Amazon Web Services completes CCAG 2022 pooled audit by European FSI customers

by Manuel Mazarredo , Andreas Terwellen , and Julian Herlinghaus | on

We are excited to announce that Amazon Web Services (Amazon Web Services) has completed its annual Collaborative Cloud Audit Group (CCAG) Cloud Community audit with European financial service institutions (FSIs).

Security at Amazon Web Services is the highest priority. As customers embrace the scalability and flexibility of Amazon Web Services, we are helping them evolve security, identity, and compliance into key business enablers. At Amazon Web Services, we are obsessed with earning and maintaining customer trust, and providing our FSI customers and their regulatory bodies with the assurance that Amazon Web Services has the necessary controls in place to protect their most sensitive material and regulated workloads. The Amazon Web Services Compliance Program helps customers understand the robust controls that are in place at Amazon Web Services. By tying together governance-focused, audit-friendly service features with applicable compliance or audit standards, Amazon Web Services Compliance helps customers to set up and operate in an Amazon Web Services security control environment.

An example of how Amazon Web Services supports customers’ risk management and regulatory efforts is our annual audit engagement with the CCAG. For the fourth year, the CCAG pooled audit thoroughly assessed the Amazon Web Services controls that enable us to help protect our customers’ data and material workloads, while satisfying strict European and national regulatory obligations. CCAG currently represents more than 50 leading European FSIs and has grown steadily since its inception in 2017. Given the importance of cloud computing for the operations of FSI customers, the financial industry is coming under greater regulatory scrutiny. Similar to prior years, the CCAG 2022 audit was conducted based on customers’ right to conduct an audit of their service providers under European Banking Authority (EBA) outsourcing recommendations to cloud service providers (CSPs) . The EBA suggests using pooled audits to use audit resources more efficiently and to decrease the organizational burden on both the clients and the CSP. Figure 1 illustrates the improved cost-effectiveness of pooled audits as compared to individual audits.

Figure 1: Efforts and costs are shared and reduced when a collaborative approach is followed

Figure 1: Efforts and costs are shared and reduced when a collaborative approach is followed

CCAG audit process

Although there are many security frameworks available, CCAG uses the Cloud Controls Matrix (CCM) of the Cloud Security Alliance (CSA) as the framework of reference for their CSP audits. The CSA is a not-for-profit organization with a mission , as stated on its website, to “promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure all other forms of computing.” CCM is specifically designed to provide fundamental security principles to guide cloud vendors and to assist cloud customers in assessing the overall security risk of a cloud provider.

Between February and December 2022, CCAG audited the Amazon Web Services controls environment by following a hybrid approach, remotely and onsite in Seattle (USA), Dublin (IRL), and Frankfurt (DEU). For the scope of the 2022 CCAG audit, the participating auditors assessed Amazon Web Services measures with regards to (1) keeping customer data sovereign, secure, and private , (2) effectively managing threats and vulnerabilities, (3) offering a highly available and resilient infrastructure , (4) preventing and responding rapidly to security events, and (5) enforcing strong authentication mechanisms and strict identity and access management constraint conditions to grant access to resources only under the need-to-know and need-to-have principles.

The scope of the audit encompassed individual services provided by Amazon Web Services, and the policies, controls, and procedures for (and practice of) managing and maintaining them. Customers will still need to have their auditors assess the environments they create by using these services, and their policies and procedures for (and practices of) managing and maintaining these environments, on their side of the shared responsibility lines of demarcation for the Amazon Web Services services involved.

CCAG audit results

CCAG members expressed their gratitude to Amazon Web Services for the audit experience:

“The Amazon Web Services Security Assurance team provided CCAG auditors with the needed logistical and technical assistance, by navigating the Amazon Web Services organization to find the required information, performing advocacy of the CCAG audit rights, creating awareness and education, as well as exercising constant pressure for the timely delivery of information.”

The results of the CCAG pooled audit are available to the participants and their respective regulators only, and provide CCAG members with assurance regarding the Amazon Web Services controls environment, enabling members to work to remove compliance blockers, accelerate their adoption of Amazon Web Services services, and obtain confidence and trust in the security controls of Amazon Web Services.


If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact Amazon Web Services Support .

Want more Amazon Web Services Security news? Follow us on Twitter .

Manuel Mazarredo

Manuel Mazarredo

Manuel is a security audit program manager at Amazon Web Services based in Amsterdam, the Netherlands. Manuel leads security audits, attestations, and certification programs across Europe, and is responsible for the BeNeLux area. For the past 18 years, he has worked in information systems audits, ethical hacking, project management, quality assurance, and vendor management across a variety of industries.

Andreas Terwellen

Andreas Terwellen

Andreas is a senior manager in security audit assurance at Amazon Web Services, based in Frankfurt, Germany. His team is responsible for third-party and customer audits, attestations, certifications, and assessments across Europe. Previously, he was a CISO in a DAX-listed telecommunications company in Germany. He also worked for different consulting companies managing large teams and programs across multiple industries and sectors.

Julian Herlinghaus

Julian Herlinghaus

Julian is a Manager in Amazon Web Services Security Assurance based in Berlin, Germany. He leads third-party and customer security audits across Europe and specifically the DACH region. He has previously worked as Information Security department lead of an accredited certification body and has multiple years of experience in information security and security assurance & compliance.

The mentioned AWS GenAI Services service names relating to generative AI are only available or previewed in the Global Regions. Amazon Web Services China promotes AWS GenAI Services relating to generative AI solely for China-to-global business purposes and/or advanced technology introduction.