Transcription

SOC 2 REPORT – TYPE 2
System and Organization Controls 2 (SOC 2) Type 2 Report
Description of the Amazon Web Services System Relevant to Security, Availability, and Confidentiality
For the Period October 1, 2017 – March 31, 2018
Proprietary and Confidential Information - Trade Secret 2018 Amazon.com, Inc. or its affiliates

Description of the Amazon Web Services System Relevant to Security, Availability, and Confidentiality

Table of Contents

SECTION I – Assertion of Amazon Web Services ........ 3
SECTION II – Independent Service Auditor's Report ........ 7
SECTION III – Description of the Amazon Web Services System Relevant to Security, Availability, and Confidentiality ........ 12
    Amazon Web Services System Overview ........ 13
    Relevant Aspects of Internal Controls ........ 15
        A. Policies ........ 15
        B. Communications ........ 16
        C. Procedures ........ 17
        D. Monitoring ........ 46
    Complementary User Entity Controls ........ 47
SECTION IV – Description of Principles, Criteria, AWS Controls, Tests and Results of Tests ........ 50
    Testing Performed and Results of Entity-Level Controls ........ 51
    Procedures for Assessing Completeness and Accuracy of Information Provided by the Entity (IPE) ........ 51
    Trust Services Principles and Related Controls for Systems and Applications ........ 51
    Information System Control Environment ........ 52
    AWS Controls Mapped to the Security, Availability, and Confidentiality Principles and Criterion ........ 53
    Security, Availability, and Confidentiality Principles and Criterion Mapped to AWS Controls & Auditor Testing Performed and Results ........ 63
SECTION V – Other Information Provided By Amazon Web Services ........ 105
    Encryption ........ 106
    Spring 2018 SOC Control Adjustment Overview ........ 106
APPENDIX – Glossary of Terms ........ 108
    Appendix – Glossary of Terms ........ 109

SECTION I – Assertion of Amazon Web Services

Amazon Web Services
1918 8th Ave.
Seattle, WA 98101

Amazon Web Services' Management Assertion

April 23, 2018

We have prepared the accompanying Description of the Amazon Web Services, Inc. (AWS) System Relevant to Security, Availability, and Confidentiality (Description) of Amazon Web Services (Service Organization) based on the criteria for a description of a service organization's system set forth in the Description Criteria DC section 200A 2015 Description Criteria for a Description of a Service Organization's System in a SOC 2 Report (Description Criteria). The Description is intended to provide users with information about the Amazon Web Services System (System) that may be useful when assessing the risks from interactions with the System throughout the period October 1, 2017 to March 31, 2018, particularly information about the suitability of design and operating effectiveness of Amazon Web Services' controls to meet the criteria related to security, availability, and confidentiality set forth in TSP section 100A, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (applicable trust services criteria).

The System consists of the following services:

    Amazon API Gateway
    Amazon Athena
    AWS Auto Scaling
    AWS Batch
    Amazon Cloud Directory
    AWS CloudFormation
    Amazon CloudFront
    AWS CloudHSM
    AWS CloudTrail
    Amazon CloudWatch Logs
    AWS CodeBuild
    Amazon Cognito
    AWS Config
    Amazon Connect
    AWS Database Migration Service (DMS)
    AWS Direct Connect
    AWS Directory Service for Microsoft Active Directory
    Amazon DynamoDB
    AWS Elastic Beanstalk
    Amazon Elastic Block Store (EBS)
    Amazon Elastic Compute Cloud (EC2)
    Amazon EC2 Container Registry (ECR)
    Amazon EC2 Container Service (ECS)
    Amazon EC2 Systems Manager
    Amazon Elastic File System (EFS)
    Elastic Load Balancing
    Amazon Elastic MapReduce (EMR)
    Amazon ElastiCache
    Amazon Glacier
    AWS Identity and Access Management (IAM)
    Amazon Inspector
    AWS IoT Core
    AWS Key Management Service (KMS)
    Amazon Kinesis Streams
    AWS Lambda
    AWS Lambda@Edge
    AWS Managed Services
    AWS OpsWorks Stacks
    Amazon QuickSight
    Amazon Redshift
    Amazon Relational Database Service (RDS)
    Amazon Route 53
    AWS Shield
    Amazon Simple Email Service (SES)
    Amazon Simple Notification Service (SNS)
    Amazon Simple Queue Service (SQS)
    Amazon Simple Storage Service (S3)
    Amazon S3 Transfer Acceleration
    Amazon Simple Workflow Service (SWF)
    Amazon SimpleDB
    AWS Snowball
    AWS Snowball Edge
    AWS Snowmobile
    AWS Step Functions
    AWS Storage Gateway
    Amazon Virtual Private Cloud (VPC)
    VM Import/Export
    AWS Web Application Firewall (WAF)
    Amazon WorkDocs
    Amazon WorkMail
    Amazon WorkSpaces
    AWS X-Ray

and their supporting data centers located in the US East (Northern Virginia), US East (Ohio), US West (Oregon), US West (Northern California), AWS GovCloud (US), Canada (Central), Europe (Ireland), Europe (Frankfurt), Europe (London), Europe (Paris), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Asia Pacific (Osaka) [1], Asia Pacific (Seoul), Asia Pacific (Mumbai), and South America (São Paulo) Regions, as well as the AWS Edge locations in:

    Canberra, Australia
    Melbourne, Australia
    Perth, Australia
    Sydney, Australia
    Vienna, Austria
    Rio de Janeiro, Brazil
    São Paulo, Brazil
    Montréal, Canada
    Toronto, Canada
    Vancouver, Canada
    Prague, Czech Republic
    Hong Kong, China
    London, England
    Manchester, England
    Helsinki, Finland
    Marseille, France
    Paris, France
    Berlin, Germany
    Frankfurt, Germany
    Munich, Germany
    Bengaluru, India
    Chennai, India
    Mumbai, India
    New Delhi, India
    Dublin, Ireland
    Milan, Italy
    Palermo, Italy
    Osaka, Japan
    Tokyo, Japan
    Seoul, Korea
    Kuala Lumpur, Malaysia
    Amsterdam, Netherlands
    Manila, Philippines
    Warsaw, Poland
    Singapore
    Cape Town, South Africa
    Johannesburg, South Africa
    Madrid, Spain
    Stockholm, Sweden
    Zurich, Switzerland
    Taipei, Taiwan
    Arizona, United States
    California, United States
    Florida, United States
    Georgia, United States
    Illinois, United States
    Indiana, United States
    Massachusetts, United States
    Minnesota, United States
    Missouri, United States
    Nevada, United States
    New Jersey, United States
    New York, United States
    Ohio, United States
    Oregon, United States
    Pennsylvania, United States
    Texas, United States
    Virginia, United States
    Washington, United States

The Description also indicates that certain trust services criteria specified in the Description can be met only if complementary user entity controls assumed in the design of Amazon Web Services' controls are suitably designed and operating effectively, along with related controls at the Service Organization. The Description does not extend to controls of user entities.

We confirm, to the best of our knowledge and belief, that:

a) The Description fairly presents the System that was designed and implemented throughout the period October 1, 2017 to March 31, 2018 in accordance with the description criteria.

b) The controls stated in the Description were suitably designed to provide reasonable assurance that the applicable trust services criteria would be met, if the controls operated as described throughout the period October 1, 2017 to March 31, 2018.

[1] The Asia Pacific (Osaka) Region is a Local Region, which is a new type of region that comprises an isolated, fault-tolerant infrastructure design located within a single datacenter. The Asia Pacific (Osaka) Local Region consists of one Availability Zone and is intended to be used in conjunction with the Asia Pacific (Tokyo) Region. This region requires customers request access through a sales representative.

c) The Amazon Web Services controls stated in the description operated effectively throughout the period October 1, 2017 to March 31, 2018 to meet the applicable trust services criteria.

Amazon Web Services Management

SECTION II – Independent Service Auditor's Report


SECTION III – Description of the Amazon Web Services System Relevant to Security, Availability, and Confidentiality

Section III – Description of the Amazon Web Services System

Amazon Web Services System Overview

Since 2006, Amazon Web Services (AWS) has provided flexible, scalable and secure IT infrastructure to businesses of all sizes around the world. With AWS, customers can deploy solutions on a cloud computing environment that provides compute power, storage, and other application services over the Internet as their business needs demand. AWS affords businesses the flexibility to employ the operating systems, application programs and databases of their choice.

The scope of services covered in this report includes:

    Amazon API Gateway
    Amazon Athena
    AWS Auto Scaling
    AWS Batch
    Amazon Cloud Directory
    AWS CloudFormation
    Amazon CloudFront
    AWS CloudHSM
    AWS CloudTrail
    Amazon CloudWatch Logs
    AWS CodeBuild
    Amazon Cognito
    AWS Config
    Amazon Connect
    AWS Database Migration Service (DMS)
    AWS Direct Connect
    AWS Directory Service for Microsoft Active Directory
    Amazon DynamoDB
    Amazon EC2 Container Registry (ECR)
    Amazon EC2 Container Service (ECS)
    Amazon EC2 Systems Manager
    AWS Elastic Beanstalk
    Amazon Elastic Block Store (EBS)
    Amazon Elastic Compute Cloud (EC2)
    Amazon Elastic File System (EFS)
    Elastic Load Balancing
    Amazon Elastic MapReduce (EMR)
    Amazon ElastiCache
    Amazon Glacier
    AWS Identity and Access Management (IAM)
    Amazon Inspector
    AWS IoT Core
    AWS Key Management Service (KMS)
    Amazon Kinesis Streams
    AWS Lambda
    AWS Lambda@Edge
    AWS Managed Services
    AWS OpsWorks Stacks
    Amazon QuickSight
    Amazon Redshift
    Amazon Relational Database Service (RDS)
    Amazon Route 53
    Amazon S3 Transfer Acceleration
    AWS Shield
    Amazon Simple Email Service (SES)
    Amazon Simple Notification Service (SNS)
    Amazon Simple Queue Service (SQS)
    Amazon Simple Storage Service (S3)
    Amazon Simple Workflow Service (SWF)
    Amazon SimpleDB
    AWS Snowball
    AWS Snowball Edge
    AWS Snowmobile
    AWS Step Functions
    AWS Storage Gateway
    Amazon Virtual Private Cloud (VPC)
    VM Import/Export
    AWS Web Application Firewall (WAF)
    Amazon WorkDocs
    Amazon WorkMail
    Amazon WorkSpaces
    AWS X-Ray

The scope of locations covered in this report includes the data centers in the US East (Northern Virginia), US East (Ohio), US West (Oregon), US West (Northern California), AWS GovCloud (US), Canada (Central), Europe (Ireland), Europe (Frankfurt), Europe (London), Europe (Paris), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Asia Pacific (Osaka) [2], Asia Pacific (Seoul), Asia Pacific (Mumbai), and South America (São Paulo) Regions. The following AWS Edge locations are also covered in this report:

    Canberra, Australia
    Melbourne, Australia
    Perth, Australia
    Sydney, Australia
    Vienna, Austria
    Rio de Janeiro, Brazil
    São Paulo, Brazil
    Montréal, Canada
    Toronto, Canada
    Vancouver, Canada
    Prague, Czech Republic
    Hong Kong, China
    London, England
    Manchester, England
    Helsinki, Finland
    Marseille, France
    Paris, France
    Berlin, Germany
    Frankfurt, Germany
    Munich, Germany
    Bengaluru, India
    Chennai, India
    Mumbai, India
    New Delhi, India
    Dublin, Ireland
    Milan, Italy
    Palermo, Italy
    Osaka, Japan
    Tokyo, Japan
    Seoul, Korea
    Kuala Lumpur, Malaysia
    Amsterdam, Netherlands
    Manila, Philippines
    Warsaw, Poland
    Singapore
    Cape Town, South Africa
    Johannesburg, South Africa
    Madrid, Spain
    Stockholm, Sweden
    Zurich, Switzerland
    Taipei, Taiwan
    Arizona, United States
    California, United States
    Florida, United States
    Georgia, United States
    Illinois, United States
    Indiana, United States
    Massachusetts, United States
    Minnesota, United States
    Missouri, United States
    Nevada, United States
    New Jersey, United States
    New York, United States
    Ohio, United States
    Oregon, United States
    Pennsylvania, United States
    Texas, United States
    Virginia, United States
    Washington, United States

Shared Responsibility Environment

Moving IT infrastructure to AWS builds a shared responsibility model between customers and AWS. AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. In turn, customers assume responsibility and management of the guest operating system (including updates and security patches), other associated application software, as well as the configuration of the AWS-provided security group firewall. Customers should carefully consider the services they choose as customers' responsibilities vary depending on the services they use, the integration of those services into their IT environments, and applicable laws and regulations. It is possible to enhance security and/or meet more stringent compliance requirements by leveraging technology such as host-based firewalls, host-based intrusion detection/prevention, and encryption. AWS provides tools and information to assist customers in their efforts to account for and to validate that controls are operating effectively in their extended IT environment. More information can be found on the AWS Compliance center at http://aws.amazon.com/compliance.

[2] The Asia Pacific (Osaka) Region is a Local Region, which is a new type of region that comprises an isolated, fault-tolerant infrastructure design located within a single datacenter. The Asia Pacific (Osaka) Local Region consists of one Availability Zone and is intended to be used in conjunction with the Asia Pacific (Tokyo) Region. This region requires customers request access through a sales representative.
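The security group firewall named above as a customer responsibility is the control that most often fails on the customer side of the model, and the report's own assurance does not cover it. The following is an added example, not part of the AWS report or of any AWS tooling: it audits security-group ingress rules in the shape returned by the EC2 DescribeSecurityGroups API and flags rules open to the whole Internet (0.0.0.0/0 or ::/0), rating a rule high when it exposes an administrative or database port or all ports. The groups, IDs and CIDRs in the block are constructed for illustration, and the set of sensitive ports is an assumed baseline to adapt to your own environment.

```python
"""Audit EC2 security-group ingress for world-open rules (added example).

Input is a list of security groups in the shape the EC2 DescribeSecurityGroups
API returns under "SecurityGroups". The sample at the bottom is constructed;
to audit a real account replace it with
    boto3.client("ec2").describe_security_groups()["SecurityGroups"]
"""
from __future__ import annotations

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Assumed baseline of ports that should never be reachable from the whole
# Internet; adjust to your own environment.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                   6379: "redis", 27017: "mongodb"}


def rule_ports(perm: dict) -> set[int] | None:
    """Ports covered by one IpPermissions entry.

    Returns None for "all traffic" (IpProtocol "-1"), an empty set for
    protocols that have no ports (icmp, icmpv6), otherwise the inclusive
    FromPort..ToPort range.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return None
    if proto not in ("tcp", "udp"):
        return set()
    return set(range(perm["FromPort"], perm["ToPort"] + 1))


def world_open_cidrs(perm: dict) -> list[str]:
    """CIDRs in the rule that cover the whole IPv4 or IPv6 Internet."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return sorted(c for c in cidrs if c in WORLD_CIDRS)


def world_open_findings(security_groups: list[dict]) -> list[dict]:
    """One finding per ingress rule that is open to the Internet.

    severity is "high" when the rule reaches a sensitive port (or all ports)
    and "info" for world-open rules on other ports, e.g. 443 on a web tier,
    which still deserve a look but are usually intended.
    """
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = world_open_cidrs(perm)
            if not cidrs:
                continue                      # not reachable from the Internet
            ports = rule_ports(perm)
            if ports is None:                 # all protocols and all ports
                exposed = sorted(SENSITIVE_PORTS)
            else:
                exposed = sorted(ports & set(SENSITIVE_PORTS))
            findings.append({
                "group_id": sg["GroupId"],
                "group_name": sg.get("GroupName", ""),
                "protocol": perm.get("IpProtocol"),
                "world_cidrs": cidrs,
                "exposed_ports": exposed,
                "severity": "high" if exposed else "info",
            })
    return findings


# Constructed sample data in DescribeSecurityGroups shape (group IDs invented).
SAMPLE_SECURITY_GROUPS = [
    {   # web tier: HTTPS from anywhere is expected -> info
        "GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {   # bastion: SSH restricted on IPv4 but open to the world on IPv6 -> high
        "GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "bastion",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {   # db tier: every protocol and port from anywhere -> high
        "GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "db-tier",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
    {   # app tier: internal only -> no finding
        "GroupId": "sg-0a1b2c3d4e5f60004", "GroupName": "app-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        ],
    },
]

if __name__ == "__main__":
    for f in world_open_findings(SAMPLE_SECURITY_GROUPS):
        names = ", ".join(f"{p}/{SENSITIVE_PORTS[p]}" for p in f["exposed_ports"])
        print(f'{f["severity"]:4} {f["group_id"]} {f["group_name"]:9} '
              f'proto={f["protocol"]} from={",".join(f["world_cidrs"])} '
              f'sensitive=[{names}]')
```

The check deliberately treats IPv4 and IPv6 separately, because a rule that restricts 0.0.0.0/0 but leaves ::/0 in place is the same exposure on any dual-stack subnet, and it treats IpProtocol "-1" as every port rather than skipping it for lack of a port range.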

Relevant Aspects of Internal Controls

As defined by the American Institute of Certified Public Accountants (AICPA), internal control is a process effected by an entity's board of directors, management, and other personnel and consists of five interrelated components:

    Control Environment – Sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.

    Risk Management – The entity's identification and analysis of relevant risks to achievement of its objectives, forming a basis for determining how the risks should be managed.

    Information and Communication – Surrounding these activities are information and communication systems. These enable the entity's people to capture and exchange information needed to conduct and control its operations.

    Monitoring – The entire process must be monitored, and modifications made as necessary. In this way, the system can react dynamically, changing as conditions warrant.

    Control Activities – Control policies and procedures must be established and executed to help ensure that the actions identified by management as necessary to address risks to achievement of the entity's control objectives are effectively carried out.

This section briefly describes, in four broad areas, the essential characteristics and other interrelated components of internal control over the trust services principles and criteria of security, availability, and confidentiality as they pertain to AWS and may be relevant to customers:

    A. Policies (Control Environment and Risk Management) – The entity has defined and documented its policies relevant to the particular principles.

    B. Communications (Information and Communication) – The entity has communicated its defined policies to responsible parties and authorized users of the system.

    C. Procedures (Control Activities) – The entity has placed in operation procedures to achieve objectives in accordance with its defined policies.

    D. Monitoring – The entity monitors the system and takes action to maintain compliance with its defined policies.

A. Policies

A.1 Control Environment

AWS is a unit within Amazon.com (Amazon or the Company) that is aligned organizationally around each of the web services, such as Amazon EC2, Amazon S3, Amazon VPC, Amazon EBS and Amazon RDS. AWS leverages some aspects of Amazon's overall control environment in the delivery of these web services. The collective control environment encompasses management and employee efforts to establish and maintain an environment that supports the effectiveness of specific controls.

The control environment at Amazon begins at the highest level of the Company. Executive and senior leadership play important roles in establishing the Company's core values and tone at the top. Every employee is provided with the Company's Code of Business Conduct and Ethics, which sets guiding principles.

The AWS organizational structure provides a framework for planning, executing and controlling business operations. The organizational structure assigns roles and responsibilities to provide for adequate staffing, efficiency of operations and the segregation of duties. Management has also established authority and appropriate lines of reporting for key personnel. The Company follows a structured on-boarding process to assist new employees as they become familiar with Amazon tools, processes, systems, policies and procedures.

The AWS control environment is subject to various internal and external risk assessments. The AWS Security team has established an information security framework and regularly reviews and updates the security policy, provides security training to employees and performs application security reviews. These reviews assess the availability, confidentiality, and integrity of data, as well as conformance to the information security policy. Where necessary, AWS Security leverages the security framework and security policies established and maintained by Amazon Corporate Information Security.

The GovCloud (US) environment is an AWS region located in the United States (US) that is designed to maintain physical and logical access controls that limit access by AWS personnel to the AWS Network for the GovCloud (US) region to US citizens and permanent residents. The AWS control environment described in this document is applicable to the GovCloud (US) region.

A.2 Risk Management

AWS maintains a formal risk management program to continually identify, assess, mitigate, report, and monitor risks. AWS management reviews and evaluates the risks identified in the risk management program at least annually. The risk management program encompasses the following phases:

    1. Identify – These efforts identify technical and business risks to the organization and operations.

    2. Assess – The assessment phase evaluates the potential impact(s) of identified risks, the likelihood of occurrence, and control effectiveness and maturity.

    3. Mitigate – Mitigation develops risk treatment plans to control or reduce risk where needed, including the implementation of controls, processes, and other physical and virtual safeguards.

    4. Report – Reporting and communication is performed to ensure that risk owners and stakeholders, as well as senior leadership, have visibility into risks to the organization and that there is effective decision making around risks.

    5. Monitor – Identified and assessed risks are periodically reviewed, along with any associated risk response efforts for the risk, to determine if their state or status has changed.

B. Communications

AWS has implemented various methods of internal communication at a global level to help employees understand their individual roles and responsibilities and to communicate significant events in a timely manner. These methods include orientation and training programs for newly hired employees; annual training programs tailored based on employee roles and responsibilities that may include Amazon Security Awareness (ASA), Software Developer Engineer (SDE) Bootcamp, ITAR Training, Fraud/Bribery/Foreign corrupt practices training, and confidentiality training; regular management meetings for updates on business performance and other matters; and electronic means such as video conferencing, electronic mail messages, and the posting of information via the Amazon intranet on topics such as reporting of information security incidents and guidelines describing change management.

At the customer level, AWS has also implemented various methods of external communication to support its customer base and the community. Mechanisms are in place to allow the customer support team to be notified and to notify customers of potential operational issues that could impact the customer experience. A Service Health Dashboard is available and maintained by the customer support team to alert customers of issues that may be of broad impact. Details related to security and compliance with AWS can also be obtained on the AWS Security Center and AWS Compliance websites. Customers can also subscribe to Premium Support offerings that include direct communication with the customer support team and proactive alerts for any customer impacting issues.

C. Procedures

C.1 Security Organization

AWS has established an information security organization that is managed by the AWS Security team and led by the AWS Chief Information Security Officer (CISO). AWS Security establishes and maintains formal policies and procedures to delineate standards for logical access on the AWS system and infrastructure hosts. The policies also identify functional responsibilities for the administration of logical access and security. Where applicable, AWS Security leverages the information system framework and policies established and maintained by Amazon Corporate Information Security. Policies are reviewed and approved on an annual basis by Security Leadership (Control AWSCA 1.1, AWSCA 1.2, AWSCA 1.3).

As part of this assessment, the following policies were inspected to verify approval occurred within the last year:

    AWS Access Control Policy
    AWS Certification, Accreditation, and Security Assessment
    AWS Configuration Management Policy
    AWS Contingency Planning Policy
    AWS Data Classification Policy and Handling
    AWS Document and Record Retention Policy
    AWS Facility Badge Management and Use Policy
    AWS Identification and Authentication Policy
    AWS Internal Data Backup Policy
    AWS Internal Password Policy
    AWS Internal Privacy Policy
    AWS Media Protection Policy
    AWS Personnel Security Policy
    AWS Physical and Environmental Protection Policy
    AWS Risk Assessment Policy
    AWS Security Awareness Training Policy
    AWS System and Information Integrity Policy
    AWS System Maintenance Policy
    AWS Third Party Information Sharing Policy
    AWS System and Communications Protection Policy
    Global/Security/Policy for Media Destruction
    Secure Software Development Policy

AWS has a formal security awareness and training policy that is disseminated via an internal Amazon communication portal to all employees. This policy addresses purpose, scope, roles, responsibilities, and management commitment. AWS maintains and provides security awareness training to all information system users on an annual basis (Control AWSCA 1.4).

AWS maintains a formal risk management program to continually identify, assess, mitigate, report, and monitor risks. AWS management reviews and evaluates risks identified in the risk management program at least annually (Control AWSCA 1.5).

As a part of AWS' responsibilities within the shared responsibility model, AWS follows the three lines of defense model established by the Institute of Internal Auditors, discussed in The Three Lines of Defense in Effective Risk Management and Control whitepaper [3]. In this model, management control is the first line of defense, the various risk control and compliance oversight functions established by management are the second line of defense, and independent assurance is the third. Each of these lines of defense serves a different role.

As its third line of defense, AWS employs an Internal Audit function with due professional care to periodically evaluate risks and assess conformance to AWS security processes. Further, independent assurance is also provided by AWS Compliance teams (such as the Incident Management, Vulnerability Assessments, and penetration testing teams) or by independent third party assessors. These assessors provide an independent assessment of risk management content/processes by performing periodic security assessments and compliance audits or examinations (e.g. SOC, FedRAMP, ISO, PCI audits) to evaluate the security, integrity, confidentiality, and availability of information and resources. AWS management also collaborates with Internal Audit to determine the health of the AWS control environment, and leverages this information to fairly present the assertions made within the report.

C.2 Employee User Access

Procedures exist so that Amazon employee and contractor user accounts are added, modified, or disabled in a timely manner and are reviewed on a periodic basis. In addition, password configuration settings for user authentication to AWS systems are managed in compliance with Amazon's Corporate Password Policy.

AWS has established formal policies and procedures to delineate standards for logical access to AWS systems and infrastructure hosts. Where permitted by law, AWS requires that all employees undergo a background investigation commensurate with their position and level of access. The policies also identify functional responsibilities for the administration of logical access and security.

Account Provisioning

The responsibility for provisioning employee and contractor access is shared across Human Resources (HR), Corporate Operations, and Service Owners.

[3] https://na.theiia.org/standards-guidance/Public Documents/PP The Three Lines of Defense in Effective Risk Management and Control.pdf

A standard employee or contractor account with minimum privileges is provisioned in a disabled state when a hiring manager submits his or her new employee or contractor onboarding request in Amazon's HR system. The account is automatically enabled after the employee's record is activated in Amazon's HR system. First time passwords are set to a unique value and are required to be changed on first use (Control AWSCA 2.1).

Access to other resources including Services, Hosts, Network devices, and Windows and UNIX groups is explicitly approved in Amazon's proprietary permission management system by the appropriate owner or manager. Requests for changes in access are captured in the Amazon permissions management tool audit log. When changes in an employee'
