Logo of Trend Micro

Check for PROTECTED Compliance

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (act today)
Rule ID: MISC-001

Ensure that AWS services used within your account are PROTECTED-compliant in order to meet regulatory requirements when it comes to working with highly sensitive government workloads inside AWS Asia Pacific (Sydney) region. Amazon Web Services (AWS) has recently received PROTECTED certification from the Australian Cyber Security Centre (ACSC) for 42 cloud services. The PROTECTED certification represents the highest data security attestation available in Australia for cloud service providers (CSPs) on the Certified Cloud Services List (CCSL). With this new certification, public sector agencies and organizations can easily store, process and transmit their most highly sensitive workloads within Sydney region. The certified AWS services (currently 42 services) are all available in the Asia-Pacific Sydney region (i.e. ap-southeast-2) and cover cloud service categories such as compute, network, database, storage, security, application integration, analytics, management and governance. This means that cloud customers can take advantage of all the security benefits implemented by Amazon Web Services without having to pay premium, as these services are available at current public prices, or needing to modify their existing cloud applications or environments. The PROTECTED certification awarded to AWS makes it easier for Australian government agencies and organizations to leverage cloud services and resources. For example, Digital Transformation Agency is already using Amazon Web Services to deliver cloud.gov.au, a secure cloud-based platform for hosting web applications that helps government-based agencies in Australia to build digital services easier. Amazon Web Services provides several resources to help you begin building PROTECTED-compliant application in cloud. The Australian Cyber Security Centre Consumer Guide and AWS IRAP PROTECTED Reference Architecture are currently available to AWS customers by using Amazon Artifact, a self-service portal for on-demand access to compliance reports and resources, to help you build compliant applications with AWS. To allow you to dive deep into the AWS security approach to PROTECTED, the IRAP Certification Report, ACSC Certification Report and ACSC Certification Letter reports are also available for access on Amazon Artifact.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

As an Australian public sector agency and an AWS customer who makes use of cloud services and resources to store and process sensitive workloads (in this case government data), you can rely on Amazon Web Services infrastructure as this is PROTECTED-compliant. However, because security and compliance is a shared responsibility between AWS and its customers, you should carefully consider the AWS services that you choose to build your application, as your responsibilities vary depending on the cloud services used, the integration of those services into your application environment, and Australian laws and regulations. For that reason, your organization can become compliant using only PROTECTED-eligible cloud services and resources. To achieve and maintain PROTECTED compliance, ensure that only the following AWS services are used to store, process or transmit unclassified government data within AWS Sydney region:

Government Data within AWS Sydney

Amazon API Gateway

Amazon CloudFront

Amazon CloudWatch

Amazon CloudWatch Logs

Amazon Cognito

Amazon DynamoDB

Amazon EC2 Container Service (ECS)

Amazon Elastic Block Store (EBS)

Amazon Elastic Compute Cloud (EC2)

Amazon Elastic MapReduce (EMR)

Amazon Elasticache

Amazon Glacier

Amazon GuardDuty

Amazon Inspector

Amazon Kinesis Data Firehose

Amazon Kinesis Data Streams

Amazon Redshift

Amazon Relational Database Service (RDS)

Amazon S3 Transfer Acceleration

Amazon Simple Notification Service (SNS)

Amazon Simple Queue Service (SQS)

Amazon Simple Storage Service (S3)

Amazon Simple Workflow Service

Amazon Virtual Private Cloud (VPC)

Amazon WorkDocs

Amazon WorkSpaces

AWS Auto Scaling

AWS CloudFormation

AWS CloudHSM

AWS CloudTrail

AWS Config

AWS Direct Connect

AWS Directory Service

AWS Elastic Load Balancing (ELB)

AWS Identity and Access Management (IAM)

AWS Key Management Service (KMS)

AWS Lambda

AWS Lambda@Edge

AWS Step Functions

AWS Systems Manager (SSM)

AWS Web Application Firewall (WAF)

AWS Web Application Firewall (WAF) Regional

Review the updated list of PROTECTED-eligible AWS services before you design, create, modify or upgrade your AWS cloud-based application in ap-southeast-2 (Sydney) region.

An example of non-compliant PROTECTED service is Amazon ElasticSearch, a fully managed service that makes it easy to deploy, secure and operate ElasticSearch clusters at scale with zero downtime. Because Amazon ElasticSearch is not yet PROTECTED-compliant, your cloud application will fail to achieve regulatory compliance as long as is storing, processing or transmitting Australian government data using ElasticSearch service resources and features. That being said, it is strongly recommended to terminate any non-compliant AWS resource in order to meet PROTECTED compliance requirements within your AWS account. To help you and your organization maintain PROTECTED compliance, Cloud Conformity monitors your Amazon Web Services account in real time and sends notification alerts as soon as an AWS resource is created outside the PROTECTED security requirements.

Rationale

PROTECTED is the highest data security certification available in Australia for cloud service providers (CSPs) and AWS provides the highest number of PROTECTED services (42 certified services in Asia-Pacific Sydney region) of any public cloud provider available today. This offers public sector agencies the assurance that these services meet stringent Australian government security requirements. As Amazon Web Services is certified to manage protected Australian government data, you can find AWS on the Australian Cyber Security Centre (ACSC) Certified Cloud Services List (CCSL) as PROTECTED for cloud services such as Amazon Elastic Compute Cloud (EC2), Amazon Simple Storage Service (S3), AWS Lambda, AWS Key Management Service (KMS) and Amazon GuardDuty. AWS provides the necessary security controls to satisfy the PROTECTED security requirements, so that you can use compliant cloud services to build applications that work with Australian government unclassified information. Because not all AWS cloud services and resources are PROTECTED-eligible, using cloud components that fail to comply with the PROTECTED regulations can raise concerns about the security and privacy of the government data used and expose your organization to legal actions.

References

Publication date Feb 4, 2019

Related PROTECTED rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Check for PROTECTED Compliance

Risk level: High