How should the company respond to the auditor’s request?
Open an AWS Support ticket to request that the AWS technical account manager (TAM) respond and help the auditor.
Open an AWS Support ticket to request that the auditor receive approval to conduct an onsite assessment of the AWS data centers in which the company operates.
Explain to the auditor that AWS does not need to be audited because the company’s application is hosted in multiple Availability Zones.
Use AWS Artifact to download the applicable report for AWS security controls. Provide the report to the auditor.
Explanations:
Opening a support ticket to involve the AWS technical account manager (TAM) does not directly address the auditor’s request for certification details. The TAM may assist in navigating AWS services but is not responsible for providing security audit certifications.
Requesting approval for the auditor to conduct an onsite assessment of AWS data centers is unnecessary and impractical. AWS has its own compliance and audit processes, and customers' auditors are typically not permitted to audit its data centers.
Stating that AWS does not need to be audited because the application is hosted in multiple Availability Zones is misleading. Each customer is responsible for ensuring their use of AWS meets compliance and security standards, and AWS resources must still be evaluated.
Using AWS Artifact to download applicable reports for AWS security controls is the correct response. AWS Artifact provides access to compliance documentation and reports, which are necessary for the auditor to evaluate AWS’s security and compliance posture.