This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.

# AWS Quality Management System
<a name="aws-quality-management-system"></a>

 Life Science customers with obligations under GxP requirements need to ensure that quality is part of manufacturing and controls during the design, development and deployment of their GxP-regulated product. This quality assurance includes an appropriate assessment of cloud service suppliers, like AWS, to meet the obligations of your quality system. 

 For a deeper description of the AWS Quality Management System, you may use AWS [Artifact](https://aws.amazon.com/artifact/) to access additional documents under NDA. Below, AWS provides information on some of the concepts and components of the AWS Quality System of most interest to GxP customers like you. 

**Topics**
+ [Quality Infrastructure and Support Processes](quality-infrastructure-and-support-processes.md)
+ [Software Development](software-development.md)

# Quality Infrastructure and Support Processes
<a name="quality-infrastructure-and-support-processes"></a>

## Quality Management System Certification
<a name="quality-management-system-certification"></a>

 AWS has undergone a systematic, independent examination of our quality system to determine whether the activities and activity outputs comply with ISO 9001:2015 requirements. A certifying agent found our quality management system (QMS) to comply with the requirements of ISO 9001:2015 for the activities described in the scope of registration. 

 The AWS quality management system has been certified to ISO 9001 since 2014. The reports cover six month periods each year (April-September / October-March). New reports are released in mid-May and mid-November. To see the AWS ISO 9001 registration certification, certification body information as well as date of issuance and renewal, please see the information on the ISO 9001 AWS compliance program website: [https://aws.amazon.com/compliance/iso-9001-faqs/](https://aws.amazon.com/compliance/iso-9001-faqs/). 

 The certification covers the QMS over a specified scope of AWS services and Regions of operations. If you are pursuing ISO 9001:2015 certification while operating all or part of your IT systems in the AWS cloud, you are not automatically certified by association, however, using an ISO 9001:2015 certified provider like AWS can make your certification process easier. 

 AWS provides additional detailed information on the quality management system accessible within AWS Artifact via customer accounts in the AWS console ([https://aws.amazon.com/artifact/](https://aws.amazon.com/artifact/)). 

## Software Development Approach
<a name="software-development-approach"></a>

 AWS’s strategy for design and development of AWS services is to clearly define services in terms of customer use cases, service performance, marketing and distribution requirements, production and testing, and legal and regulatory requirements. The design of all new services or any significant changes to current services are controlled through a project management system with multi-disciplinary participation. Requirements and service specifications are established during service development, taking into account legal and regulatory requirements, customer contractual commitments, and requirements to meet the confidentiality, integrity and availability of the service in alignment with the quality objectives established within the quality management system. Service reviews are completed as part of the development process, and these reviews include evaluation of security, legal and regulatory impacts and customer contractual commitments. 

 Prior to launch, each of the following requirements must be complete: 
+  Security Risk Assessment 
+  Threat modeling 
+  Security design reviews 
+  Secure code reviews 
+  Security testing 
+  Vulnerability/penetration testing 

 AWS implements open source software or custom code within its services. All open source software to include binary or machine-executable code from third-parties is reviewed and approved by the Open Source Group prior to implementation, and has source code that is publicly accessible. AWS service teams are prohibited from implementing code from third parties unless it has been approved through the open source review. All code developed by AWS is available for review by the applicable service team, as well as AWS Security. By its nature, open source code is available for review by the Open Source Group prior to granting authorization for use within Amazon.  

## Quality Procedures
<a name="quality-procedures"></a>

 In addition to the software, hardware, human resource and real estate assets that are encompassed in the scope of the AWS quality management system supporting the development and operations of AWS services, it also includes documented information including, but not limited to source code, system documentation and operational policies and procedures. 

 AWS implements formal, documented policies and procedures that provide guidance for operations and information security within the organization and the supporting AWS environments. Policies address purpose, scope, roles, responsibilities and management commitment. All policies are maintained in a centralized location that is accessible by employees.  

## Project Management Processes
<a name="project-management-processes"></a>

 The design of new services or any significant changes to current services follow secure software development practices and are controlled through a project management system with multi-disciplinary participation. 

## Quality Organization Roles
<a name="quality-organization-roles"></a>

 AWS Security Assurance is responsible for familiarizing employees with the AWS security policies. AWS has established information security functions that are aligned with defined structure, reporting lines, and responsibilities. Leadership involvement provides clear direction and visible support for security initiatives.  

 AWS has established a formal audit program that includes continual, independent internal and external assessments to validate the implementation and operating effectiveness of the AWS control environment. 

