Check For Non Compliant Soc Aws Services And Resources

Ensure that all services and resources utilized in your AWS account are SOC compliant (i.e. are in scope for SOC reports) in order to allow you and your organization to get extensive insights, also known as SOC reports, into the security processes and controls that protect your customer data. These SOC reports are often leveraged by diverse industries, such as technology, healthcare, banking and financial services. System and Organization Controls (SOC) reports are independent third-party examination reports that demonstrate how Amazon Web Services achieves key compliance controls and objectives. SOC reporting provides a broad range of assurance reporting services to address trust and transparency issues. With both financial and nonfinancial reporting options available, your organization can ensure that applies the right set of controls and communicate vital information to its partners.

There are 3 types of AWS System and Organization Controls (SOC) reports:

SOC 1 – audit controls reports that describe the Amazon Web Services control environment and external audit of AWS defined controls and objectives. The primary purpose of this type of reports is to provide information to customers and their auditors about AWS control environment that may be relevant to their internal controls over financial reporting.

SOC 2 – security, availability and confidentiality reports that describe the AWS controls environment and external audit of AWS controls that meet the AICPA Trust Services Security, Availability, Confidentiality and Privacy principles. Their purpose is to provide customers and users with an independent assessment of AWS control environment relevant to system security, availability, processing integrity, confidentiality or privacy. The AWS SOC 1 and SOC 2 reports are available to customers by using Amazon Artifact, a self-service portal for on-demand access to AWS compliance reports such as Service Organization Control (SOC) and Payment Card Industry (PCI) reports and online agreements such as Business Associate Addendums (BAAs) and Nondisclosure Agreements (NDAs).

SOC 3 – general controls reporting that demonstrate how AWS has met the AICPA Trust Services Security, Availability and Confidentiality principles, and Criteria. The reports are public-facing and their primary purpose is to provide customers and users with an independent assessment of Amazon Web Services control environment relevant to system security, availability and confidentiality without disclosing AWS internal information. The AWS SOC 3 report is publicly available as whitepaper at this URL.

To stay compliant with this standard, use only the services and resources listed below with applications that are subject to Service Organization Control (SOC) compliance. The following AWS services and resources are already in scope and are reflected in current SOC reports:

SOC 1, 2 and 3

• Amazon Athena
• Amazon Cloud Directory
• Amazon CloudFront
• Amazon CloudWatch Logs
• Amazon Cognito
• Amazon Connect

SOC 2 only

• Amazon DocumentDB (with MongoDB compatibility)
• Amazon DynamoDB
• Amazon Elastic Container Registry
• Amazon Elastic Container Service (both Fargate and EC2 launch types)
• Amazon ElastiCache
• Amazon Elastic Block Store
• Amazon Elastic Compute Cloud (EC2)
• Amazon Elastic File System
• Amazon EMR
• Amazon Glacier
• Amazon Inspector
• Amazon Kinesis Data Streams
• Amazon Kinesis Video Streams
• Amazon MQ
• Amazon Pinpoint
• Amazon Polly
• Amazon QuickSight
• Amazon Redshift
• Amazon Rekognition
• Amazon Relational Database Service (RDS)
• Amazon Route 53
• Amazon SageMaker
• Amazon SimpleDB
• Amazon Simple Email Service
• Amazon Simple Notification Service
• Amazon Simple Queue Service
• Amazon Simple Storage Service (S3)
• Amazon Simple Workflow Service
• Amazon Virtual Private Cloud
• Amazon WorkDocs
• Amazon WorkMail
• Amazon WorkSpaces
• API Gateway
• AWS Auto Scaling
• AWS AppSync
• AWS Batch
• AWS Certificate Manager
• AWS CloudFormation
• AWS CloudHSM
• AWS CloudTrail
• AWS CodeBuild
• AWS CodeCommit
• AWS Config
• AWS Database Migration Service
• AWS Direct Connect
• AWS Directory Service (Excludes Simple Active Directory)
• AWS Elastic Beanstalk
• AWS Firewall Manager
• AWS Identity & Access Management (IAM)
• VM Import/Export (referenced in the SOC report as Amazon Import/Export)
• AWS IoT Core
• AWS IoT Device Management
• AWS Key Management Service
• AWS Lambda
• AWS Managed Services
• AWS OpsWorks
• AWS Service Catalog
• AWS Shield
• AWS Snowball
• AWS Snowball Edge
• AWS Snowmobile
• AWS Step Functions
• AWS Storage Gateway
• AWS Systems Manager
• AWS WAF
• AWS X-Ray
• AWS Elastic Load Balancing

Consult the updated list of covered AWS services that are in scope for SOC reports before you design, create or upgrade your SOC-compliant application environment within your AWS account. An example of non-compliant SOC service is Amazon Glue, a fully managed extract, transform and load (ETL) service extremely useful for analytics, as AWS Glue service and its resources are not compliant at the time of developing this conformity rule. Because these types of AWS resources are not yet SOC-eligible, your organization cannot achieve compliance if does makes use of AWS Glue crawlers, jobs or development endpoints to extract, process and load data that is considered sensitive and requires an extra layer of protection, data such as Personally Identifiable Information (PII) or Sensitive Personal Information (SPI). With that said, Cloud Conformity strongly recommends to terminate any non-compliant SOC resources (e.g. Amazon Glue resources) in order to obtain SOC compliance for your AWS cloud account. To help your organization maintain SOC compliance, Cloud Conformity monitors your Amazon Web Services account in real time and sends notification alerts as soon as an AWS resource is created outside the SOC standard.

Rationale

System and Organization Controls (SOC) reporting can reduce compliance costs and time spent on audits, proactively address risks within your organization, meet contractual obligations through flexible and customized reporting, and increase trust and transparency to internal and external stakeholders. To qualify as a SOC compliant application in AWS cloud, your application must use the AWS services and resources that are reflected in the current SOC reports (i.e. have SOC certification). For example, for SOC 2 certification, Amazon Web Services withstand regular audits to ensure that the requirements of each of the 5 trust principles of SOC 2 (security, availability, processing integrity, confidentiality and privacy) are met and it remains SOC 2-compliant. But according to Shared Responsibility Model the AWS customers have responsibilities too. They assume responsibility for the management of their operating system and associated application software, as well as the configuration of the AWS-provided services and resources. As an AWS customer, you should carefully consider the AWS services and resources chosen, as your responsibilities vary depending on the services that you use for your application stack. Therefore, you and your organization cannot achieve SOC compliance as long as the developed application is using cloud services and resources that are not SOC eligible.

References

• AWS Documentation
• AWS Compliance Programs
• SOC
• AWS Services in Scope by Compliance Program
• AWS Artifact
• AWS Artifact FAQs
• Shared Responsibility Model

• System and Organization Controls 3 (SOC 3) Report

• AWS Blog(s)

• Frequently Asked Questions About HIPAA Compliance in the AWS Cloud
• New SOC 2 Report Available: Privacy
• Fall 2018 SOC reports now available with 73 services in scope
• Spring 2018 AWS SOC Reports are Now Available with 11 Services Added in Scope