October 26, 2017

We, as management of, Amazon Web Services, Inc. (AWS) are responsible for designing, implementing and maintaining effective controls over the Amazon Web Services System (System) to provide reasonable assurance that the commitments and system requirements related to the operation of the system are achieved.

There are inherent limitations in any system of internal controls, such as the possibility of human error and the circumvention of controls. Because of inherent limitations in Security controls, an entity may achieve reasonable, but not absolute, assurance that security events are prevented and, for those that are not prevented, detected on a timely basis. Examples of inherent limitations in an entity’s Security’s controls include the following:

  • Vulnerabilities in information technology components as a result of design by the manufacturer or developer
  • Ineffective controls at a vendor or business partner
  • Persistent attackers with the resources to use advanced technical means and sophisticated social engineering techniques specifically targeting the entity

We have performed an evaluation of the effectiveness of the controls over the System throughout the period April 1, 2017, to September 30, 2017, to achieve the commitments and System requirements related to the operation of the System using the criteria for security, availability, and confidentiality (Control Criteria) set forth in the AICPA’s TSP section 100A, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Based on this evaluation, we assert that the controls were effective throughout the period April 1, 2017, to September 30, 2017, to provide reasonable assurance that:

  • the System was protected against unauthorized access, use, or modification to achieve Amazon Web Services’ commitments and System requirements
  • the System was available for operation and use, to achieve Amazon Web Services’ commitments and System requirements
  • the System information was collected, used, disclosed, and retained to achieve Amazon Web Services’ commitments and system requirements based on the Control Criteria.

Our attached description of the boundaries of the Amazon Web Services System identifies the aspects of the Amazon Web Services System covered by our assertion.

Amazon Web Services Management