ACSC certifies Amazon Web Services to host protected data

MEDIA RELEASE – 24 January 2019

The Australian Cyber Security Centre (ACSC) has certified Amazon Web Services (AWS) for hosting Australian Government data classified up to the PROTECTED classification level, providing assurance to Australian Government agencies that AWS complies with Australian Government security requirements.

‘Amazon Web Services joins other providers on the Certified Cloud Services List (CCSL) that meet stringent Australian Government security requirements for hosting PROTECTED data,’ said Alastair MacGibbon, Head of the ACSC.

‘The certification decision covers workloads in the AWS Asia Pacific (Sydney) Region.’

The ACSC Certification Report details the residual risks, non-compliance with the Information Security Manual (ISM) mitigations, and guidance for Australian organisations considering using the company’s services. A copy of the report can be requested from AWS.

The CCSL certification process is based on principles and policies defined in Australia’s Protective Security Policy Framework (PSPF) and ISM.

The ACSC recommends that organisations considering third-party solutions built on ACSC certified cloud services perform their own independent security assessment, certification and accreditation activities to determine if the solution or service meets their business and security needs.

‘It’s important to remember that third-party solutions built on ACSC Certified Cloud Services do not automatically inherit ACSC certification, and must be listed separately on the CCSL,’ Mr MacGibbon added.

‘The ACSC does not assess third-party solutions and therefore cannot confirm if their security meets Australian Government standards.’

Cloud technology is in huge demand, and in line with that, the ACSC is reviewing its programs to continue lifting cyber security standards across the whole of the Australian economy. It’s another way we are making Australia the safest place to live, work and play online.

The ACSC certification includes the following AWS services, 42 at PROTECTED and 4 at Unclassified DLM:

Amazon EMR (PROTECTED)

Amazon Inspector (PROTECTED)

Amazon API Gateway (PROTECTED)

Amazon Kinesis Data Streams (PROTECTED)

AWS Key Management Service (PROTECTED)

AWS Step Functions (PROTECTED)

Amazon Kinesis Data Firehose (PROTECTED)

AWS CloudHSM (PROTECTED)

Amazon Simple Notification Service (SNS) (PROTECTED)

Amazon WorkSpaces (PROTECTED)

AWS WAF Regional (PROTECTED)

Amazon Simple Queue Service (SQS) (PROTECTED)

Amazon WorkDocs (PROTECTED)

AWS WAF (PROTECTED)

Amazon Simple Workflow Service (SWF) (PROTECTED)

Amazon Simple Storage Service (S3) (PROTECTED)

AWS Shield (Unclassified DLM)

Amazon VPC (PROTECTED)

Amazon S3 Transfer Acceleration (PROTECTED)

Amazon GuardDuty (PROTECTED)

AWS Direct Connect (PROTECTED)

Amazon Elastic Block Store (EBS) (PROTECTED)

AWS Organizations (Unclassified DLM)

Amazon CloudFront (PROTECTED)

Amazon S3 Glacier (PROTECTED)

Amazon CloudWatch (PROTECTED)

Amazon Route 53 (Unclassified DLM)

Amazon DynamoDB (PROTECTED)

CloudWatch Logs (PROTECTED)

Amazon EC2 (PROTECTED)

Amazon Redshift (PROTECTED)

AWS CloudFormation (PROTECTED)

Amazon Elastic Container Service (PROTECTED)

Amazon RDS (PROTECTED)

AWS CloudTrail (PROTECTED)

Elastic Load Balancing (PROTECTED)

Amazon ElastiCache (PROTECTED)

AWS Config (PROTECTED)

AWS Lambda (PROTECTED)

AWS Identity and Access Management (IAM) (PROTECTED)

AWS Systems Manager (PROTECTED)

Lambda
