Check For C5 Compliance

Ensure that all AWS services and resources used for your SaaS and PaaS applications are C5-compliant in order to meet C5 requirements by effectively implementing the Federal Office for Information Security (BSI) standard level of IT security at all layers.

Cloud Computing Compliance Controls Catalog (C5) is an audited standard introduced in Germany by the Federal Office for Information Security (BSI) to help organizations demonstrate operational security against common cyber attacks within the context of the German Government's program "Security Recommendations for Cloud Providers". The purpose of the Cloud Computing Compliance Controls Catalog is to provide a consistent security framework for professional cloud service providers and to give their customers assurance that their data will be managed securely. C5 certification can be used by AWS customers and their compliance advisors to understand the range of IT-security assurance services that Amazon Web Services offers as they move their workloads to the cloud.

C5 adds the regulatory-defined IT-security level equivalent to the IT-Grundschutz (a methodology to identify and implement IT security measures in an organization, introduced by BSI) with the addition of cloud-specific controls. It also adds security controls that provide information related to data location, service provisioning, place of jurisdiction, existing certification, information disclosure constraints and a full-service description. Using this information, AWS customers can evaluate how legal regulations, data privacy, internal policies or the threat environment relate to their use of cloud computing products.

AWS customers can get C5 attestation for their cloud applications without being required to audit the physical security of data centers or the infrastructure of the AWS cloud. Using the AWS infrastructure, you are effectively implementing the BSI standard level of IT security at all layers. However, to become C5-compliant, you have to use AWS services and resources that are already in scope for Cloud Computing Compliance Controls Catalog (C5). To achieve and maintain C5 compliance, ensure that only the following AWS services (and their resources) are used within your AWS account:

Compliant in Dublin (eu-west-1) region

  • Amazon CloudFront
  • Amazon DynamoDB
  • Amazon ElastiCache
  • Amazon Elastic Block Store (EBS)
  • Amazon Elastic Compute Cloud (EC2)
  • Amazon Elastic MapReduce
  • Amazon Glacier
  • Amazon Redshift
  • Amazon RDS
  • Amazon Route 53
  • Amazon Simple Queue Service (SQS)
  • Amazon Simple Storage Service (S3)
  • Amazon Simple Workflow Service (SWF)
  • Amazon Virtual Private Cloud (VPC)
  • AWS CloudFormation
  • AWS CloudTrail
  • AWS Config
  • AWS Database Migration Service
  • AWS Direct Connect
  • AWS Elastic Beanstalk
  • AWS Identity & Access Management (IAM)
  • AWS Key Management Service
  • AWS Lambda
  • AWS Storage Gateway
  • AWS WAF
  • AWS Elastic Load Balancing
  • AWS VM Import/Export
  • AWS Athena
  • AWS API Gateway
  • AWS CloudDirectory
  • AWS CloudFront
  • AWS CloudWatch - excludes CloudWatch Events
  • AWS Cognito
  • AWS DynamoDB
  • AWS Elastic Container Registry (ECR)
  • AWS Elastic Container Service (ECS)
  • AWS ElastiCache
  • AWS Elastic Block Store (EBS)
  • AWS Elastic Compute Cloud (EC2)
  • AWS Elastic File System (EFS)
  • AWS EMR
  • AWS Glacier
  • AWS Inspector
  • AWS Kinesis Data Streams
  • AWS Kinesis Video Streams
  • AWS MQ
  • AWS Polly
  • AWS QuickSight
  • AWS Redshift
  • AWS Rekognition
  • AWS Relational Database Service
  • AWS Route 53
  • AWS SageMaker
  • AWS Simple Email Service (SES)
  • AWS Simple Notification Service (SNS)
  • AWS Simple Queue Service (SQS)
  • AWS Simple Storage Service (S3)
  • AWS Simple Workflow Service (SWF)
  • AWS SimpleDB
  • AWS Virtual Private Cloud (VPC)
  • AWS WorkDocs
  • AWS WorkMail
  • AWS WorkSpaces
  • AWS AppSync
  • AWS Auto Scaling
  • AWS Batch
  • AWS Certificate Manager
  • AWS CloudFormation
  • AWS CloudHSM
  • AWS CloudTrail
  • AWS CodeBuild
  • AWS CodeCommit
  • AWS Config
  • AWS Database Migration Service
  • AWS Direct Connect
  • AWS Directory Service - excludes Simple Active Directory
  • AWS Elastic Beanstalk
  • AWS Firewall Manager
  • AWS Identity & Access Management (IAM)
  • AWS Import/Export
  • AWS IoT Core
  • AWS IoT Device Management
  • AWS Key Management Service
  • AWS Lambda
  • AWS Managed Services
  • AWS OpsWorks - excludes Chef Automate and Puppet Enterprise
  • AWS Service Catalog
  • AWS Shield
  • AWS Snowball
  • AWS Snowball Edge
  • AWS Snowmobile
  • AWS Step Functions
  • AWS Storage Gateway
  • AWS Systems Manager
  • AWS WAF
  • AWS X-Ray
  • AWS Elastic Load Balancing

