Security and Compliance for Australia and New Zealand
Learn how organisations are keeping their data secure and meeting their local compliance standards across Australia and New Zealand (ANZ).
Security is a top priority at Amazon Web Services
Customers in Australia and New Zealand use the AWS Cloud to store confidential data, process sensitive transactions and build critical services. Choose AWS’s world-class infrastructure and benefit from AWS’s secure and resilient environment to protect your information and build applications that enable your business. Learn about Australia and New Zealand’s data privacy and security compliance requirements from our Security and Privacy Knowledge Hub for Australia and New Zealand, and see how AWS can help you meet or exceed your security goals.
Stay up-to-date
What is AWS security in Australia and New Zealand?
Watch our quick 3-minute video to learn more about AWS security in Australia and New Zealand.
AWS achieves Strategic Hosting Provider certification
AWS has achieved Strategic Hosting Provider certification under the Australian Government’s Hosting Certification Framework (HCF), which means government agencies can continue to innovate at a rapid pace and be confident that AWS meets the government’s requirements to support the secure management of government systems and data.
2024 H2 IRAP report is now available on AWS Artifact for Australian customers
We are excited to announce that a new Information Security Registered Assessors Program (IRAP) report (2024 H2) is now available through AWS Artifact. The new IRAP report includes an additional six AWS services, as well as the new AWS Melbourne Region, that are now assessed at the PROTECTED level under IRAP. This brings the total number of services assessed at the PROTECTED level to 164.
Blog: Now Open — AWS Asia Pacific (Melbourne) Region in Australia
The AWS Asia Pacific (Melbourne) Region is the second infrastructure Region in Australia, in addition to the Asia Pacific (Sydney) Region, bringing the total number of Regions in Asia Pacific to fourteen.
Data privacy in Australia and New Zealand
Australia Data Privacy
The Australian Privacy Principles (APPs) set out in the Australian Privacy Act 1988 (Cth) impose requirements for collecting, managing, dealing with, using, disclosing and otherwise handling personal information. The APPs set out data protection principles to protect the privacy of individuals.
New Zealand Data Privacy
New Zealand's privacy framework is the Privacy Act 2020 (NZ), whose Information Privacy Principles govern the collection, storage, use and disclosure of personal information. New Zealand, like most countries, has also enacted legislation that enables New Zealand law enforcement and government security bodies to seek access to information, including the New Zealand Security Intelligence Service Act 1969 and the Government Communications Security Bureau Act 2003 (both since replaced by the Intelligence and Security Act 2017).
Data privacy FAQs
AWS gives you ownership and control over your content through simple, powerful tools that allow you to determine where your content will be stored, secure your content in transit and at rest, and manage your access to AWS services and resources for your users.
Meet your local compliance goals
Using AWS in the context of Australian privacy considerations
This whitepaper focuses on typical questions asked by AWS customers when they are considering the implications of the Australian Privacy Act on their use of AWS services to store or process content containing personal information.
 
 
Using AWS in the context of New Zealand privacy considerations
This document provides information to assist customers who want to use AWS to store or process content containing personal information, in the context of key privacy considerations and the New Zealand Privacy Act 2020 (NZ).
 
 
AWS Compliance
Learn more about our compliance offerings and the benefits of using AWS to meet standards around the globe.
 
 
Meeting government compliance requirements
Information Security Registered Assessors Program (IRAP) PROTECTED Program
AWS Cloud services have been assessed by an independent IRAP assessor against the applicable controls of the Australian Government Information Security Manual (ISM). The assessment examined the security controls of AWS's people, processes, and technology, and provides assurance that, for the assessed services, AWS has in place the controls required for Australian government workloads at the PROTECTED level. The assessment covers the controls AWS operates; customers remain responsible for the ISM controls that apply to their own workloads and configuration (see the shared responsibility model below). For more information, go to AWS Artifact to access the IRAP PROTECTED pack from the most recent assessment.
Meeting financial services compliance requirements
Australian Prudential Regulation Authority (APRA)
Learn about the legal and regulatory requirements in Australia and New Zealand that may apply to AWS financial institution customers' use of AWS services.
Hear from our local customers
Commonwealth Bank
The Commonwealth Bank (CBA) is Australia's leading provider of integrated financial services. CBA’s purpose is to improve the financial well-being of customers and communities. CBA offers products and services in retail banking, insurance, investing and superannuation, business, and institutional banking. CBA’s priorities are to lead Australia’s recovery and transition, reimagine products and services, deliver global best digital experiences and technology, and have simpler, better foundations.
CBA has been using AWS since the launch of the AWS Sydney Region in 2012. CBA extensively uses AWS services such as Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service (Amazon EKS), Amazon Simple Storage Service (Amazon S3), Amazon Relational Database Service (Amazon RDS), Amazon Aurora, Amazon GuardDuty, AWS Security Hub, and AWS Shield. CBA has collaborated with AWS Professional Services since 2017 to build their first and second generation AWS Cloud platform to securely build, host, and operate their public website, mobile banking app, wealth management portal, retail share trading web application, and, most recently, their open banking solution.
"Cybersecurity is a team sport, and it’s important to us that we partner with organisations that have a strong security culture,” explains Keith Howard, CBA’s CISO. “In partnering with AWS, we are able to use a suite of sophisticated cloud native security services to intelligently protect our customers in real time. We also value the global access to AWS service teams and deep security and risk specialists who support us to continuously optimise our capabilities."
 
 
Australia Post
Australia Post is a government business enterprise (GBE) that’s completely self-funded with both commercial and community service obligations.
In 2018, the organisation experienced account and role proliferation in its AWS environments, which made security governance hard to apply, created privilege-escalation risk, and put strain on operations teams who had to configure roles and privileges manually in every AWS account. The AWS Professional Services team helped conduct a full security review and risk assessment of the environment. Following this, Australia Post launched the Security Uplift Program to address governance at scale. This included delivering a DevSecOps pipeline, consolidating roles and privileges, and building an automated, serverless solution that provisions federated AWS Identity and Access Management (IAM) roles, registers them with the identity provider and maps them to Active Directory groups.
"We want to make security as invisible to the developers as possible. We don’t want them to have to think about security; it should just happen. We’re paying $5 a month to run a process that’s going to remediate any violations against your security policy within 30 to 45 seconds. We’re talking about 30 to 45 seconds to remediate a particular condition, and that is magnitudes better than what we’d be able to achieve if we were using a more traditional approach. If we were trying to tackle these sorts of things without the help of automation, we might be talking about hours, days, weeks to remediate. And the reality is you’ve got a repeatable process here, and you’re going to get that same remediation and that same level of service every single time. Using AWS native tools is very important to help us get that improved coverage. Our compliance levels are through the roof, and it’s easy to track that. If you went out and bought a product that does this it would cost thousands of dollars per month. Now we are doing over 70,000 checks a month, and growing, and it costs us $5 per month. We can keep adding to this and the costs only go up a tiny little bit.” – Steven Stojanovski, Head of Security, Education, and Culture, and Jason Gorringe, Manager of Cloud Services, Australia Post, 2019.
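The role-provisioning approach described above (federated IAM roles mapped to directory groups) is the kind of thing that is easy to get subtly wrong in the trust policy. The following is an added example, not Australia Post's or AWS's code: it builds a trust policy that only a named SAML identity provider can use, derives IAM role names from directory group names, and checks an existing trust policy for the mistakes that matter (a wildcard principal, a provider other than the expected one, actions beyond sts:AssumeRoleWithSAML, or a missing SAML:aud condition). The account ID, provider name and group names are hypothetical; nothing calls AWS, the output is the JSON you would pass to iam:CreateRole or iam:UpdateAssumeRolePolicy.

```python
# Added example (not Australia Post's or AWS's code). Hypothetical account ID,
# SAML provider name and group names; no AWS API calls are made.
import json
import re

# The audience AWS puts in its SAML request. A trust policy without this
# condition would accept assertions the IdP issued for other service providers.
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
ALLOWED_ACTIONS = {"sts:AssumeRoleWithSAML", "sts:TagSession"}


def saml_provider_arn(account_id, provider_name):
    return f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"


def build_trust_policy(account_id, provider_name):
    """Trust policy usable only by the named SAML provider, only for the AWS audience."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": saml_provider_arn(account_id, provider_name)},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def role_name_for_group(ad_group):
    """Derive an IAM role name (max 64 chars, charset [A-Za-z0-9+=,.@_-]) from a directory group name."""
    return re.sub(r"[^A-Za-z0-9+=,.@_-]", "-", ad_group)[:64]


def plan_federated_roles(account_id, provider_name, groups):
    """Map each directory group to the role name and trust policy to provision."""
    policy = build_trust_policy(account_id, provider_name)
    return {role_name_for_group(g): policy for g in groups}


def check_trust_policy(policy, expected_provider_arn):
    """Return findings for an existing trust policy; an empty list means it is scoped as intended."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        # "*" or an "AWS" principal lets IAM principals assume the role directly.
        if not isinstance(principal, dict) or "AWS" in principal:
            findings.append("principal is not restricted to a federated provider")
            continue
        if principal.get("Federated") != expected_provider_arn:
            findings.append(f"unexpected federated principal: {principal.get('Federated')}")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if not set(actions) <= ALLOWED_ACTIONS:
            findings.append(f"actions beyond AssumeRoleWithSAML: {sorted(actions)}")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != SAML_AUDIENCE:
            findings.append("missing or wrong SAML:aud condition")
    return findings


if __name__ == "__main__":
    account, provider = "123456789012", "CorpADFS"  # hypothetical
    plan = plan_federated_roles(account, provider, ["AWS Prod ReadOnly", "AWS Prod Admin"])
    for name, trust in plan.items():
        print(name, json.dumps(trust, indent=2))
        print("findings:", check_trust_policy(trust, saml_provider_arn(account, provider)))
```

Running check_trust_policy over every role's trust policy on a schedule is a cheap way to catch a role whose trust was later widened by hand, which is the privilege-escalation path the paragraph above is worried about.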
 
 
KINNECT
Founded in 1996, KINNECT is one of the leading privately owned occupational health companies in Australia. KINNECT is the only company in this space to have developed their own SaaS platform, Carelever. Carelever enables companies to effectively manage their people’s occupational health in real time with preventative services (pre-employment assessments), injury management (returning injured people back to work) and health surveillance (monitoring the ongoing health of their people). KINNECT’s deep discipline specific knowledge of people’s health allows them to innovate with their clients to enable technology enabled occupational health solutions.
Carelever wanted to minimise operational overhead and did not want to spend time patching and managing underlying infrastructure, so they use managed services such as Amazon Elastic Container Service (Amazon ECS) and AWS Certificate Manager (ACM). Because they also require auditability and governance, KINNECT use AWS CloudTrail as a tamper-evident audit log of their API calls (for that log to be trustworthy, CloudTrail log file validation must be enabled and the destination S3 bucket protected against deletion and overwrite) and AWS Config to govern the configuration of their environment. Finally, they use AWS WAF (Web Application Firewall) to protect their web application from layer 7 attacks, and AWS CloudFormation to ensure consistent deployments across environments.
"Confidential healthcare data needs not only a highly secure and safe environment but an efficient one too," says Kevin Conlon, Chief Executive and founder of Carelever. "Since 2012 when we started our journey with AWS, the solutions they've provided us are world-class. Moreover, the team has taken the time to really understand our business needs and really helped us to create a scalable, secure and robust platform. We are delighted to count AWS as one of our integral partners."
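An audit log is only as good as your ability to notice when it has been altered. The following is an added example, not KINNECT's or AWS's code, showing the part of CloudTrail log file validation that detects a log file modified or deleted after delivery: each hourly digest file lists the delivered log files with a SHA-256 hash, and the check recomputes those hashes against what is in the bucket now. It assumes the digest's hashValue is the SHA-256 of the log file's decompressed JSON contents, and that the digest itself has already been authenticated (its RSA signature is carried in S3 object metadata and verified against CloudTrail's published public key, which needs network access and is not done here). The log records, object keys, bucket name and digest below are constructed for the example.

```python
# Added example (not KINNECT's or AWS's code). Records, keys and the digest
# are constructed here; the hash-over-decompressed-contents rule is an assumption.
import gzip
import hashlib
import json


def log_file_bytes(records):
    """CloudTrail delivers log files as gzip-compressed {"Records": [...]} JSON (constructed here)."""
    return gzip.compress(json.dumps({"Records": records}).encode())


def log_hash(gz_bytes):
    """Hex SHA-256 over the decompressed log contents (assumption noted above)."""
    return hashlib.sha256(gzip.decompress(gz_bytes)).hexdigest()


def build_digest(bucket, files):
    """Minimal digest document carrying the logFiles entries that validation uses."""
    return {
        "awsAccountId": "123456789012",               # hypothetical
        "digestStartTime": "2024-01-01T00:00:00Z",
        "digestEndTime": "2024-01-01T01:00:00Z",
        "logFiles": [
            {"s3Bucket": bucket, "s3Object": key,
             "hashAlgorithm": "SHA-256", "hashValue": log_hash(data)}
            for key, data in files.items()
        ],
    }


def verify_log_files(digest, stored):
    """Compare each digest entry with the object now in the bucket. Returns {key: status}."""
    status = {}
    for entry in digest.get("logFiles", []):
        key = entry["s3Object"]
        data = stored.get(key)
        if entry.get("hashAlgorithm") != "SHA-256":
            status[key] = "unsupported algorithm"
        elif data is None:
            status[key] = "missing"          # deleted, or never delivered
        elif log_hash(data) != entry["hashValue"]:
            status[key] = "hash mismatch"    # altered after delivery
        else:
            status[key] = "ok"
    return status


def demo():
    """Two delivered log files; an attacker then empties one and deletes the other."""
    prefix = "AWSLogs/123456789012/CloudTrail/ap-southeast-2/2024/01/01/"  # hypothetical
    records = [
        {"eventName": "PutBucketPolicy", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
        {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    ]
    delivered = {
        prefix + "a.json.gz": log_file_bytes(records[:1]),
        prefix + "b.json.gz": log_file_bytes(records[1:]),
    }
    digest = build_digest("example-trail-logs", delivered)
    tampered = {prefix + "a.json.gz": log_file_bytes([])}   # b.json.gz deleted
    return verify_log_files(digest, tampered)


if __name__ == "__main__":
    for key, result in demo().items():
        print(result, key)
```

The same check is what `aws cloudtrail validate-logs` performs for you, with the digest signature verification included; the point of writing it out is to see that the detection depends on the digest files surviving untouched, which is why the bucket policy and Object Lock settings on the log bucket matter as much as enabling validation.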
 
 
nib
nib Group (nib) is a trusted international health partner, empowering their members to make better decisions and improve health outcomes through greater accessibility to affordable health services and information. nib have a mission and vision of people enjoying better health. Through its success, nib aspires to more prosperous and sustainable communities, not only the creation of enterprise value.
nib achieved a major milestone in the Australian cloud technology landscape with the successful migration of the system of record for their corporate health insurance business. The health insurer’s number one priority has always been to ensure the security of its members’ information. They worked hard to create strong security controls and supporting documentation for adhering to and maintaining the standards demanded by the regulator, as well as their own privacy policy. To achieve this, nib uses a number of AWS security services, including AWS Key Management Service (AWS KMS) to manage cryptographic keys and encrypt their data, AWS Secrets Manager to protect and rotate their passwords and other credentials, and Amazon GuardDuty to monitor their AWS environment for suspicious or malicious activity.
"We are an international organisation so we come under both local and global regulatory compliance which means ensuring we meet the expectations of a range of regulators. That’s why we use AWS Trusted Advisor and the Well Architected Framework as it gives us independent guidance on what our maturity and capability looks like,” Wayne Bozza, Head of Cyber Security – nib Group
 
 
Canva
Canva's mission is clear: empower everyone in the world to design anything and to publish anywhere. Millions across the globe use the company’s online design services to create social media graphics, presentations, posters, documents, and other visual content.
To complement their already strong security posture, Canva worked with AWS Professional Services to build a cloud-based cyber activity data lake. The approach provides new threat detection and digital investigation capabilities. Within the data lake, Amazon Elasticsearch Service (now Amazon OpenSearch Service) indexes large datasets and allows Canva to store vast amounts of historical data to facilitate the analysis of past cyber activity. Other key components include AWS Glue to extract and transform the data, Amazon Kinesis Data Streams to ingest the data in real time, and Amazon S3 to hold the datasets.
"We have better security situational awareness thanks to AWS Professional Services. We know in real time what is currently going on and what has transpired,” says Moe Abbas, cloud platform lead for Canva.
 
 
AWS Cloud infrastructure in Australia and New Zealand
Security at AWS starts with our core infrastructure. Custom-built for the cloud and designed to meet the most stringent security requirements in the world, our infrastructure is monitored 24/7 to help protect the confidentiality, integrity, and availability of your data. We automatically encrypt all data flowing across the AWS global network that interconnects our data centers and Regions at the physical layer before it leaves our secured facilities. This covers the network between AWS facilities; traffic between your users and AWS service endpoints, and within your own applications, is encrypted only where you configure it (for example, TLS on your endpoints and the encryption options of the services you use).
Australia and New Zealand Regions and edge locations
AWS customers choose the AWS Region(s) in which their content is stored. AWS will not move or replicate your content outside of your chosen AWS Region(s) without your consent, except in each case as necessary to comply with the law or a binding order of a governmental body. Choose the AWS Region(s) that are appropriate for your need.
AWS Region in Sydney, Australia
With an AWS Region in Sydney, Australia, AWS customers in Australia can now enjoy fast, low-latency access to the suite of AWS infrastructure services. We also have an edge location for Amazon Route 53 and Amazon CloudFront in Sydney.
AWS Region in Melbourne, Australia
The Asia Pacific (Melbourne) region is now open with three Availability Zones. In addition to the Asia Pacific (Sydney) Region, there are already seven CloudFront Edge locations in Australia, backed by a Regional edge cache in Sydney.
CloudFront edge location in New Zealand
In New Zealand, our two new edge locations in Auckland will provide viewers as much as a 50 percent reduction in p90 latency measures. These new edge locations are priced within CloudFront’s Australia geographic region.
Global Infrastructure
The AWS Global Infrastructure is the most secure, extensive, and reliable cloud platform, offering over 200 fully featured services from data centers globally.
Global topics
CLOUD Act
The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) is an update to United States law that clarifies the geographic scope of United States law enforcement requests and provides new means for service providers to challenge requests that conflict with another country's laws or national interests.
General Data Protection Regulation (GDPR) centre
The European Union’s General Data Protection Regulation (GDPR) protects European Union data subjects' fundamental right to privacy and the protection of personal data. It introduces robust requirements that will raise and harmonize standards for data protection, security, and compliance.
Security & Privacy Knowledge Hub
What is the AWS Security and Privacy Knowledge Hub?
The new AWS Security and Privacy Knowledge Hub for Australia and New Zealand (ANZ) contains resources to help AWS customers build the right data security posture and processes so they can maintain the highest security standards as they innovate and grow.
The new website contains Australia and New Zealand specific resources, including the latest news on security and privacy in ANZ, viewpoints and opinions from AWS security experts and other leaders, and security and privacy reference materials. It also includes stories about Australian and New Zealand companies running secure workloads on AWS, cyberskills training, and certification advice.
Why is AWS launching the AWS Security and Privacy Knowledge Hub now?
At AWS, security is our highest priority. We believe it’s critical that organisations understand the best and most secure ways to use cloud technology, and have the right security posture and processes in place to maintain the highest security standards. This is why we are excited to announce the new AWS Security and Privacy Knowledge Hub for Australia and New Zealand.
Cloud is providing organisations across Australia and New Zealand with the flexibility to adapt quickly, and scale their digital presence up or down in response to consumer demand. We expect to see cloud adoption continue to accelerate as organisations of all sizes realise the agility, operational, financial, and innovation advantages of moving to the cloud. For organisations to fully harness the benefits of the digital economy, it’s important they remain vigilant on the security of technology systems, and protect the privacy of information they store.
AWS Security and Compliance
Is AWS secure?
Yes. At AWS, security is our highest priority. AWS has been built to be the most flexible and secure cloud computing environment available today. Our world-class core infrastructure is built to satisfy the security requirements for military, global banks, and other high-sensitivity organisations. AWS uses the same secure hardware and software to build and operate each of our regions, so all of our customers benefit from the only commercial cloud that has had its service offerings and associated supply chain vetted and accepted as secure enough for top-secret workloads. This is backed by a deep set of cloud security tools, with more than 230 security, compliance, and governance services and key features.
There are hundreds of thousands of active customers using AWS services in Australia and New Zealand each month, including many running highly secure workloads on AWS. Examples include the Commonwealth Bank of Australia (CBA), National Australia Bank (NAB), Bank of New Zealand, nib, the Commonwealth Scientific and Industrial Research Organisation (CSIRO), Origin Energy, Trustpower, Telstra, Vodafone New Zealand, the Australian Securities and Investments Commission (ASIC), the New Zealand Ministry of Health, and the Australian Taxation Office (ATO).
Further to this, 97 AWS services had been assessed at the PROTECTED level when this FAQ was written (the 2024 H2 IRAP report noted above covers 164), PROTECTED being the highest Australian government data classification attainable for public cloud services.
If the cloud is secure by default, why does AWS need to invest in education initiatives to support security?
Security and compliance are a shared responsibility between AWS and the customer. AWS is responsible for security and compliance 'of' the cloud, and implements security controls to secure the underlying infrastructure that runs the AWS services and hosts and connects customer resources. AWS customers are responsible for security 'in' the cloud: they should determine, design, and implement the appropriate security controls based on the sensitivity of their data, their security and compliance needs, and the AWS services they select.
We are committed to providing access to the latest information and training materials to educate our customers on best practices of security in the cloud.
Can you guarantee the U.S. law enforcement will not have access to data stored in AWS through the CLOUD Act?
The CLOUD Act does not grant law enforcement agencies unfettered access to data stored in the cloud. The CLOUD Act's scope is to enable U.S. law enforcement to seek evidence about U.S. crimes, namely a crime affecting a U.S. citizen or a crime committed in the United States. AWS also provides industry-leading encryption and key management services that give customers a range of options to encrypt data and to manage encryption and decryption keys. Encrypted content is unreadable without the applicable decryption keys, so the strength of this protection depends on who can use those keys: the strongest position is encryption with keys that AWS itself cannot use, such as client-side encryption with keys held outside AWS. As with all services built on AWS, the customer always owns and controls the data.
How does AWS secure its data centres?
AWS data centres are secure by design and our controls make that possible. Before AWS builds a data centre, we spend countless hours considering potential threats and designing, implementing, and testing controls to ensure the systems, technology, and people we deploy counteract risk. To help customers fulfil their own audit and regulatory requirements, AWS provides insight into some of its physical and environmental controls.
Customer data and support
Does AWS have access to customer data?
AWS does not access or use customer content for any purpose without a customer’s consent. AWS never uses customer content or derives information from it for marketing or advertising. Customers maintain full control of their content and responsibility for configuring access to AWS services and resources. AWS provides an advanced set of access, encryption, and logging features to help customers do this effectively. We provide Application Programming Interfaces (APIs) for customers to configure access control permissions for any of the services they develop or deploy in an AWS environment.
Will AWS move its customers’ data?
AWS will not move or replicate customer content outside the customer's chosen AWS Region(s) without their consent, except in each case as necessary to comply with the law or a binding order of a governmental body. AWS customers choose the AWS Region(s) in which their content is stored and the type of storage. Customers can replicate and back up their content in more than one AWS Region.
How has the pandemic impacted security for AWS and its customers?
The rapid increase in work from home arrangements has forced companies and consumers to quickly adopt new technologies, placing pressure on organisations to ensure that they are still meeting their security requirements, with less time to review technology. The introduction of new technology systems is also driving an increased focus on training and security within organisations.
Many of our customers have also shared with us that moving their workforce to home for the first time has blended consumer technologies with corporate data; for companies that didn’t already have virtual desktop infrastructure or widely rolled out corporate laptops (or corporate images on personal devices), some parts of the workforce have had to share computers with children going to school online. This increased the need to focus on more of the workforce being located outside the traditional network boundary and decide how to handle the access to data from a wider range of devices and locations.
We are committed to helping organisations understand the best and most secure ways to use cloud technology, and ensure they have the right security posture and processes in place to maintain the highest security standards.
What measures does AWS provide to customers to protect their data?
AWS customers inherit the security controls operated by AWS, which strengthens their own compliance and certification programs, and gain access to tools that reduce the effort of meeting their own security assurance requirements. These measures include:
- Control. Customers have ownership and control over their content through simple, powerful tools that enable them to determine where their content will be stored, secure their content in transit and at rest, and manage user access to their AWS services and resources.
- Strong encryption. AWS has industry leading encryption services that give customers a range of options to encrypt data in-transit and at rest, and to manage encryption and decryption keys – because encrypted content is rendered useless without the applicable decryption keys.
- Compliance programs. AWS supports more security standards and compliance certifications than any other offering, including IRAP, PCI-DSS, HIPAA/HITECH, GDPR, FIPS 140-2, and NIST 800-171, helping satisfy compliance requirements for virtually every regulatory agency around the globe, including in Australia and New Zealand.
- Contractual protections. AWS never accesses or uses customer content for any purpose except as agreed by customers.
- Information request safeguards. AWS will not disclose customer content unless required to do so to comply with the law or a binding order of a government body. When AWS receives a request for data, we have tools to challenge it and a long track record of doing so. AWS will give customers reasonable notice of any government requests to disclose their content to allow them to seek a protective order or other appropriate remedy, unless AWS is legally prohibited from doing so. AWS informs customers about the types and volume of information requests we receive.
What training is AWS providing to build cyberskills?
AWS is an enabler and driver of economic growth, but we aren’t just helping organisations to innovate and grow, we are helping them build skills and capability to keep up with change and help ensure they maintain the highest levels of security in the cloud.
Recent research commissioned by AWS and conducted by AlphaBeta also reveals that cybersecurity will be one of the top five in-demand skills across Asia-Pacific by 2025. The new AWS Security and Privacy Knowledge Hub for Australia and New Zealand is part of our ongoing commitment to invest in education and initiatives that support our customers, partners, and industry to improve their skills so they can unlock the full potential of the cloud; it is about building knowledge, capability, and security skills through local information, expert advice, and practical resources.
AWS is committed to addressing the skills gap in Australia and New Zealand and continues to provide individuals and organisations the latest in education and training for individuals to develop and enhance their security skills and address critical cybersecurity needs in their organisations. AWS Training and Certification offers over 40 courses, self-paced labs, an AWS Certified Security – Specialty certification, and other resources to raise everyone’s security competence in IT and security departments. These training offerings are designed for a broad range of learners, such as DevOps engineers, cloud architects, solutions architects, developers, compliance personnel, auditors, IT business analysts, or existing security engineers looking to improve their knowledge.
What support does AWS provide to customers in the event of a privacy breach?
Because customers maintain control of their content when using AWS, customers retain the responsibility to monitor their own environment for privacy breaches and to notify regulators and affected individuals as required under applicable law. Only the customer is able to manage this responsibility.
Customers can also choose to use AWS Identity Services, enabling them to securely manage identities, resources, and permissions at scale. For applications running on AWS, customers can use fine-grained access controls to grant employees, applications, and devices the access they need to AWS services and resources within easily deployed governance guardrails. AWS Identity Services provide flexible options for where and how customers manage employee, partner, and customer identities; when identities are federated from an external identity provider, authentication is performed outside AWS, and customers are responsible for monitoring the use of that identity provider.
Additionally, recent amendments to both the Australian and New Zealand Privacy Acts introduced notifiable privacy breach schemes. These schemes aim to give affected individuals the opportunity to take steps to protect their personal information following a privacy breach.
AWS offers both Australian Notifiable Data Breaches (ANDB) and New Zealand Notifiable Data Breach (NZNDB) addenda to customers who are subject to these Privacy Acts and are using AWS to store and process personal information covered by these privacy breach schemes. These addenda address customers’ need for notification if a security event affects their data. These addenda are offered as two types, either account-only (i.e., applying to a specific AWS account) or AWS Organization (i.e., applying to the management and all member accounts in an AWS Organization).
These addenda are available online as click-through agreements in AWS Artifact, which is a customer-facing audit and compliance portal that can be accessed from the AWS Management Console. In AWS Artifact, customers can review and activate the relevant addendum for those AWS accounts used to store and process personal information covered by these privacy breach schemes.