 AWS maintains a documented audit schedule of internal and external assessments. The needs and expectations of internal and external parties are considered throughout the development, implementation, and auditing of the AWS control environment. Parties include, but are not limited to: 
+  AWS customers, including current customers and potential customers. 
+  External parties to AWS including regulatory bodies such as the external auditors and certifying agents. 
+  Internal parties such as AWS services and infrastructure teams, security, and overarching administrative and corporate teams. 

## Quality Project Planning and Reporting
<a name="quality-project-planning-and-reporting"></a>

 The AWS planning process defines service requirements, requirements for projects and contracts, and ensures customer needs and expectations are met or exceeded. Planning is achieved through a combination of business and service planning, project teams, quality improvement plans, review of service-related metrics and documentation, self-assessments and supplier audits, and employee training. The AWS quality system is documented to ensure that planning is consistent with all other requirements. 

 AWS continuously monitors service usage to project infrastructure needs to support availability commitments and requirements. AWS maintains a capacity planning model to assess infrastructure usage and demands at least monthly, and usually more frequently. In addition, the AWS capacity planning model supports the planning of future demands to acquire and implement additional resources based upon current resources and forecasted requirements. 

## Electronics Records and Electronic Signatures
<a name="electronics-records-and-electronic-signatures"></a>

 In the United States (US), GxP regulations are enforced by the US Food and Drug Administration (FDA) and are contained in Title 21 of the Code of Federal Regulations (21 CFR). Within 21 CFR, Part 11 contains the requirements for computer systems that create, modify, maintain, archive, retrieve, or distribute electronic records and electronic signatures in support of GxP-regulated activities (and in the EU, EudraLex - Volume 4 - Good Manufacturing Practice (GMP) guidelines – Annex 11 Computerised Systems). Part 11 was created to permit the adoption of new information technologies by FDA-regulated life sciences organizations, while simultaneously providing a framework to ensure that the electronic GxP data is trustworthy and reliable. 

 There is no GxP certification for a commercial cloud provider such as AWS. AWS offers commercial off-the-shelf (COTS) IT services according to IT quality and security standards such as [ISO 27001](https://aws.amazon.com/compliance/iso-27001-faqs/), [ISO 27017](https://aws.amazon.com/compliance/iso-27017-faqs/), [ISO 27018](https://aws.amazon.com/compliance/iso-27018-faqs/), [ISO 9001](https://aws.amazon.com/compliance/iso-9001-faqs/), [NIST 800-53](https://blogs.aws.amazon.com/security/post/Tx115XWF9J5G4MM/Need-NIST-Compliance-in-the-AWS-Cloud-AWS-Compliance-Has-You-Covered-NIST-800-17) and many others. GxP-regulated life sciences customers, like you, are responsible for purchasing and using AWS services to develop and operate your GxP systems, and to verify your own GxP compliance, and compliance with 21 CFR 11. 

 This document, used in conjunction with other AWS resources noted throughout, may be used to support your electronic records and electronic signatures requirements. A further description of the shared responsibility model as it relates to your use of AWS services in alignment with 21 CFR 11 can be found in the Appendix. 

## Company Self-Assessments
<a name="company-self-assessments"></a>

 AWS Security Assurance monitors the implementation and maintenance of the quality management system by performing verification activities through the AWS audit program to ensure compliance, suitability, and effectiveness of the quality management system. The AWS audit program includes self-assessments, third party accreditation audits, and supplier audits. The objective of these audits are to evaluate the operating effectiveness of the AWS quality management system. Self-assessments are performed periodically. Audits by third parties for accreditation are conducted to review the continued performance of AWS against standards-based criteria and to identify general improvement opportunities. Supplier audits are performed to assess the supplier’s potential for providing services or material that conform to AWS supply requirements. AWS maintains a documented schedule of all assessments to ensure implementation and operating effectiveness of the AWS control environment to meet various objectives. 

## Contract Reviews
<a name="contract-reviews"></a>

 AWS offers Services for sale under a standardized customer agreement that has been reviewed to ensure the Services are accurately represented, properly promoted, and fairly priced. Please contact your account team if you have questions about AWS service terms. 

## Corrective and Preventative Actions
<a name="corrective-and-preventative-actions"></a>

 AWS takes action to eliminate the cause of nonconformities within the scope of the quality management system, in order to prevent recurrence. The following procedure is followed when taking corrective and preventive actions: 

1.  Identify the specific nonconformities; 

1.  Determine the causes of nonconformities; 

1.  Evaluate the need for actions to ensure that nonconformities do not recur; 

1.  Determine and implement the corrective action(s) needed; 

1.  Record results of action(s) taken; 

1.  Review of the corrective action(s) taken. 

1.  Determine and implement preventive action needed; 

1.  Record results of action taken; and 

1.  Review of preventive action. 

 The records of corrective actions may be reviewed during regularly scheduled AWS management meetings. 

