Check For C5 Compliance
Ensure that all services and resources utilized in your AWS account are IRAP compliant in order to meet IRAP standard requirements and protect Australian government data from unauthorized access, abuse and disclosure when it is processed by AWS cloud services.

The Information Security Registered Assessors Program (IRAP) provides a framework for evaluating the implementation, appropriateness and effectiveness of an IT organization's data security controls against Australian government security requirements. IRAP enables Australian government customers to validate that the relevant security controls are in place, and to determine the appropriate responsibility model for addressing the security requirements of the Australian government Information Security Manual (ISM) produced by the Australian Signals Directorate (ASD). Protecting Australian government data from unauthorized access, exploitation and public exposure is crucial when leveraging cloud services such as AWS. Amazon Web Services recognizes that its customers rely on the secure delivery of the AWS infrastructure and on having components that enable them to create secure environments. AWS helps its customers meet these objectives by prioritizing security through a wide range of security services and features. These security services provide comprehensive controls over the customer's IT control environment and offer improved security outcomes for the Australian government. Amazon Web Services is IRAP compliant: an independent IRAP assessor examined the AWS security controls, including the processes and the implemented technology, to ensure they address the requirements of the Information Security Manual (ISM). The IRAP certification provides assurance that the AWS cloud implements the controls required by the ISM for accrediting Amazon Web Services for Australian government workloads.
The IRAP assessment and ASD Certification cover the Amazon Sydney region; however, AWS treats all regions equally in terms of the security controls, policies and processes used to operate them.
As an Australian government agency and an AWS customer that makes use of cloud services and resources to store, process or transmit government data, you can trust the Amazon Web Services infrastructure, as it is IRAP-compliant. However, since security and compliance are a shared responsibility between the AWS cloud and its customers, you should carefully consider the AWS services that you choose to work with: your responsibilities vary depending on the AWS services used, the integration of those services into your application environment, and Australian laws and regulations. For that reason, your organization can become IRAP-compliant only by using IRAP-eligible AWS services and resources. To achieve and maintain Information Security Registered Assessors Program (IRAP) compliance, ensure that only the following AWS services are used in your account:
IRAP UNCLASSIFIED
- Amazon API Gateway
- Amazon CloudFront
- Amazon CloudWatch
- Amazon CloudWatch Logs
- Amazon Cognito
- Amazon DynamoDB
- Amazon EC2 Container Service (ECS)
- Amazon Elastic Block Store (EBS)
- Amazon Elastic Compute Cloud (EC2)
- Amazon Elastic MapReduce (EMR)
- Amazon Elasticache
- Amazon Glacier
- Amazon GuardDuty
- Amazon Inspector
- Amazon Kinesis Data Firehose
- Amazon Kinesis Data Streams
- Amazon Redshift
- Amazon Relational Database Service (RDS)
- Amazon Route 53
- Amazon S3 Transfer Acceleration
- Amazon Simple Notification Service (SNS)
- Amazon Simple Queue Service (SQS)
- Amazon Simple Storage Service (S3)
- Amazon Simple Workflow Service
- Amazon Virtual Private Cloud (VPC)
- Amazon WorkDocs
- Amazon WorkSpaces
- AWS Auto Scaling
- AWS CloudFormation
- AWS CloudHSM
- AWS CloudTrail
- AWS Config
- AWS Direct Connect
- AWS Directory Service
- AWS Elastic Load Balancing (ELB)
- AWS Identity and Access Management (IAM)
- AWS Key Management Service (KMS)
- AWS Lambda
- AWS Lambda@Edge
- AWS Organizations
- AWS Shield
- AWS Step Functions
- AWS Systems Manager (SSM)
- AWS Trusted Advisor
- AWS Web Application Firewall (WAF)
- AWS Web Application Firewall (WAF) Regional
IRAP PROTECTED
- Amazon API Gateway
- Amazon CloudFront
- Amazon CloudWatch
- Amazon CloudWatch Logs
- Amazon Cognito
- Amazon DynamoDB
- Amazon EC2 Container Service (ECS)
- Amazon Elastic Block Store (EBS)
- Amazon Elastic Compute Cloud (EC2)
- Amazon Elastic MapReduce (EMR)
- Amazon Elasticache
- Amazon Glacier
- Amazon GuardDuty
- Amazon Inspector
- Amazon Kinesis Data Firehose
- Amazon Kinesis Data Streams
- Amazon Redshift
- Amazon Relational Database Service (RDS)
- Amazon S3 Transfer Acceleration
- Amazon Simple Notification Service (SNS)
- Amazon Simple Queue Service (SQS)
- Amazon Simple Storage Service (S3)
- Amazon Simple Workflow Service
- Amazon Virtual Private Cloud (VPC)
- Amazon WorkDocs
- Amazon WorkSpaces
- AWS Auto Scaling
- AWS CloudFormation
- AWS CloudHSM
- AWS CloudTrail
- AWS Config
- AWS Direct Connect
- AWS Directory Service
- AWS Elastic Load Balancing (ELB)
- AWS Identity and Access Management (IAM)
- AWS Key Management Service (KMS)
- AWS Lambda
- AWS Lambda@Edge
- AWS Step Functions
- AWS Systems Manager (SSM)
- AWS Web Application Firewall (WAF)
- AWS Web Application Firewall (WAF) Regional
Based on your organization's regulatory compliance needs, you have the option to select only UNCLASSIFIED, only PROTECTED, or both types of services within the rule settings on the Cloud Conformity account dashboard. Review the updated list of IRAP-eligible AWS services before you design, create, modify or upgrade your IRAP-compliant application in the AWS cloud. An example of an AWS service that is not IRAP-compliant is Amazon Elastic File System (EFS), a simple, scalable, elastic file system service for Linux-based workloads that is used with AWS cloud resources such as EC2 instances and with on-premises resources. Because Amazon EFS is not yet IRAP-compliant, your cloud application will fail to achieve IRAP compliance as long as it is storing, processing or transmitting Australian government data using AWS EFS resources and features. Therefore, it is strongly recommended to terminate any AWS resources that are not IRAP-compliant in order to meet IRAP compliance requirements within your AWS account. To help you and your organization maintain IRAP compliance, Cloud Conformity monitors your Amazon Web Services account in real time and sends notification alerts as soon as an AWS resource is created outside the IRAP standard.
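The check described above, as an added example that is not part of the original page and is not Cloud Conformity's own rule code: it takes an inventory of service names observed in an account (for instance from billing data or CloudTrail) and reports any that are not on the selected IRAP allowlist. The allowlists are the two lists from this page; the UNCLASSIFIED list is derived as the PROTECTED list plus the four services that appear only in the UNCLASSIFIED list (Route 53, Organizations, Shield, Trusted Advisor). The sample inventory is constructed, and the meaning of selecting "both" classifications (a service is accepted if it is on either list) is an assumption made here.

```python
"""Allowlist check: flag AWS services in use that are not IRAP-eligible (added example)."""
import re

# PROTECTED allowlist, exactly as listed on the page.
IRAP_PROTECTED = frozenset({
    "Amazon API Gateway", "Amazon CloudFront", "Amazon CloudWatch", "Amazon CloudWatch Logs",
    "Amazon Cognito", "Amazon DynamoDB", "Amazon EC2 Container Service (ECS)",
    "Amazon Elastic Block Store (EBS)", "Amazon Elastic Compute Cloud (EC2)",
    "Amazon Elastic MapReduce (EMR)", "Amazon Elasticache", "Amazon Glacier",
    "Amazon GuardDuty", "Amazon Inspector", "Amazon Kinesis Data Firehose",
    "Amazon Kinesis Data Streams", "Amazon Redshift",
    "Amazon Relational Database Service (RDS)", "Amazon S3 Transfer Acceleration",
    "Amazon Simple Notification Service (SNS)", "Amazon Simple Queue Service (SQS)",
    "Amazon Simple Storage Service (S3)", "Amazon Simple Workflow Service",
    "Amazon Virtual Private Cloud (VPC)", "Amazon WorkDocs", "Amazon WorkSpaces",
    "AWS Auto Scaling", "AWS CloudFormation", "AWS CloudHSM", "AWS CloudTrail", "AWS Config",
    "AWS Direct Connect", "AWS Directory Service", "AWS Elastic Load Balancing (ELB)",
    "AWS Identity and Access Management (IAM)", "AWS Key Management Service (KMS)",
    "AWS Lambda", "AWS Lambda@Edge", "AWS Step Functions", "AWS Systems Manager (SSM)",
    "AWS Web Application Firewall (WAF)", "AWS Web Application Firewall (WAF) Regional",
})
# The page's UNCLASSIFIED list is the PROTECTED list plus these four services.
IRAP_UNCLASSIFIED = IRAP_PROTECTED | frozenset({
    "Amazon Route 53", "AWS Organizations", "AWS Shield", "AWS Trusted Advisor",
})
ALLOWLISTS = {
    "UNCLASSIFIED": IRAP_UNCLASSIFIED,
    "PROTECTED": IRAP_PROTECTED,
    # Assumption: selecting both classifications accepts a service found on either list.
    "BOTH": IRAP_UNCLASSIFIED | IRAP_PROTECTED,
}

_VENDOR = re.compile(r"^(amazon|aws)\s+", re.IGNORECASE)
_PAREN = re.compile(r"\(([^)]*)\)")


def _norm(text):
    """Drop the 'Amazon'/'AWS' vendor prefix, collapse whitespace, lowercase."""
    text = _VENDOR.sub("", text.strip())
    return re.sub(r"\s+", " ", text).strip().lower()


def aliases(name):
    """Lookup keys for a service name: the spelled-out form without parentheses and the
    form with the parenthesised acronym substituted, so that 'Amazon EC2' matches
    'Amazon Elastic Compute Cloud (EC2)' and 'AWS WAF Regional' matches the Regional entry."""
    spelled_out = _PAREN.sub("", name)
    acronym_form = re.sub(r"^[^()]*\(([^)]*)\)", r"\1", name, count=1)
    return {_norm(spelled_out), _norm(acronym_form)}


def build_index(allowlist):
    """Map every alias of every allowed service back to its canonical page name."""
    index = {}
    for service in allowlist:
        for key in aliases(service):
            index[key] = service
    return index


def non_compliant(services_in_use, classification="PROTECTED"):
    """Return the sorted, de-duplicated list of services in use that are not on the
    allowlist for the chosen classification ('UNCLASSIFIED', 'PROTECTED' or 'BOTH')."""
    try:
        index = build_index(ALLOWLISTS[classification.upper()])
    except KeyError:
        raise ValueError("classification must be one of %s" % sorted(ALLOWLISTS))
    flagged = {svc for svc in services_in_use
               if not any(key in index for key in aliases(svc))}
    return sorted(flagged)


# Constructed inventory, as a billing or CloudTrail export might name the services.
SAMPLE_INVENTORY = [
    "Amazon Elastic Compute Cloud (EC2)",
    "Amazon EC2",                        # same service, short form
    "Amazon Simple Storage Service (S3)",
    "AWS Key Management Service (KMS)",
    "Amazon Route 53",                   # UNCLASSIFIED only
    "AWS Shield",                        # UNCLASSIFIED only
    "Amazon Elastic File System (EFS)",  # on neither list (the page's own example)
]

if __name__ == "__main__":
    for level in ("UNCLASSIFIED", "PROTECTED", "BOTH"):
        print(level, "->", non_compliant(SAMPLE_INVENTORY, level) or "compliant")
```

Run against the constructed inventory, the PROTECTED check flags Route 53, Shield and EFS, while the UNCLASSIFIED check flags only EFS; feeding it the service names from your own account's billing data is the obvious next step. Because the alias matching strips vendor prefixes and parenthesised acronyms, a renamed or abbreviated service still maps to the page's entry, which keeps false alarms down, but any service the page does not list at all is always reported.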
Rationale
The Information Security Registered Assessors Program (IRAP) represents a defensive step towards maximizing the security of Australian Government data in the cloud, including the infrastructure used for storing, processing and transmitting this data. IRAP has a multi-stage certification process that starts with a security assessment, in which the IRAP assessor gains a detailed understanding of the applying provider's system (in this case, the AWS cloud). The assessor reviews the system architecture, the operating procedures and the documentation (including the information security policy and threat risk assessment, system security plans, security risk management plans and incident response plans). Since Amazon Web Services is IRAP-certified, it provides the security controls needed to satisfy the IRAP requirements, so that you can use IRAP-compliant AWS services to build cloud applications that work with Australian Government information. However, because not all AWS cloud services and resources are IRAP-eligible, using cloud components that fail to comply with the IRAP regulations can raise concerns about the security and privacy of the processed data and eventually lead to penalties.