AWS Cloud Security

SOC

Overview

AWS System and Organization Controls (SOC) Reports are independent third-party examination reports that demonstrate how AWS achieves key compliance controls and objectives. The purpose of these reports is to help you and your auditors understand the AWS controls established to support operations and compliance. There are three AWS SOC Reports:

AWS SOC 1 Report, available to AWS customers from AWS Artifact.
AWS SOC 2 Security, Availability, Confidentiality, & Privacy Report available to AWS customers from AWS Artifact.
AWS SOC 3 Security, Availability, Confidentiality, & Privacy Report, publicly available as a whitepaper.

AWS SOC Reports

What is the report?

SOC 1
A description of the AWS control environment and external audit of AWS defined controls and objectives.

SOC 2: Security, Availability, Confidentiality, & Privacy
A description of the AWS controls environment and external audit of AWS controls that meet the AICPA Trust Services Criteria for Security, Availability, Confidentiality, and Privacy

SOC 3: Security, Availability, Confidentiality, & Privacy
A public facing report demonstrating AWS has met the AICPA Trust Services Criteria for Security, Availability, Confidentiality, and Privacy

Under what Standard is the Audit Report Performed?

SOC 1
SSAE No. 18, Attestation Standards: Clarification and Recodification (AICPA, Professional Standards), which includes AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting. AICPA Guide, Service Organizations: Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (SOC 1®)

SOC 2: Security, Availability, Confidentiality, & Privacy
SSAE No. 18, Attestation Standards: Clarification and Recodification, which includes AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®) TSP section 100A, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, 2017 Trust Services Criteria)

SOC 3: Security, Availability, Confidentiality, & Privacy
SSAE No. 18, Attestation Standards: Clarification and Recodification, which includes AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements TSP section 100A, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, 2017 Trust Services Criteria)

What's the Primary Report Purpose?

SOC 1
To provide information to customers about AWS' control environment that may be relevant to their internal controls over financial reporting.
To provide information to customers and their auditors for their assessment and opinion of the effectiveness of internal controls over financial reporting (ICFR).

SOC 2: Security, Availability, Confidentiality, & Privacy
To provide customers and users with a business need with an independent assessment of AWS' control environment relevant to system security, availability, confidentiality, and privacy.

SOC 3: Security, Availability, Confidentiality, & Privacy
To provide customers and users with a business need with an independent assessment of AWS' control environment relevant to system security, availability, confidentiality, and Privacy without disclosing AWS internal information.

Who is the Primary Report Audience?

SOC 1
Customer management and their auditors

SOC 2: Security, Availability, Confidentiality, & Privacy
Users with business need

SOC 3: Security, Availability, Confidentiality, & Privacy
Publicly available here

What Period does the AWS Report Cover?

SOC 1
12 months: ending 3/31, 6/30, 9/30, 12/31

SOC 2: Security, Availability, Confidentiality, & Privacy
12 months: ending 3/31, 9/30

SOC 3: Security, Availability, Confidentiality, & Privacy
12 months:: ending 3/31, 9/30

General FAQs

Open all

Where can I find a SOC Continued Operations Letter (also known as a Bridge Letter)?

The SOC Continued Operations Letter (also known as a Bridge Letter or COL) for the AWS SOC 1 and SOC 2 reports is updated monthly and is available in Artifact (Title: SOC Continued Operations Letter). The COL is generally published in the first week of each month covering the period from the date of the last issued SOC report to the date that the COL is published.

AWS on SOC

Open all

Which AWS services are in scope for the SOC Reports?

The covered AWS services that are already in scope for the SOC reports can be found within AWS Services in Scope by Compliance Program. If you would like to learn more about using these services and/or have interest in other services please contact us.

Which regions are covered by the AWS SOC Reports?

For a complete list of all in scope regions please refer to the AWS SOC 3 Report.

Who performs the independent third-party audit of AWS for the SOC Reports?

Ernst & Young LLP performs the AWS SOC 1, SOC 2, and SOC 3 audits.

How often are the AWS SOC Reports issued and when can I expect a new report to be released?

AWS publishes SOC 1 reports quarterly and SOC 2 and 3 reports twice per year. Each report covers the previous 12 months. There are many factors that play into the release date of the report, but new reports are generally released approximately 9-10 weeks after the end date of that period.

Spring Cycle: (April 1 - March 31) [SOC 1/2/3 issued approximately late May]
Summer Cycle: (July 1 - June 30) [SOC 1 only issued approximately late August]
Fall Cycle: (October 1 - September 30) [SOC 1/2/3 issued approximately late November]
Winter Cycle: (January 1 - December 31) [SOC 1 only issued approximately late February]

Is there an ISAE 3402 Report?

The AWS SOC 1 Audit is conducted in accordance with International Standards for Assurance Engagements No. 3402 (ISAE 3402). Customers needing an ISAE 3402 Report should request the AWS SOC 1 Type II Report by using AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact.

Is a non-disclosure agreement (NDA) required to receive the AWS SOC Reports?

An NDA is required to review the AWS SOC 1 and SOC 2 reports. The AWS SOC 3 report is a publicly available summary of the AWS SOC 2 report. The AWS SOC 3 report outlines how AWS meets the AICPA’s Trust Services Criteria in SOC 2 and includes the external auditor’s opinion of the operation of controls. You can read the latest AWS SOC 3 Report on the AWS website.

How do I request an AWS SOC 1 or SOC 2 Report?

The AWS SOC 1 and SOC 2 are available to customers by using AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact.

Where can I find the AWS SOC 3 Report?

The latest AWS SOC 3 Report is publicly available on the AWS website.

When will new regions be covered by the SOC Reports?

AWS issues SOC 1 reports quarterly and SOC 2/3 reports twice per year. Each report covers a 12 month period. As appropriate, we will scope in new regions to our SOC reports at the next available review cycle.

SOC