
Compliance validation for Amazon Secrets Manager

Your compliance responsibility when using Secrets Manager is determined by the sensitivity of your data, your company's compliance objectives, and applicable laws and regulations. Amazon provides the following resources to help with compliance:

Compliance standards

Amazon Secrets Manager has undergone auditing for the following standards and can be part of your solution when you need to obtain compliance certification.

  • HIPAA – Amazon has expanded its Health Insurance Portability and Accountability Act (HIPAA) compliance program to include Amazon Secrets Manager as a HIPAA-eligible service. If you have an executed Business Associate Agreement (BAA) with Amazon, you can use Secrets Manager to help build your HIPAA-compliant applications. Amazon offers a HIPAA-focused whitepaper for customers who are interested in learning more about how they can leverage Amazon for the processing and storage of health information. For more information, see HIPAA Compliance.

  • PCI Participating Organization – Amazon Secrets Manager has an Attestation of Compliance for Payment Card Industry (PCI) Data Security Standard (DSS) version 3.2 at Service Provider Level 1. Customers who use Amazon products and services to store, process, or transmit cardholder data can use Amazon Secrets Manager as they manage their own PCI DSS compliance certification. For more information about PCI DSS, including how to request a copy of the Amazon PCI Compliance Package, see PCI DSS Level 1.

  • ISO – Amazon Secrets Manager has successfully completed compliance certification for ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and ISO 9001. For more information, see ISO 27001, ISO 27017, ISO 27018, and ISO 9001.

  • AICPA SOC – System and Organization Control (SOC) reports are independent third-party examination reports that demonstrate how Secrets Manager achieves key compliance controls and objectives. The purpose of these reports is to help you and your auditors understand the Amazon controls that are established to support operations and compliance. For more information, see SOC Compliance.

  • FedRAMP – The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The FedRAMP program also grants provisional authorizations for services and Regions (East/West and GovCloud) to handle government or regulated data. For more information, see FedRAMP Compliance.

  • Department of Defense – The Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) provides a standardized assessment and authorization process for cloud service providers (CSPs) to gain a DoD provisional authorization, so that they can serve DoD customers. For more information, see DoD SRG Resources.

  • IRAP – The Information Security Registered Assessors Program (IRAP) enables Australian government customers to validate that appropriate controls are in place and to determine the appropriate responsibility model for addressing the requirements of the Australian government Information Security Manual (ISM) produced by the Australian Cyber Security Centre (ACSC). For more information, see IRAP Resources.

  • OSPAR – Amazon Web Services (Amazon) achieved the Outsourced Service Provider's Audit Report (OSPAR) attestation. Amazon's alignment with the Association of Banks in Singapore (ABS) Guidelines on Control Objectives and Procedures for Outsourced Service Providers (ABS Guidelines) demonstrates to customers Amazon's commitment to meeting the high expectations for cloud service providers set by the financial services industry in Singapore. For more information, see OSPAR Resources.