SOC Report Overview
System and Organization Controls (SOC) Reports are third party reports that explain how compliance controls and objectives are achieved. AWS provides a number of security programs and certifications, that AWS clients are able to take advantage of. SOC reports detail the security controls that organizations have configured for the organization and their technologies. Companies are able to leverage Amazon’s SOC2 reports to build SOC2 Compliant applications.
Organization’s that manage client infrastructure, such as Infrastructure-as-a-service (IaaS) providers that provide physical security and monitoring to companies may find clients requesting SOC2 compliance credentials. Teams that utilize AWS SOC controls will be able to utilize will be less responsible for these specific controls when building a SOC2 report from an auditing firm.
AWS SOC1, SOC2, and SOC3 Security Program
AWS issues SOC 1, SOC 2, and SOC3 Reports twice a year covering six month periods. AWS SOC reports are apply to a wide range AWS services. You can see the AWS services in the scope of AWS SOC reports at this link. AWS SOC Reports detail the following topics:
SOC1: A description of the AWS control environment and external audit of AWS defined controls and objectives
SOC 2: Security, Availability & Confidentiality: A description of the AWS controls environment and external audit of AWS controls that meet the AICPA Trust Services Security, Availability, and Confidentiality Principles and Criteria
SOC 2: Privacy: A description of the AWS controls environment and external audit of AWS controls that meet the AICPA Trust Services Privacy Principle and Criteria
SOC 3: Security, Availability & Confidentiality: Public facing report demonstrating AWS has met the AICPA Trust Services Security, Availability, and Confidentiality Principles and Criteria
AWS Available SOC Reports
When completing a security assessment, HIPAA risk assessment or similar, organizations may ask for a copy of the latest SOC reports from partners and vendors. AWS customers, inherit Amazon’s SOC reports when utilizing AWS services under the scope of SOC.
The following SOC reports are available from Amazon Web Services:
AWS SOC 1 Report, available to AWS customers from AWS Artifact.
AWS SOC 2 Security, Availability & Confidentiality Report, available to AWS customers from AWS Artifact.
AWS SOC 2 Security, Availability & Confidentiality Report available to AWS customers from AWS Artifact(scope includes Amazon DocumentDB only).
AWS SOC 2 Privacy Type I Report, available to AWS customers from AWS Artifact.
AWS SOC 3 Security, Availability & Confidentiality Report, publicly available as a whitepaper.
SOC Reports and HIPAA
SOC reports are helpful for . Healthcare organizations are typically looking for vendors to provide the latest SOC reports for their infrastructure/cloud provider. AWS makes it easy to share this information with the correct team members.
AWS also provides a HIPAA security program and a business associates agreement (BAA) that covers a set of HIPAA-eligible AWS services. HIPAA compliance in AWS follows a shared responsibility model and it is the client’s responsibility to ensure that they are managing their AWS infrastructure in a HIPAA compliant manner. SOC reports are one tool to go along with client security controls in building an organization’s security program. See how Dash helps automate HIPAA compliance in AWS.