AWS
by Amazon Web Services, Inc.
Comprehensive cloud platform with integrated security services for identity, network, data, and workload protection
Overview
Security configuration baseline for AWS accounts. Covers IAM, storage, logging, monitoring, networking. 40+ automated checks available via AWS Security Hub.
Defines IaaS: "The consumer is able to deploy and run arbitrary software... has control over operating systems, storage, and deployed applications." AWS operates under the shared responsibility model where AWS secures the infrastructure and customers secure their workloads.
§5.3.6: "Keys should have a limited cryptoperiod to limit the amount of data protected by a single key." §8.1.5: "Key establishment provides cryptographic keys to entities that will use them for cryptographic operations." AWS KMS implements these requirements with automatic key rotation and secure key generation.
NIST SP 800-144 Executive Summary: "Carefully plan the security and privacy aspects of cloud computing solutions before engaging them." §3.2: "Assurances furnished by the cloud provider to support security or privacy claims should be verified whenever possible through independent assessment." §4.7: "Organizations should employ appropriate safeguards to protect data in transit and at rest." §4.5: "Identity and access management requires establishing trust in user identities and controlling access to resources based on the authenticated identity." §4.2: "Cloud computing has significant implications for the security of organizational data, regardless of which service model is used."
NIST SP 800-125B §3.1: "Virtual networks must provide traffic isolation equivalent to physically separate networks." §4.1: "Segmentation should be based on the sensitivity of data handled and the trust level of workloads." §4.3: "Deny-by-default policies should be implemented where traffic is blocked unless explicitly allowed." AWS VPC security groups and NACLs implement these virtual network segmentation requirements.
Official AWS security best practices framework. Design principles for identity, detection, infrastructure protection, data protection, and incident response.
US government cloud security guidance applicable to AWS deployments. Covers shared responsibility, identity federation, and logging requirements.
CCM IVS (Infrastructure & Virtualization Security): "Network environments and virtual instances shall be designed and configured to restrict and monitor traffic between trusted and untrusted connections." CCM IAM (Identity & Access Management): "User access shall be authorized through a formal access request process." CCM LOG (Logging & Monitoring): "Logging and monitoring shall be enabled within an organization." AWS services map to 17 CCM domains covering cloud security best practices. Source: CSA Cloud Controls Matrix v4.0.
SOC 2 CC6.6: "The entity implements logical access security measures to protect against threats from sources outside its system boundaries." CC6.7: "The entity restricts the transmission, movement, and removal of information to authorized internal and external users." CC7.1: "To meet its objectives, the entity uses detection and monitoring procedures." AWS implements infrastructure controls aligned with SOC 2 Common Criteria requirements. Source: AICPA TSC-NIST Mapping.
ISO 27001:2022 A.5.23: "Information security requirements for cloud services shall be established." A.8.22: "Networks shall be segregated from each other based on types of information services." A.8.15: "Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analyzed." AWS security features support ISO 27001 cloud security requirements. Source: NIST OLIR Informative Reference Catalog.
Security Topics
Detailed guidance organized by security domain. Each topic includes authoritative sources, configuration responsibilities, and verification commands.
Root Security
FedRAMP RSC guidance for securing AWS root account operations, recovery settings, and organizational controls
Privileged Accounts
FedRAMP RSC guidance for managing privileged access, role-based controls, and administrative account lifecycle
Top-Level Admin
FedRAMP RSC guidance for top-level administrative account security, MFA enforcement, and audit logging
Amazon EC2
FedRAMP RSC secure configuration for EC2 instances including OS hardening, encryption, and network controls
Amazon RDS
FedRAMP RSC secure configuration for RDS databases including encryption, access management, and audit logging
Aurora MySQL
FedRAMP RSC secure configuration for Aurora MySQL including encryption, parameter groups, and monitoring
Aurora PostgreSQL
FedRAMP RSC secure configuration for Aurora PostgreSQL including SSL enforcement, logging, and access controls
DocumentDB
FedRAMP RSC secure configuration for DocumentDB including TLS enforcement, encryption, and audit logging
Neptune
FedRAMP RSC secure configuration for Neptune graph database including encryption, IAM auth, and network isolation
Verification Commands
Commands and queries for testing and verifying security configurations.
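The credential report that the `aws iam get-credential-report ... | base64 -d` command in this section decodes is a CSV with one row per IAM principal. The script below is an added example, not part of this page or an AWS tool: it parses that CSV with POSIX awk and flags console users without MFA, active access keys last rotated before a cutoff date, and any active root access key. The report rows, the account id and the cutoff are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the page): turn an IAM credential report into findings.
# Input: the CSV printed by `aws iam get-credential-report --query Content --output text | base64 -d`.
# Columns are located by header name, so a column-order change does not break the checks.

# Usage: credential_report_findings CUTOFF_ISO8601 < report.csv
# Prints one finding per line: "<CHECK> <user> [detail]".
credential_report_findings() {
  awk -F',' -v cutoff="$1" '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }   # header name -> column index
    {
      user = $(col["user"])
      # Console users (password_enabled=true) and the root account must have MFA.
      if (($(col["password_enabled"]) == "true" || user == "<root_account>") && $(col["mfa_active"]) != "true")
        print "NO_MFA " user
      # Active access keys last rotated before the cutoff are stale
      # (ISO-8601 timestamps in the same format compare correctly as plain strings).
      for (k = 1; k <= 2; k++) {
        if ($(col["access_key_" k "_active"]) == "true" && $(col["access_key_" k "_last_rotated"]) < cutoff)
          print "STALE_KEY " user " access_key_" k
      }
      # The root account should have no active access keys at all.
      if (user == "<root_account>" && ($(col["access_key_1_active"]) == "true" || $(col["access_key_2_active"]) == "true"))
        print "ROOT_ACCESS_KEY " user
    }'
}

# Constructed sample report: the header layout AWS emits, made-up account id and users.
SAMPLE_REPORT='user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2023-01-10T10:00:00+00:00,not_supported,2024-05-01T08:00:00+00:00,not_supported,not_supported,true,true,2024-04-01T10:00:00+00:00,2024-05-01T08:00:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2023-02-01T10:00:00+00:00,true,2024-05-02T08:00:00+00:00,2023-02-01T10:00:00+00:00,2024-01-01T10:00:00+00:00,true,true,2024-04-01T10:00:00+00:00,2024-05-02T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111111111111:user/bob,2023-03-01T10:00:00+00:00,true,2024-05-02T08:00:00+00:00,2023-03-01T10:00:00+00:00,2024-01-01T10:00:00+00:00,false,true,2023-01-15T10:00:00+00:00,2023-06-01T08:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
svc-deploy,arn:aws:iam::111111111111:user/svc-deploy,2023-04-01T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-04-20T10:00:00+00:00,2024-05-02T08:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A'

# Runs the checks over the constructed sample; the argument is the rotation cutoff
# (in practice, the timestamp 90 days before now, from `date -u`).
sample_findings() {
  printf '%s\n' "$SAMPLE_REPORT" | credential_report_findings "$1"
}

sample_findings 2024-02-01T00:00:00+00:00
```

Against a real account, replace `sample_findings` with `aws iam get-credential-report --query Content --output text | base64 -d | credential_report_findings CUTOFF`.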
# IAM users and their creation dates
aws iam list-users --query "Users[*].{UserName:UserName,CreateDate:CreateDate}"
# Generate and decode the credential report (CSV: password, MFA and access-key status per principal)
aws iam generate-credential-report && sleep 5 && aws iam get-credential-report --output text --query Content | base64 -d
# Is MFA enabled on the root account? (1 = yes)
aws iam get-account-summary --query "SummaryMap.AccountMFAEnabled"
# Public access block per bucket (text output is tab-separated, so split it into lines before xargs)
aws s3api list-buckets --query "Buckets[].Name" --output text | tr '\t' '\n' | xargs -I {} sh -c 'aws s3api get-public-access-block --bucket {} 2>/dev/null || echo "Check failed: {}"'
# CloudTrail trails; describe-trails has no IsLogging field, so that column is null here and
# the logging state must come from: aws cloudtrail get-trail-status --name TRAIL-NAME
aws cloudtrail describe-trails --query "trailList[*].{Name:Name,IsMultiRegion:IsMultiRegionTrail,IsLogging:IsLogging}"
# Security groups with a rule open to 0.0.0.0/0
aws ec2 describe-security-groups --filters "Name=ip-permission.cidr,Values=0.0.0.0/0" --query "SecurityGroups[*].{ID:GroupId,Name:GroupName}"
# Failed Security Hub findings
aws securityhub get-findings --filters '{"ComplianceStatus":[{"Value":"FAILED","Comparison":"EQUALS"}]}' --max-items 10
# Default encryption configuration of one bucket
aws s3api get-bucket-encryption --bucket BUCKET-NAME
# Account-level public access block
aws s3control get-public-access-block --account-id $(aws sts get-caller-identity --query Account --output text)
# Compliance status of the CIS conformance pack
aws configservice describe-conformance-pack-compliance --conformance-pack-name AWS-CIS-Benchmark-v5.0
# Unencrypted EBS volumes
aws ec2 describe-volumes --filters "Name=encrypted,Values=false" --query "Volumes[*].{ID:VolumeId,Size:Size}"
# Console users without an MFA device (split tab-separated names into lines before xargs)
aws iam list-users --query "Users[?PasswordLastUsed!=null].UserName" --output text | tr '\t' '\n' | xargs -I {} sh -c 'aws iam list-mfa-devices --user-name {} --query "MFADevices" --output text | grep -q . || echo "No MFA: {}"'
# GuardDuty detector status and finding frequency
aws guardduty list-detectors --query "DetectorIds" --output text | tr '\t' '\n' | xargs -I {} aws guardduty get-detector --detector-id {} --query "{Status:Status,FindingPublishingFrequency:FindingPublishingFrequency}"
Related Controls
Security controls from various frameworks that relate to AWS.