Compliant in Frankfurt (eu-central-1) region

  • AWS Athena
  • AWS API Gateway
  • AWS CloudFront
  • AWS CloudWatch - excludes CloudWatch Events
  • AWS Cognito
  • AWS Connect
  • AWS DynamoDB
  • AWS Elastic Container Registry (ECR)
  • AWS Elastic Container Service (ECS)
  • AWS ElastiCache
  • AWS Elastic Block Store (EBS)
  • AWS Elastic Compute Cloud (EC2)
  • AWS Elastic File System (EFS)
  • AWS EMR
  • AWS Glacier
  • AWS Inspector
  • AWS Kinesis Data Streams
  • AWS Kinesis Video Streams
  • AWS MQ
  • AWS Polly
  • AWS Redshift
  • AWS Relational Database Service
  • AWS Route 53
  • AWS SageMaker
  • AWS Simple Notification Service (SNS)
  • AWS Simple Queue Service (SQS)
  • AWS Simple Storage Service (S3)
  • AWS Simple Workflow Service (SWF)
  • AWS SimpleDB
  • AWS Virtual Private Cloud (VPC)
  • AWS WorkSpaces
  • AWS AppSync
  • AWS Batch
  • AWS Certificate Manager
  • AWS CloudFormation
  • AWS CloudHSM
  • AWS CloudTrail
  • AWS CodeBuild
  • AWS CodeCommit
  • AWS Config
  • AWS Database Migration Service
  • AWS Direct Connect
  • AWS Directory Service - excludes Simple Active Directory
  • AWS Elastic Beanstalk
  • AWS Firewall Manager
  • AWS Identity & Access Management (IAM)
  • AWS Import/Export
  • AWS IoT Core
  • AWS IoT Device Management
  • AWS Key Management Service
  • AWS Lambda
  • AWS Managed Services
  • AWS OpsWorks - excludes Chef Automate and Puppet Enterprise
  • AWS Service Catalog
  • AWS Shield
  • AWS Snowball
  • AWS Snowball Edge
  • AWS Snowmobile
  • AWS Step Functions
  • AWS Storage Gateway
  • AWS Systems Manager
  • AWS WAF
  • AWS X-Ray
  • AWS Elastic Load Balancing

Based on your workload and business needs, you can select only the Dublin region services, only the Frankfurt region services, or the eligible services available in both regions, in the rule settings, on the Cloud Conformity account dashboard. Verify the updated list of C5-eligible AWS services before you design, create, modify or upgrade your C5-compliant application within AWS cloud.

An example of an AWS service that does not have C5 attestation is Amazon Neptune, a fast, scalable and reliable graph database service that makes it easy to build and run applications that work with highly connected datasets. AWS Neptune resources are not C5-compliant at this moment. Because Amazon Neptune is not yet C5-eligible, your SaaS or PaaS application will fail to achieve C5 compliance as long as it is processing data using Amazon Neptune service resources and features. That being said, it is recommended to terminate any AWS resources that are not C5-compliant in order to meet Cloud Computing Compliance Controls Catalog (C5) security requirements within your AWS account. To help your organization maintain C5 compliance, Cloud Conformity monitors your AWS account in real time and sends notification alerts as soon as a cloud resource is created outside the C5 standard.