We’re celebrating the addition of 31 new services in scope with our latest SOC report, pushing AWS past the century mark for the first time – with 104 total services in scope, to be exact! These services are now available under our System and Organizational Controls (SOC) 1, 2, and 3 audits, including the 31 new services added during this most recent audit cycle. These SOC reports are now available to you on demand in the AWS Management Console. The SOC 3 report can also be downloaded online as a PDF.
The SOC 2 report has been updated to align with the new Association of International Certified Professional Accountants (AICPA) Trust Service Criteria. The new Trust Service Criteria align with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 framework and are designed to provide flexibility that better addresses cybersecurity risks. The new Trust Service Criteria provide customers with more information on how AWS mitigates cybersecurity risks. Updates related to the new Trust Service Criteria are as follows:
- Restructuring and realignment of the Trust Service Criteria with the COSO 2013 Framework.
- Restructuring and addition of supplemental criteria to better address cybersecurity risks.
- Inclusion of the 17 COSO principles within the SOC 2 common criteria.
- Additional points of focus added to all criteria, such as requirements to add additional description around service commitments and system requirements.
Here are the 31 services newly added to our SOC scope:
- AWS Amplify Console (amplify)
- Amazon WorkLink (worklink)
- AWS RoboMaker (robomaker)
- Amazon CloudWatch (cloudwatch)
- Amazon CloudWatch Events (events)
- AWS CodeDeploy (codedeploy)
- Amazon Comprehend (comprehend)
- AWS Backup (backup)
- Amazon Elastic Container Service for Kubernetes (eks)
- Amazon Elasticsearch Service (es)
- AWS Transfer for SFTP (transfer)
- Amazon FreeRTOS (signer)
- Amazon FSx (fsx)
- AWS Glue (glue)
- AWS IoT Greengrass (greengrass)
- Amazon GuardDuty (guardduty)
- Amazon Kinesis Data Analytics (kinesisanalytics)
- Amazon Kinesis Data Firehose (firehose)
- Amazon Macie (macie)
- AWS Elemental MediaConnect (mediaconnect)
- Amazon Neptune (neptune-db)
- AWS OpsWorks (for Chef Automate and Puppet Enterprise) (opsworks-cm)
- AWS Organizations (organizations)
- AWS Resource Groups (resource-groups)
- AWS Secrets Manager (secretsmanager)
- AWS Server Migration Service (SMS) (sms)
- AWS Serverless Application Repository (serverlessrepo)
- AWS DataSync (datasync)
- Amazon Translate (translate)
- AWS Global Accelerator (globalaccelerator)
- AWS Security Hub (securityhub)
As always, my team strives to bring services into the scope of our compliance programs based on your architectural and regulatory needs. Please reach out to your AWS representatives to let us know what additional services you would like to see in scope across any of our compliance programs.
from AWS Security Blog