Check for PROTECTED Compliance

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (act today)
Rule ID: MISC-001

Ensure that AWS services used within your account are PROTECTED-compliant in order to meet regulatory requirements when it comes to working with highly sensitive government workloads inside AWS Asia Pacific (Sydney) region.

Amazon Web Services (AWS) has achieved PROTECTED certification from the Australian Cyber Security Centre (ACSC) for 42 cloud services. The PROTECTED certification represents the highest data security attestation available in Australia for cloud service providers (CSPs) on the Certified Cloud Services List (CCSL). With this certification, public sector agencies and organizations can store, process and transmit their most highly sensitive workloads within the Sydney region. The certified AWS services (currently 42) are all available in the Asia-Pacific Sydney region (ap-southeast-2) and cover cloud service categories such as compute, network, database, storage, security, application integration, analytics, management and governance. This means that cloud customers can take advantage of all the security benefits implemented by AWS without paying a premium, as these services are available at current public prices, and without needing to modify their existing cloud applications or environments.

The PROTECTED certification awarded to AWS makes it easier for Australian government agencies and organizations to leverage cloud services and resources. For example, the Digital Transformation Agency is already using AWS to deliver cloud.gov.au, a secure cloud-based platform for hosting web applications that helps Australian government agencies build digital services more easily.

AWS provides several resources to help you begin building PROTECTED-compliant applications in the cloud. The Australian Cyber Security Centre Consumer Guide and the AWS IRAP PROTECTED Reference Architecture are available to AWS customers through Amazon Artifact, a self-service portal for on-demand access to compliance reports and resources. To let you dive deeper into the AWS security approach to PROTECTED, the IRAP Certification Report, ACSC Certification Report and ACSC Certification Letter are also available on Amazon Artifact.

As an Australian public sector agency and an AWS customer that uses cloud services and resources to store and process sensitive workloads (in this case government data), you can rely on the AWS infrastructure itself, as it is PROTECTED-compliant. However, because security and compliance is a shared responsibility between AWS and its customers, you should carefully consider the AWS services you choose to build your application with: your responsibilities vary depending on the cloud services used, how those services are integrated into your application environment, and Australian laws and regulations. Your organization can therefore become compliant by using only PROTECTED-eligible cloud services and resources. To achieve and maintain PROTECTED compliance, ensure that only the following AWS services are used to store, process or transmit unclassified government data within the AWS Sydney region:

  • Amazon API Gateway
  • Amazon AppFlow
  • Amazon AppStream 2.0
  • Amazon Athena
  • Amazon Augmented AI (excluding Public Workforce and Vendor Workforce)
  • Amazon Aurora
  • Amazon Chime
  • Amazon Cloud Directory
  • Amazon CloudFront
  • Amazon CloudWatch
  • Amazon CloudWatch Events
  • Amazon CloudWatch Logs
  • Amazon Cognito
  • Amazon Comprehend
  • Amazon Comprehend Medical
  • Amazon Connect (excluding Wisdom, VoiceID, and High Volume Outbound Communications)
  • Amazon Detective
  • Amazon DynamoDB
  • Amazon DocumentDB (with MongoDB compatibility)
  • Amazon EC2 Auto Scaling
  • Amazon Elastic Block Store (EBS)
  • Amazon Elastic Compute Cloud (EC2)
  • Amazon Elastic Container Registry (ECR)
  • Amazon Elastic Container Service (ECS)
  • Amazon Elastic File System (EFS)
  • Amazon Elastic Kubernetes Service (EKS)
  • Amazon Elastic MapReduce (EMR)
  • Amazon Elasticache
  • Amazon Forecast
  • Amazon Fraud Detector
  • Amazon FreeRTOS
  • Amazon FSx
  • Amazon GuardDuty
  • Amazon Inspector
  • Amazon Kendra
  • Amazon Keyspaces (for Apache Cassandra)
  • Amazon Kinesis Data Analytics
  • Amazon Kinesis Data Firehose
  • Amazon Kinesis Data Streams
  • Amazon Lex
  • Amazon Macie
  • Amazon Managed Streaming for Apache Kafka (MSK)
  • Amazon MQ
  • Amazon Neptune
  • Amazon OpenSearch Service
  • Amazon Personalize
  • Amazon Pinpoint
  • Amazon Polly
  • Amazon Quantum Ledger Database (QLDB)
  • Amazon QuickSight
  • Amazon Redshift
  • Amazon Rekognition
  • Amazon Relational Database Service (RDS)
  • Amazon Route 53
  • Amazon S3 Glacier
  • Amazon SageMaker (excluding Studio Lab, Public Workforce, and Vendor Workforce)
  • Amazon Simple Email Service (SES)
  • Amazon Simple Notification Service (SNS)
  • Amazon Simple Queue Service (SQS)
  • Amazon Simple Storage Service (S3)
  • Amazon Simple Workflow Service
  • Amazon Textract
  • Amazon Transcribe
  • Amazon Translate
  • Amazon Virtual Private Cloud
  • Amazon WorkDocs
  • Amazon WorkSpaces
  • AWS Amplify
  • AWS AppSync
  • AWS App Mesh
  • AWS Audit Manager
  • AWS Backup
  • AWS Batch
  • AWS Certificate Manager
  • AWS Chatbot
  • AWS Cloud9
  • AWS CloudFormation
  • AWS CloudHSM
  • AWS CloudTrail
  • AWS Cloud Map
  • AWS CodeBuild
  • AWS CodeCommit
  • AWS CodeDeploy
  • AWS CodePipeline
  • AWS Config
  • AWS Control Tower
  • AWS Database Migration Service (DMS)
  • AWS DataSync
  • AWS Data Exchange
  • AWS Direct Connect
  • AWS Directory Service
  • AWS Elastic Beanstalk
  • AWS Elemental MediaConvert
  • AWS Firewall Manager
  • AWS Glue
  • AWS Glue DataBrew
  • AWS Ground Station
  • AWS Identity and Access Management (IAM)
  • AWS IoT Core
  • AWS IoT Device Management
  • AWS IoT Greengrass
  • AWS IoT SiteWise
  • AWS Key Management Service (KMS)
  • AWS Lambda
  • AWS License Manager
  • AWS Managed Services
  • AWS Network Firewall
  • AWS OpsWorks for Chef Automate
  • AWS OpsWorks for Puppet Enterprise
  • AWS Organizations
  • AWS Outposts
  • AWS Personal Health Dashboard
  • AWS Resource Access Manager
  • AWS Resource Groups
  • AWS RoboMaker
  • AWS Secrets Manager
  • AWS Security Hub
  • AWS Server Migration Service (SMS)
  • AWS Serverless Application Repository
  • AWS Service Catalog
  • AWS Shield
  • AWS Single Sign-On (SSO)
  • AWS Snowball Edge
  • AWS Step Functions
  • AWS Storage Gateway
  • AWS Systems Manager
  • AWS Transfer Family
  • AWS Trusted Advisor
  • AWS Web Application Firewall (WAF)
  • AWS X-Ray
  • EC2 Image Builder
  • Elastic Load Balancing (ELB)
  • VM Import/Export

Review the updated list of PROTECTED-eligible AWS services, listed in the IRAP PROTECTED column, before you design, create, modify or upgrade your AWS cloud-based application in the ap-southeast-2 (Sydney) region.

An example of a service that is not PROTECTED-compliant is Amazon OpenSearch, a fully managed service that makes it easy to deploy, secure and operate OpenSearch clusters at scale with zero downtime. Because Amazon OpenSearch is not yet PROTECTED-compliant, your cloud application will fail to achieve regulatory compliance for as long as it is storing, processing or transmitting Australian government data using OpenSearch resources and features. It is therefore strongly recommended to terminate any non-compliant AWS resource in order to meet the PROTECTED compliance requirements within your AWS account. To help you and your organization maintain PROTECTED compliance, Cloud Conformity monitors your AWS account in real time and sends notification alerts as soon as an AWS resource is created outside the PROTECTED security requirements.
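As an added example (not Conformity's own check and not code from this page), the following Python scans CloudTrail records for resource-creating calls in ap-southeast-2 against services outside the PROTECTED allow-list. The eventSource-to-service mapping covers only a handful of the services listed above and is my assumption about how they appear in CloudTrail; the trail records are constructed.

```python
import json
REGION = "ap-southeast-2"  # this rule is scoped to the Sydney region
# Allow-list keyed by CloudTrail eventSource, covering a few of the services
# listed on this page; the eventSource spellings are assumed, not from the page.
PROTECTED_EVENT_SOURCES = {
    "ec2.amazonaws.com": "Amazon Elastic Compute Cloud (EC2)",
    "s3.amazonaws.com": "Amazon Simple Storage Service (S3)",
    "lambda.amazonaws.com": "AWS Lambda",
    "kms.amazonaws.com": "AWS Key Management Service (KMS)",
    "guardduty.amazonaws.com": "Amazon GuardDuty",
}
READ_ONLY_PREFIXES = ("Describe", "Get", "List")  # these calls create nothing

def find_noncompliant(records):
    """Return (eventSource, eventName, caller ARN) for each mutating call in
    the Sydney region whose service is not on the PROTECTED allow-list."""
    findings = []
    for rec in records:
        if rec.get("awsRegion") != REGION:
            continue
        name = rec.get("eventName", "")
        if name.startswith(READ_ONLY_PREFIXES):
            continue
        src = rec.get("eventSource", "")
        if src not in PROTECTED_EVENT_SOURCES:
            who = rec.get("userIdentity", {}).get("arn", "unknown")
            findings.append((src, name, who))
    return findings

def audit(trail_json):
    """Parse a CloudTrail log file body ({"Records": [...]}) and audit it."""
    return find_noncompliant(json.loads(trail_json)["Records"])

def _rec(region, source, event, user):
    return {"awsRegion": region, "eventSource": source, "eventName": event,
            "userIdentity": {"arn": f"arn:aws:iam::123456789012:user/{user}"}}

# Constructed records: a compliant EC2 launch, an OpenSearch domain created in
# Sydney (the page's example of a non-compliant service), the same call outside
# Sydney, and a read-only OpenSearch call. Only the second should be flagged.
SAMPLE_TRAIL = json.dumps({"Records": [
    _rec("ap-southeast-2", "ec2.amazonaws.com", "RunInstances", "alice"),
    _rec("ap-southeast-2", "es.amazonaws.com", "CreateDomain", "bob"),
    _rec("us-east-1", "es.amazonaws.com", "CreateDomain", "bob"),
    _rec("ap-southeast-2", "es.amazonaws.com", "DescribeDomain", "carol"),
]})
if __name__ == "__main__":
    for src, event, who in audit(SAMPLE_TRAIL):
        print(f"NON-COMPLIANT: {who} called {event} on {src} in {REGION}")
```

In a real deployment the same logic would run over the trail files CloudTrail delivers to S3, with the allow-list extended to every service on the page.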

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

PROTECTED is the highest data security certification available in Australia for cloud service providers (CSPs), and AWS provides the highest number of PROTECTED services (42 certified services in the Asia-Pacific Sydney region) of any public cloud provider available today. This gives public sector agencies the assurance that these services meet stringent Australian government security requirements. Because AWS is certified to manage protected Australian government data, you can find AWS on the Australian Cyber Security Centre (ACSC) Certified Cloud Services List (CCSL) as PROTECTED for cloud services such as Amazon Elastic Compute Cloud (EC2), Amazon Simple Storage Service (S3), AWS Lambda, AWS Key Management Service (KMS) and Amazon GuardDuty. AWS provides the security controls needed to satisfy the PROTECTED requirements, so that you can use compliant cloud services to build applications that work with Australian government unclassified information. Because not all AWS cloud services and resources are PROTECTED-eligible, using cloud components that fail to comply with the PROTECTED regulations can raise concerns about the security and privacy of the government data involved and expose your organization to legal action.

Publication date Feb 4, 2019