Ensure that the AWS services used within your account are PROTECTED-compliant in order to meet regulatory requirements when working with highly sensitive government workloads inside the AWS Asia Pacific (Sydney) region.

Amazon Web Services (AWS) has recently received PROTECTED certification from the Australian Cyber Security Centre (ACSC) for 42 cloud services. The PROTECTED certification represents the highest data security attestation available in Australia for cloud service providers (CSPs) on the Certified Cloud Services List (CCSL). With this new certification, public sector agencies and organizations can easily store, process and transmit their most highly sensitive workloads within the Sydney region. The certified AWS services (currently 42 services) are all available in the Asia-Pacific Sydney region (i.e. ap-southeast-2) and cover cloud service categories such as compute, network, database, storage, security, application integration, analytics, management and governance. This means that cloud customers can take advantage of all the security benefits implemented by Amazon Web Services without paying a premium, as these services are available at current public prices, and without needing to modify their existing cloud applications or environments.

The PROTECTED certification awarded to AWS makes it easier for Australian government agencies and organizations to leverage cloud services and resources. For example, the Digital Transformation Agency is already using Amazon Web Services to deliver cloud.gov.au, a secure cloud-based platform for hosting web applications that helps government agencies in Australia build digital services more easily.

Amazon Web Services provides several resources to help you begin building PROTECTED-compliant applications in the cloud. The Australian Cyber Security Centre Consumer Guide and the AWS IRAP PROTECTED Reference Architecture are currently available to AWS customers through Amazon Artifact, a self-service portal for on-demand access to compliance reports and resources, to help you build compliant applications with AWS. To allow you to dive deep into the AWS security approach to PROTECTED, the IRAP Certification Report, ACSC Certification Report and ACSC Certification Letter are also available on Amazon Artifact.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.
As an Australian public sector agency and an AWS customer who makes use of cloud services and resources to store and process sensitive workloads (in this case government data), you can rely on Amazon Web Services infrastructure, as it is PROTECTED-compliant. However, because security and compliance is a shared responsibility between AWS and its customers, you should carefully consider the AWS services that you choose to build your application, as your responsibilities vary depending on the cloud services used, the integration of those services into your application environment, and Australian laws and regulations. For that reason, your organization can become compliant only by using PROTECTED-eligible cloud services and resources. To achieve and maintain PROTECTED compliance, ensure that only the following AWS services are used to store, process or transmit unclassified government data within the AWS Sydney region:
Rationale
PROTECTED is the highest data security certification available in Australia for cloud service providers (CSPs) and AWS provides the highest number of PROTECTED services (42 certified services in the Asia-Pacific Sydney region) of any public cloud provider available today. This offers public sector agencies the assurance that these services meet stringent Australian government security requirements. As Amazon Web Services is certified to manage protected Australian government data, you can find AWS on the Australian Cyber Security Centre (ACSC) Certified Cloud Services List (CCSL) as PROTECTED for cloud services such as Amazon Elastic Compute Cloud (EC2), Amazon Simple Storage Service (S3), AWS Lambda, AWS Key Management Service (KMS) and Amazon GuardDuty. AWS provides the necessary security controls to satisfy the PROTECTED security requirements, so that you can use compliant cloud services to build applications that work with Australian government unclassified information. Because not all AWS cloud services and resources are PROTECTED-eligible, using cloud components that fail to comply with the PROTECTED regulations can raise concerns about the security and privacy of the government data used and expose your organization to legal action.
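The audit described above (only certified services, only in ap-southeast-2) can be run over an inventory of resource ARNs. The following is an added example, not Cloud Conformity's rule implementation: the allowlist holds only the five services this page names, and the ARNs, account ID and the `exampleservice` prefix are constructed.

```python
from collections import namedtuple

# Assumption: only the five services this page names as PROTECTED, keyed by
# ARN service prefix. Replace with the full certified list from the ACSC
# documents before relying on the result.
PROTECTED_SERVICES = {"ec2", "s3", "lambda", "kms", "guardduty"}
REQUIRED_REGION = "ap-southeast-2"

Finding = namedtuple("Finding", "arn reason")

def parse_arn(arn):
    """Split arn:partition:service:region:account:resource.
    The resource part may itself contain ':' so split at most five times."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return {"service": parts[2], "region": parts[3], "resource": parts[5]}

def audit(arns):
    """Return one Finding per ARN that cannot be shown to be in scope."""
    findings = []
    for arn in arns:
        try:
            fields = parse_arn(arn)
        except ValueError:
            findings.append(Finding(arn, "unparseable"))
            continue
        if fields["service"] not in PROTECTED_SERVICES:
            findings.append(Finding(arn, "service-not-on-allowlist"))
        elif fields["region"] == "":
            # Some ARNs (e.g. S3 buckets) carry no region, so the location
            # has to be confirmed separately rather than assumed.
            findings.append(Finding(arn, "region-not-in-arn"))
        elif fields["region"] != REQUIRED_REGION:
            findings.append(Finding(arn, "outside-required-region"))
    return findings

# Constructed inventory for illustration (not real resources).
SAMPLE_ARNS = [
    "arn:aws:ec2:ap-southeast-2:111122223333:instance/i-0abc1234567890def",
    "arn:aws:lambda:ap-southeast-2:111122223333:function:intake:1",
    "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "arn:aws:s3:::agency-records",
    "arn:aws:exampleservice:ap-southeast-2:111122223333:thing/scratch",
    "not-an-arn",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ARNS):
        print(f"{finding.reason:28} {finding.arn}")
```

Resources flagged `region-not-in-arn` are not violations by themselves; they need a follow-up location check.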
You are auditing:
Check for PROTECTED Compliance
Risk level: High