Compliance validation for Amazon Secrets Manager

Your compliance responsibility when using Secrets Manager is determined by the sensitivity of your data, your company's compliance objectives, and applicable laws and regulations. Amazon provides the following resources to help with compliance:

Security and Compliance Quick Start Guides Security and Compliance Quick Start Guides – These deployment guides discuss architectural considerations and provide steps for deploying security- and compliance-focused baseline environments on Amazon.
Architecting for HIPAA Security and Compliance Whitepaper – This whitepaper describes how companies can use Amazon to create HIPAA-compliant applications.
Amazon Compliance Resources – This collection of workbooks and guides might apply to your industry and location.
Amazon Config assesses how well your resource configurations comply with internal practices, industry guidelines, and regulations. For more information, see Monitor Amazon Secrets Manager secrets for compliance by using Amazon Config.
Amazon Security Hub provides a comprehensive view of your security state within Amazon that helps you check your compliance with security industry standards and best practices. For information about using Security Hub to evaluate Secrets Manager resources, see Amazon Secrets Manager controls in the Amazon Security Hub User Guide.
IAM Access Analyzer analyzes policies, including condition statements in a policy, that allow an external entity to access a secret. For more information, see Previewing access with Access Analyzer.
Amazon Systems Manager provides predefined runbooks for Secrets Manager. For more information, see Systems Manager Automation runbook reference for Secrets Manager.
You can download third-party audit reports using Amazon Artifact. For more information, see Downloading Reports in Amazon Artifact.

Compliance standards

Amazon Secrets Manager has undergone auditing for the following standards and can be part of your solution when you need to obtain compliance certification.

HIPAA – Amazon has expanded its Health Insurance Portability and Accountability Act (HIPAA) compliance program to include Amazon Secrets Manager as a HIPAA-eligible service. If you have an executed Business Associate Agreement (BAA) with Amazon, you can use Secrets Manager to help build your HIPAA-compliant applications. Amazon offers a HIPAA-focused whitepaper for customers who are interested in learning more about how they can leverage Amazon for the processing and storage of health information. For more information, see HIPAA Compliance.
PIC Participating Organization – Amazon Secrets Manager has an Attestation of Compliance for Payment Card Industry (PCI) Data Security Standard (DSS) version 3.2 at Service Provider Level 1. Customers who use Amazon products and services to store, process, or transmit cardholder data can use Amazon Secrets Manager as they manage their own PCI DSS compliance certification. For more information about PCI DSS, including how to request a copy of the Amazon PCI Compliance Package, see PCI DSS Level 1.
ISO – Amazon Secrets Manager has successfully completed compliance certification for ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and ISO 9001. For more information, see ISO 27001, ISO 27017, ISO 27018, ISO 9001.
AICPA SOC – System and Organization Control (SOC) reports are independent third-party examination reports that demonstrate how Secrets Manager achieves key compliance controls and objectives. The purpose of these reports is to help you and your auditors understand the Amazon controls that are established to support operations and compliance. For more information, see SOC Compliance.
FedRAMP – The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The FedRAMP Program also provides provisional authorizations for services and regions for East/West and GovCloud to consume government or regulated data. For more information, see FedRAMP Compliance.
Department of Defense – The Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) provides a standardized assessment and authorization process for cloud service providers (CSPs) to gain a DoD provisional authorization, so that they can serve DoD customers. For more information, see DoD SRG Resources
IRAP – The Information Security Registered Assessors Program (IRAP) enables Australian government customers to validate that appropriate controls are in place and determine the appropriate responsibility model for addressing the requirements of the Australian government Information Security Manual (ISM) produced by the Australian Cyber Security Centre (ACSC). For more information, see IRAP Resources
OSPAR – Amazon Web Services (Amazon) achieved the Outsourced Service Provider’s Audit Report (OSPAR) attestation. Amazon alignment with the Association of Banks in Singapore (ABS) Guidelines on Control Objectives and Procedures for Outsourced Service Providers (ABS Guidelines) demonstrates to customers Amazon commitment to meeting the high expectations for cloud service providers set by the financial services industry in Singapore. For more information, see OSPAR Resources

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Monitor Secrets Manager costs

Security in Secrets Manager