## Customer Complaints
<a name="customer-complaints"></a>

 AWS relies on procedures and specific metrics to support you. Customer reports and complaints are investigated and, where required, actions are taken to resolve them. You can contact AWS at [https://aws.amazon.com/contact-us/](https://aws.amazon.com/contact-us/), or speak directly with your account team for support. 

## Third-Party Management
<a name="third-party-management"></a>

 AWS maintains a supplier management team to foster third party relationships and monitor third party performance. SLAs and SLOs are implemented to monitor performance. 

 AWS creates and maintains written agreements with third parties (for example, contractors or vendors) in accordance with the work or service to be provided (for example, network services, service delivery, or information exchange) and implements appropriate relationship management mechanisms in line with their relationship to the business. AWS monitors the performance of third parties through periodic reviews using a risk based approach, which evaluate performance against contractual obligations. 

## Training Records
<a name="training-records"></a>

 Personnel at all levels of AWS are experienced and receive training in the skill areas of the jobs and other assigned training. Training needs are identified to ensure that training is continuously provided and is appropriate for each operation (process) affecting quality. Personnel required to work under special conditions or requiring specialized skills are trained to ensure their competency. Records of training and certification are maintained to verify that individuals have appropriate training. 

 AWS has developed, documented and disseminated role based security awareness training for employees responsible for designing, developing, implementing, operating, maintaining, and monitoring the system affecting security and availability and provides resources necessary for employees to fulfill their responsibilities. Training includes, but is not limited to the following information (when relevant to the employee’s role): 
+  Workforce conduct standards 
+  Candidate background screening procedures 
+  Clear desk policy and procedures 
+  Social engineering, phishing, and malware 
+  Data handling and protection 
+  Compliance commitments 
+  Use of AWS security tools 
+  Security precautions while traveling 
+  How to report security and availability failures, incidents, concerns, and other complaints to appropriate personnel 
+  How to recognize suspicious communications and anomalous behavior in organizational information systems 
+  Practical exercises that reinforce training objectives 
+  HIPAA responsibilities 

## Personnel Records
<a name="personnel-records"></a>

 AWS performs periodic formal evaluations of resourcing and staffing, including an assessment of employee qualification alignment with entity objectives. Personnel records are managed through an internal Amazon System. 

## Infrastructure Management
<a name="infrastructure-management"></a>

 The Infrastructure team maintains and operates a configuration management framework to address hardware scalability, availability, auditing, and security management. By centrally managing hosts through the use of automated processes that manage change, Amazon is able to achieve its goals of high availability, repeatability, scalability, security, and disaster recovery. Systems and network engineers monitor the status of these automated tools on a continuous basis, reviewing reports to respond to hosts that fail to obtain or update their configuration and software. 

 Internally developed configuration management software is installed when new hardware is provisioned. These tools are run on all UNIX hosts to validate that they are configured and that software is installed in compliance with standards determined by the role assigned to the host. This configuration management software also helps to regularly update packages that are already installed on the host. Only approved personnel enabled through the permissions service may log in to the central configuration management servers. AWS notifies you of certain changes to the AWS service offerings where appropriate. AWS continuously evolves and improves their existing services, frequently adding new Services or features to existing Services. Further, as AWS services are controlled using APIs, if AWS changes or discontinues any API used to make calls to the Services, AWS continues to offer the existing API for 12 months (as of this publication) to give you time to adjust accordingly. Additionally, AWS provides you with a Health Dashboard with service health and status information specific to your account, as well as a public Service Health Dashboard to provide all customers with the real-time operational status of AWS services at the regional level at [http://status.aws.amazon.com](http://status.aws.amazon.com). 

# Software Development
<a name="software-development"></a>

## Software Development Processes
<a name="software-development-processes"></a>

 The Project and Operation stages of the life cycle approach in GAMP, for instance, are reflected in the AWS information and activities surrounding organizational mechanisms to guide the development and configuration of the information system, including software development lifecycles and software change management. Elements of the organizational mechanisms include policies and standards, the code pathway, deployment, a change management tool, ongoing monitoring, security reviews, emergency changes, management of outsourced and unauthorized development and communication of changes to customers. 

