MTCS Level 3 compliance for your cloud applications only by using MTCS-eligible AWS services and resources. To achieve and maintain MTCS Tier 3 compliance, use only the AWS services listed below:
AWS customers can get C5 attestation for their cloud applications without being required to audit the physical security of data centers or the infrastructure of the AWS cloud. Using the AWS infrastructure, you are effectively implementing the BSI standard level of IT security at all layers. However, to become C5-compliant, you have to use AWS services and resources that are already in scope for Cloud Computing Compliance Controls Catalog (C5). To achieve and maintain C5 compliance, ensure that only the following AWS services (and their resources) are used within your AWS account:
AWS Services
- Amazon API Gateway
- Amazon Cloud Directory
- Amazon CloudFront
- Amazon CloudWatch Logs
- Amazon Cognito
- Amazon DynamoDB
- Amazon ElastiCache
- Amazon Elastic Block Store (EBS)
- Amazon Elastic Compute Cloud (EC2)
- Amazon Elastic Container Registry (ECR)
- Amazon Elastic Container Service (ECS)
- Amazon Elastic MapReduce
- Amazon Glacier
- Amazon Kinesis Data Streams
- Amazon QuickSight
- Amazon Redshift
- Amazon RDS (MariaDB)
- Amazon RDS (MySQL, Oracle)
- Amazon RDS (Postgres)
- Amazon RDS (SQL Server)
- Amazon Route 53
- Amazon SimpleDB
- Amazon Simple Notification Service (SNS)
- Amazon Simple Storage Service (S3)
- Amazon Simple Queue Service (SQS)
- Amazon Simple Workflow Service (SWF)
- Amazon Virtual Private Cloud (VPC)
- Amazon WorkDocs
- Amazon WorkSpaces
- Amazon Auto Scaling
- Amazon Batch
- Amazon CloudFormation
- Amazon CloudHSM
- Amazon CloudTrail
- Amazon CodeBuild
- Amazon CodeCommit
- Amazon CodeDeploy
- Amazon CodePipeline
- Amazon Config
- Amazon Database Migration Service
- Amazon Direct Connect
- Amazon Directory Service
- Amazon Elastic Beanstalk
- Amazon Identity & Access Management (IAM)
- Amazon IoT Core
- Amazon Key Management Service (KMS)
- Amazon Lambda
- Amazon Lambda@Edge
- Amazon OpsWorks Stacks
- Amazon Shield
- Amazon Snowball
- Amazon Snowball Edge
- Amazon Snowmobile
- Amazon Step Functions
- Amazon Storage Gateway
- Amazon Systems Manager
- Amazon WAF
- Amazon X-Ray
- Amazon Elastic Load Balancing
- Amazon VM Import/Export
Review the up-to-date list of AWS services that support the MTCS Tier 3 standard before you design, create, modify or upgrade your MTCS-compliant environment within your AWS account. An example of a service that is not MTCS Tier 3 compliant is Amazon DocumentDB (with MongoDB compatibility), a fast, scalable, highly available and fully managed document database service that supports MongoDB workloads, as AWS DocumentDB resources are not yet MTCS-compliant. Because this AWS service is not yet eligible, your cloud application will fail to achieve MTCS compliance as long as it is storing, processing or transmitting confidential data using Amazon DocumentDB resources such as DocumentDB database clusters.

Therefore, Cloud Conformity strongly recommends terminating any AWS resources that are not MTCS Level 3 compliant in order to meet MTCS compliance requirements in your AWS account. To help you and your organization maintain MTCS compliance, Cloud Conformity monitors your Amazon Web Services account in real time and sends notification alerts as soon as an AWS resource is created outside the MTCS Tier 3 security standard.
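The check described above, sketched as an added example (not Cloud Conformity's implementation): it scans CloudTrail records for resource-creation calls and flags services that are absent from the list on this page. The event records are constructed, and the event-source mapping and the assumption that DocumentDB cluster creation is logged under the RDS API with engine `docdb` are this example's own.

```python
# CloudTrail eventSource prefixes ("ec2" for ec2.amazonaws.com) for the services
# listed on this page. The name-to-prefix mapping is an assumption of this example;
# verify it against the current AWS MTCS scope list before relying on it.
MTCS_EVENT_SOURCES = {
    "apigateway", "clouddirectory", "cloudfront", "logs", "cognito-idp",
    "cognito-identity", "dynamodb", "elasticache", "ec2", "ecr", "ecs",
    "elasticmapreduce", "glacier", "kinesis", "quicksight", "redshift", "rds",
    "route53", "sdb", "sns", "s3", "sqs", "swf", "workdocs", "workspaces",
    "autoscaling", "batch", "cloudformation", "cloudhsm", "cloudtrail",
    "codebuild", "codecommit", "codedeploy", "codepipeline", "config", "dms",
    "directconnect", "ds", "elasticbeanstalk", "iam", "iot", "kms", "lambda",
    "opsworks", "shield", "snowball", "states", "storagegateway", "ssm", "waf",
    "xray", "elasticloadbalancing",
}
# Unlisted services reached through a listed API. Assumption: DocumentDB clusters
# are created via rds.amazonaws.com with requestParameters.engine == "docdb".
OUT_OF_SCOPE_ENGINES = {("rds", "docdb"): "Amazon DocumentDB"}
CREATE_PREFIXES = ("Create", "Run")  # event names treated as resource creation

def find_violations(events):
    """Return (eventID, eventName, reason) for creations outside the list."""
    findings = []
    for ev in events:
        if not ev["eventName"].startswith(CREATE_PREFIXES):
            continue  # reads and updates create no new resource
        service = ev["eventSource"].split(".")[0]
        engine = (ev.get("requestParameters") or {}).get("engine")  # may be null
        if service not in MTCS_EVENT_SOURCES:
            reason = f"{service} is not on the MTCS Level 3 service list"
        elif (service, engine) in OUT_OF_SCOPE_ENGINES:
            reason = f"{OUT_OF_SCOPE_ENGINES[(service, engine)]} is not on the list"
        else:
            continue
        findings.append((ev["eventID"], ev["eventName"], reason))
    return findings

# Constructed sample records, trimmed to the fields the check reads.
SAMPLE_EVENTS = [
    {"eventID": "evt-1", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "requestParameters": None},
    {"eventID": "evt-2", "eventSource": "rds.amazonaws.com", "eventName": "CreateDBCluster", "requestParameters": {"engine": "docdb"}},
    {"eventID": "evt-3", "eventSource": "rds.amazonaws.com", "eventName": "CreateDBInstance", "requestParameters": {"engine": "mysql"}},
    {"eventID": "evt-4", "eventSource": "sagemaker.amazonaws.com", "eventName": "CreateNotebookInstance", "requestParameters": {}},
    {"eventID": "evt-5", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "requestParameters": {}},
]

if __name__ == "__main__":
    for finding in find_violations(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

The DocumentDB case is why a service-level allowlist alone is not enough: the call arrives through an in-scope API, so the request parameters have to be inspected as well.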
Rationale
The objective of the MTCS standard is to encourage adoption of sound risk management and security practices for cloud computing by providing relevant cloud security practices and controls for Cloud Service Providers (CSPs), so that they can strengthen and demonstrate the cloud security controls in their cloud environments. Amazon Web Services is certified MTCS SS584 (Level 3), providing the necessary protections to satisfy the MTCS Tier 3 security requirements, so that you can use MTCS-compliant AWS services to build cloud applications that store, process or transmit sensitive or confidential data in Singapore. Note that not all AWS components are MTCS Tier 3-eligible, so using cloud services that fail to comply with the Multi-Tier Cloud Security (MTCS) standard regulations can raise concerns about the security and confidentiality of data processed in the cloud.