Amazon Web Services: Risk and Compliance AWS Whitepaper
The AWS organizational structure provides a framework for planning, executing, and controlling
business operations. The organizational structure includes roles and responsibilities to provide
for adequate staffing, efficiency of operations, and the segregation of duties. Management
has also established appropriate lines of reporting for key personnel. The company’s hiring
verification processes include validation of education, previous employment, and, in some cases,
background checks as permitted by law and regulation for employees commensurate with the
employee’s position and level of access to AWS facilities. The company follows a structured
onboarding process to familiarize new employees with Amazon tools, processes, systems, policies,
and procedures.
Control environment and automation
AWS implements security controls as a foundational element to manage risk across the
organization. The AWS control environment is comprised of the standards, processes, and
structures that provide the basis for implementing a minimum set of security requirements across
AWS.
While processes and standards included as part of the AWS control environment stand on their
own, AWS also leverages aspects of Amazon’s overall control environment. Leveraged tools include:
• Tools used across all Amazon businesses, such as the tool that manages separation of duties
• Certain Amazon-wide business functions, such as legal, human resources, and finance
In instances where AWS leverages Amazon’s overall control environment, the standards and
processes governing these mechanisms are tailored specifically for the AWS business. This means
that the expectations for their use and application within the AWS control environment may differ
from the expectations for their use and application within the overall Amazon environment. The
AWS control environment ultimately acts as the foundation for the secure delivery of AWS service
offerings.
Control automation is a way for AWS to reduce human intervention in certain recurring processes
comprising the AWS control environment. It is key to effective information security control
implementation and associated management of risks. Control automation seeks to proactively
minimize potential inconsistencies in process execution that might arise due to the flawed nature
of humans conducting a repetitive process. Through control automation, potential process
deviations are eliminated. This provides increased levels of assurance that a control will be applied
as designed.