 The software development lifecycle activities at AWS include the code development and change management processes at AWS which are centralized across AWS teams developing externally- and internally-facing code with processes applying to both internal and external service teams. Code deployed at AWS is developed and managed in a consistent process, regardless of its ultimate destination. There are several systems utilized in this process, including: 
+  A code management system used to assemble a code package as part of development. 
+  Internal source code repository. 
+  The hosting system in which AWS code pipelines are staged. 
+  The tool utilized for automating the testing, approval, deployment, and ongoing monitoring of code. 
+  A change management tool which breaks change workflows down into discrete, easy to manage steps and tracks change details. 
+  A monitoring service to detect unapproved changes to code or configurations in production systems. Any variances are escalated to the service owner/team. 

## Code Pathway
<a name="code-pathway"></a>

 The AWS Code Pathway steps to development and deployment are outlined below. This process is executed regardless of whether the code is net new or if it represents a change to an existing codebase. 

1.  Developer writes the code in an approved integrated development environment running on an AWS-managed developer desktop environment. The developer typically does an initial build and integration test prior to the next step. 

1.  The developer checks in the code for review to an internal source code repository. 

1.  The code goes through a Code Review Verification in which at least one additional person reviews the code and approves it. The list of approvals are stored in an immutable log that is retained within the code review tool. 

1.  The code is then built from source code to the appropriate type of deployable code package (which varies from language to language) in an internal build system. 

1.  After successful build, including successful passing of all integration tests, the code gets pushed to a test environment. 

1.  The code goes through automated integration and verification tests in the pre-production environments and upon successful testing the code is pushed to production. 

 AWS may implement open source code within its Services, but any such use of open source code is still subject to the approval, packaging, review, deployment, and monitoring processes described above. Open source software, including binary or machine-executable code and open source licenses, is additionally reviewed and approved prior to implementation. AWS maintains a list of approved open source, as well as open source that is prohibited. 

## Deployment and Testing
<a name="deployment-and-testing"></a>

 A pipeline represents the path approved code packages take from initial check-in through a series of automated (and potentially manual) steps to execution in production. The pipeline is where automation, testing, and approvals happen. 

 At AWS, the deployment tool is used to create, view, and enforce code pipelines. This tool is utilized to promote the latest approved revision of built code to the production environment. 

 A major factor in ensuring safe code deployment is deploying in controlled stages and requiring continuous approvals prior to pushing code to production. As part of the deployment process, pipelines are configured to release to test environments (e.g. “beta,” “gamma,” and others, as defined by the team) prior to pushing the code to the production environment. Automated quality testing (e.g. integration testing, structural testing, behavioral testing) is performed in these environments to ensure code is performing as anticipated. If code is found to deviate from standards, the release is halted and the team is notified of the need to review. 

 These development and test environments emulate the production environment and are used to properly assess and prepare for the impact of a change to the production environment. In order to reduce the risks of unauthorized access or change to the production environment, the development, test and production environments are all logically separated. 

 The tool additionally enforces phased deployment, if the code is to be deployed across multiple regions. Should a package include deployment for more than one AWS region, the pipeline will enforce deployment on a single-region basis. If the package were to fail integration tests at any region, the pipeline is halted and the team is notified for need to review. 

## Configuration and Change Management
<a name="configuration-and-change-management"></a>

 Configuration management is performed during information system design, development, implementation, and operation through the use of the AWS Change Management process. 

 Routine, emergency, and configuration changes to existing AWS infrastructure are authorized, logged, tested, approved, and documented in accordance with industry norms for similar systems. Updates to the AWS infrastructure are done to minimize any impact on you and your use of the services. 

## Software
<a name="software"></a>

 AWS applies a systematic approach to managing change so that changes to customer-impacting services are thoroughly reviewed, tested, approved, and well-communicated. The AWS change management process is designed to avoid unintended service disruptions and to maintain the integrity of service to you. Changes deployed into production environments are: 
+  Prepared: this includes scheduling, determining resources, creating notification lists, scoping dependencies, minimizing concurrent changes as well as a special process for emergent or long running changes. 
+  Submitted: this includes utilizing a Change Management Tool to document and request the change, determine potential impact, conduct a code review, create a detailed timeline and activity plan and develop a detailed rollback procedure. 
+  Reviewed and Approved: Peer reviews of the technical aspects of a change are required. Changes must be authorized in order to provide appropriate oversight and understanding of business and security impact. The configuration management process includes key organizational personnel that are responsible for reviewing and approving proposed changes to the information system. 
+  Tested: Changes being applied are tested to help ensure they will behave as expected and not adversely impact performance. 
+  Performed: This includes pre and post change notification, managing timeline, monitoring service health and metrics, and closing out the change 

