AWS SOC Compliance

AWS Service Organization Control (SOC) Reports are independent third-party examination reports that demonstrate how AWS achieves key compliance controls and objectives. The purpose of these reports is to help you and your auditors understand the AWS controls established to support operations and compliance. There are three types of AWS SOC Reports:

SOC 1

What is the Report? A description of the AWS control environment and an external audit of AWS-defined controls and objectives.

Under what Standard is the Audit Report Performed? AICPA: AT 801, Reporting on Controls at a Service Organization.

What's the Primary Report Purpose? To provide information to customers about AWS' control environment that may be relevant to their internal controls over financial reporting, and to provide information to customers and their auditors for their assessment and opinion of the effectiveness of internal controls over financial reporting (ICOFR).

Who is the Primary Report Audience? Customer management and their auditors.

What Period does the AWS Report Cover? 6 months: 10/1-3/31 and 4/1-9/30.

SOC 2: Security & Availability

What is the Report? A description of the AWS control environment and an external audit of AWS controls that meet the AICPA Trust Services Security and Availability Principles and Criteria.

Under what Standard is the Audit Report Performed? AICPA: AT 101, Attest Engagements; AICPA Technical Practice Aid: TSP Section 100, Trust Services Principles, Criteria, and Illustrations.

What's the Primary Report Purpose? To provide customers and users with a business need with an independent assessment of AWS' control environment relevant to system security and availability.

Who is the Primary Report Audience? Users with a business need.

What Period does the AWS Report Cover? 6 months: 10/1-3/31 and 4/1-9/30.

SOC 3: Security & Availability

What is the Report? A public-facing report demonstrating that AWS has met the AICPA Trust Services Security and Availability Principles and Criteria.

Under what Standard is the Audit Report Performed? AICPA: AT 101, Attest Engagements.

What's the Primary Report Purpose? To provide customers and users with a business need with an independent assessment of AWS' control environment relevant to system security and availability, without disclosing AWS internal information.

Who is the Primary Report Audience? Publicly available.

What Period does the AWS Report Cover? 6 months: 10/1-3/31 and 4/1-9/30.

Attestation Standard Section 801 (AT 801) is a standard designed for service organizations (like AWS) to independently report on compliance with policies, procedures and controls. It provides guidance to the auditors who assess AWS as a service organization. The AWS SOC 1 Report is prepared in accordance with AT 801 by our independent service auditors (Ernst & Young, LLP) and provides an assurance report and independent auditor's opinion on AWS internal controls that may be relevant to a customer's internal control over financial reporting. AT 801 is issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA); it is the codification of the standard commonly known as SSAE 16, which superseded the earlier service auditor standard SAS 70. Note that the AICPA has since recodified this guidance as AT-C section 320 under SSAE 18, so newer service organization reports reference that section rather than AT 801.

The AWS SOC 2 Security & Availability and SOC 3 Security & Availability Reports are prepared in accordance with Attestation Standard Section 101 (AT 101), a standard that enables an auditor to report on subject matter other than financial statements. The examination is based on the AICPA Guide "Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy" and the Trust Services Principles and Criteria.

Issuing Body: Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). Learn more: www.aicpa.org

Standard: Attestation Standard Section 801 (AT 801)

Guidance Description: Reporting on Controls at a Service Organization. This section addresses examination engagements undertaken by a service auditor to report on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities' internal control over financial reporting. Learn more: AT 801

Report: SOC 1

Standard: Attestation Standard Section 101 (AT 101)

Guidance Description: Attest Engagements. This section establishes a framework for attest engagements and outlines general attestation standards, including examples of examination reports and review reports. Learn more: AT 101

Reports: SOC 2: Security & Availability; SOC 3: Security & Availability

The AWS services that are already in scope for the SOC reports are listed under AWS Services in Scope by Compliance Program. If you would like to learn more about using these services, or have an interest in other services, please contact us.

The AWS SOC Reports cover the data centers in the US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US), EU (Ireland), EU (Frankfurt), Asia Pacific (Singapore), Asia Pacific (Seoul), Asia Pacific (Mumbai), Asia Pacific (Sydney), Asia Pacific (Tokyo), and South America (São Paulo) Regions.

The following AWS Edge Locations are also covered by the report; for more information on AWS' global infrastructure refer here.

  • Melbourne, Australia
  • Sydney, Australia
  • Rio de Janeiro, Brazil
  • São Paulo, Brazil
  • Hong Kong, China
  • London, England
  • Marseille, France
  • Paris, France
  • Frankfurt, Germany
  • Chennai, India
  • Mumbai, India
  • New Delhi, India
  • Dublin, Ireland
  • Milan, Italy
  • Osaka, Japan
  • Tokyo, Japan
  • Seoul, Korea
  • Amsterdam, Netherlands
  • Manila, Philippines
  • Warsaw, Poland
  • Singapore
  • Madrid, Spain
  • Stockholm, Sweden
  • Taipei, Taiwan
  • California, United States
  • Florida, United States
  • Georgia, United States
  • Illinois, United States
  • Indiana, United States
  • Missouri, United States
  • New Jersey, United States
  • New York, United States
  • Texas, United States
  • Virginia, United States
  • Washington, United States

Ernst & Young LLP performs the AWS SOC 1, SOC 2 and SOC 3 audits.

AWS issues two SOC 1, SOC 2, and SOC 3 Reports covering 6-month periods each year (the first report covers October 1 – March 31 and the second report covers April 1 – September 30). New reports are released in mid-May and mid-November.

The AWS SOC 1 Audit is also conducted in accordance with International Standard on Assurance Engagements No. 3402 (ISAE 3402). Customers needing an ISAE 3402 Report should request the AWS SOC 1 Type II Report.

An NDA is required only to review the AWS SOC 1 and SOC 2 reports; the AWS SOC 3 report is publicly available here. The AWS SOC 3 report is a summary of the AWS SOC 2 report. It states that AWS meets the AICPA Trust Services Principles covered in SOC 2 and includes the external auditor's opinion on the operation of controls.

The AWS SOC 1 and SOC 2 reports are available to customers through AWS Artifact, a self-service portal for on-demand access to AWS' compliance reports. Get started with AWS Artifact today.

The AWS SOC 3 is publicly available and can be found here.
