
AWS cloud considerations - AWS Prescriptive Guidance

AWS cloud considerations

Shared responsibility model

Security and compliance are shared responsibilities between AWS and you. Under the AWS Shared Responsibility Model, AWS is responsible for the security of the cloud infrastructure, and you are responsible for security in the cloud, including meeting CMMC requirements for your workloads. AWS maintains its own compliance certifications, including FedRAMP High authorization for AWS GovCloud (US) and FedRAMP Moderate authorization for US East/West commercial Regions. Through AWS Artifact, you can access the AWS CMMC Customer Package, which documents the controls AWS implements on your behalf, helping reduce the number of controls you need to fully implement and evidence yourself.

Control inheritance model

The AWS CMMC Customer Responsibility Matrix (CRM) categorizes all 110 NIST SP 800-171 Rev. 2 requirements into three inheritance types:

| Inheritance type | Count | Description |
| --- | --- | --- |
| Inheritable | 21 | AWS satisfies the requirement entirely if implemented correctly. You must still document the inheritance in your SSP via the CRM. |
| Partial | 79 | Shared responsibility. AWS provides infrastructure-level controls; you must configure, operate, and evidence your portion. |
| Customer Only | 10 | No AWS service coverage. Requires your organizational policies, procedures, or non-AWS technology. |

The 21 inheritable controls include all 6 Physical Protection (PE) practices, 8 of 9 Media Protection (MP) practices, 5 Maintenance (MA) practices, and 2 Access Control (AC) practices. When you deploy on AWS, these controls are inherited under the shared responsibility model, provided the conditions stated in the CRM are met. AWS maintains FedRAMP-authorized controls for these areas. You document this inheritance in your SSP and provide your assessor with the AWS CMMC Customer Package from AWS Artifact as evidence.

The 10 customer-only controls cannot be solved through AWS configuration alone:

| Control | Requirement | What you must implement |
| --- | --- | --- |
| AC.L2-3.1.8 | Unsuccessful logon attempts | Account lockout policy and mechanism |
| AC.L2-3.1.18 | Mobile device connection | Mobile device management policy |
| AC.L2-3.1.19 | Encrypt CUI on mobile devices | Mobile encryption enforcement |
| AC.L2-3.1.21 | Portable storage use | Removable media policy |
| IA.L2-3.5.7 | Password complexity | Password policy (may be configured in IAM) |
| IA.L2-3.5.8 | Password reuse prohibition | Password history policy (may be configured in IAM) |
| IA.L2-3.5.9 | Temporary password use | Temporary credential procedures |
| SC.L2-3.13.7 | Split tunneling prevention | VPN/network configuration |
| SC.L2-3.13.12 | Collaborative device control | Policy for cameras, microphones, displays |
| SC.L2-3.13.14 | Voice/video protection | Encryption for communications |

For the 79 partially inheritable controls, the CRM specifies what AWS provides and what you must implement. When building your SSP control narratives, reference the CRM "AWS Implementation Details" and "Customer Implementation Expectations" columns to accurately delineate responsibilities.

Automation

With automation, you can implement infrastructure and application changes without manual intervention. You should also automate the security and compliance controls to the greatest extent possible so that evidence collection and monitoring operate continuously alongside your workloads. Automation also helps detect when controls drift from their intended configuration so that you can implement remediation steps in near real time.
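The customer-only table above notes that IA.L2-3.5.7 and IA.L2-3.5.8 can be configured in IAM, and this section asks for automated drift detection. The following added example (not AWS code or part of the CRM) checks the IAM account password policy against an organization's expectations and reports drift per control; the threshold values, the `EXPECTATIONS` mapping and `SAMPLE_POLICY` are constructed assumptions, while the policy keys are those returned by IAM `get-account-password-policy`.

```python
"""Drift check for the IAM account password policy, keyed to the two
customer-only IA controls the CRM says may be configured in IAM."""
from __future__ import annotations

# Expected settings per practice. Thresholds are assumed for illustration;
# the real numbers come from your organization's written password policy.
EXPECTATIONS = {
    "IA.L2-3.5.7": {  # password complexity
        "MinimumPasswordLength": 14,
        "RequireUppercaseCharacters": True,
        "RequireLowercaseCharacters": True,
        "RequireNumbers": True,
        "RequireSymbols": True,
    },
    "IA.L2-3.5.8": {  # password reuse prohibition
        "PasswordReusePrevention": 24,
    },
}

def evaluate_password_policy(policy: dict | None) -> list[str]:
    """Return one finding per unmet expectation; an empty list means no drift.
    `policy` is the PasswordPolicy mapping from get-account-password-policy,
    or None when the account has no password policy at all."""
    if policy is None:
        return [f"{c}: no account password policy configured" for c in EXPECTATIONS]
    findings = []
    for control, expected in EXPECTATIONS.items():
        for key, want in expected.items():
            have = policy.get(key)
            # booleans must match exactly; integers are minimums
            ok = have is True if isinstance(want, bool) else (isinstance(have, int) and have >= want)
            if not ok:
                findings.append(f"{control}: {key} is {have!r}, expected {want!r}")
    return findings

def fetch_live_policy() -> dict | None:
    """Read the real policy with boto3 (assumes AWS credentials are configured)."""
    import boto3  # imported lazily so the evaluator runs offline without it
    iam = boto3.client("iam")
    try:
        return iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        return None  # no policy set: every expectation is a finding

# Constructed sample: complexity is met, but reuse prevention has drifted
SAMPLE_POLICY = {
    "MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": True,
    "MaxPasswordAge": 90, "PasswordReusePrevention": 5, "HardExpiry": False,
}

if __name__ == "__main__":
    for finding in evaluate_password_policy(SAMPLE_POLICY):
        print(finding)
```

Run on a schedule (for example from a Lambda function) and forward the findings list to your ticketing or alerting system, so the output doubles as dated evidence for the SSP.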