 AWS service teams maintain a current authoritative baseline configuration for systems and devices. Change Management tickets are submitted before changes are deployed (unless it is an emergency change) and include impact analysis, security considerations, description, timeframe and approvals. Changes are pushed into production in a phased deployment starting with lowest impact areas. Deployments are tested on a single system and closely monitored so impacts can be evaluated. Service owners have a number of configurable metrics that measure the health of the service’s upstream dependencies. These metrics are closely monitored with thresholds and alarming in place. Rollback procedures are documented in the Change Management (CM) ticket. AWS service teams retain older versions of AWS baseline packages and configurations necessary to support rollback and previous versions are stored in the repository systems. Integration testing and the validation process is performed before rollbacks are implemented. When possible, changes are scheduled during regular change windows. 

 In addition to the preventative controls that are part of the pipeline (e.g. code review verifications, test environments), AWS also uses detective controls configured to alert and notify personnel when a change is detected that may have been made without standard procedure. AWS checks deployments to ensure that they have the appropriate reviews and approvals to be applied before the code is committed to production. Exceptions for reviews and approvals for production lead to automatic ticketing and notification of the service team. 

 After code is deployed to the Production environment, AWS performs ongoing monitoring of performance through a variety of monitoring processes. AWS host configuration settings are also monitored as part of vulnerability monitoring to validate compliance with AWS security standards. Audit trails of the changes are maintained. 

 Emergency changes to production systems that require deviations from standard change management procedures are associated with an incident and are logged and approved as appropriate. Periodically, AWS performs self-audits of changes to key services to monitor quality, maintain high standards, and facilitate continuous improvement of the change management process. Any exceptions are analyzed to determine the root cause, and appropriate actions are taken to bring the change into compliance or roll back the change if necessary. Actions are then taken to address and remediate the process or people issue. 

## Reviews
<a name="reviews"></a>

 AWS performs internal security reviews against Amazon security standards of externally launched products, services, and significant feature additions prior to launch to ensure security risks are identified and mitigated before deployment to a customer environment. AWS security reviews include evaluating the service’s design, threat model, and impact to AWS’ risk profile. A typical security review starts with a service team initiating a review request to the dedicated team and submitting detailed information about the artifacts being reviewed. Based on this information, AWS reviews the design and identifies security considerations; these considerations include, but are not limited to: appropriate use of encryption, analysis of data handling, regulatory considerations, and adherence to secure coding practices. Hardware, firmware and virtualization software also undergo security reviews, including a security review of the hardware design, actual implementation and final hardware samples. 

 Code package changes are subject to the following security activities: 
+  Full security assessment 
+  Threat modeling 
+  Security design reviews 
+  Secure code reviews (manual and automated methods) 
+  Security testing 
+  Vulnerability/penetration testing 

 Successful completion of the above mentioned activities are pre-requisites for Service launch. Development teams are responsible for the security of the features they develop that meet the security engineering principles. Infrastructure teams incorporate security principles into the configuration of servers and network devices with least privilege enforced throughout. Findings identified by AWS are categorized in terms of risk, and are tracked in an automated workflow tool. 

## Product Release
<a name="product-release"></a>

 For all AWS services, information can be found on the associated service website, which describes the key attributes of the Service and product details, as well as pricing information, developer resources (including release notes and developer tools), FAQs, blogs, presentations and additional documentation such as developer guides, API references, and use cases, where relevant ([https://aws.amazon.com/products/](https://aws.amazon.com/products/) ). 

## Customer Training
<a name="customer-training"></a>

 AWS has implemented various methods of external communication to support its customer base and the community. Mechanisms are in place to allow the customer support team to be notified of operational issues that impact your experience. A Service Health Dashboard is available and maintained by the customer support team to alert you to any issues that may be of broad impact. The AWS Cloud Security Center ([https://aws.amazon.com/security/](https://aws.amazon.com/security/)) and Healthcare and Life Sciences Center ([https://aws.amazon.com/health/](https://aws.amazon.com/health/)) is available to provide you with security and compliance details and Life Sciences related enablement information about AWS. You can also subscribe to AWS Support offerings that include direct communication with the customer support team and proactive alerts to any customer impacting issues. 

 AWS also has a series of training and certification programs ([https://www.aws.training/](https://www.aws.training/)) on a number of cloud-related topics in addition to a series of service and support offerings available through your AWS account team.