
Amazon Web Services Vendor Risk Assessment — Full Report

Before you share customer data with Amazon Web Services, your compliance team needs documented proof they can be trusted. ThirdProof investigated Amazon Web Services across 27 intelligence sources — here's what we found.

✓ FedRAMP Status: Authorized (High for AWS GovCloud (US); Moderate for commercial regions) — verified against marketplace.fedramp.gov

Risk Tier
Tier 3Moderate Risk
SOC 2
⚠ Vendor Attested
FedRAMP
✓ Authorized
Last Assessed
Apr 16, 2026
🟢 IP Reputation: abuse score 0%, 0 reports
🟡 SSL/TLS: TLSv1.3 (deep TLS analysis was unavailable this period; assessed via direct handshake only, see Data Coverage Notes)
🟢 Domain Age: 31.5 years
🟢 Infrastructure: 2 open ports, 0 CVEs
FedRAMP Status
Amazon Web Services is listed on the FedRAMP Marketplace as Authorized as of March 2026: AWS GovCloud (US) at the High impact level, AWS commercial regions at Moderate.
SOC 2 Status
Amazon Web Services has a SOC 2 claim detected on their trust page. Claim is vendor-attested — no public registry exists for independent verification.
Sanctions Screening
Amazon Web Services returned no matches in OFAC SDN, EU Consolidated, and UN sanctions screening.
Risk Tier
ThirdProof assigned Amazon Web Services a Tier 3 (Moderate Risk) tier with 100% confidence across 27 intelligence sources.

27 sources queried. 100% confidence. Every Amazon Web Services investigation produces both a risk report and an auto-filled security questionnaire — no vendor follow-up required.

Get Amazon Web Services's Full Report Free →
5 free investigations | Risk report + auto-filled questionnaire | Avg. 7 minutes

Certification & Compliance Status

Need a complete vendor security questionnaire?

Run a full ThirdProof investigation to get 133 security questions auto-filled with source evidence — ready for your next audit or vendor onboarding review.
FedRAMP Authorized (High)

Verified against the official FedRAMP Marketplace API as of March 2026.

AWS GovCloud (US) is authorized at the High impact level; AWS commercial regions are authorized at Moderate. Confirm that the specific services and regions you intend to use fall inside the relevant authorization boundary before relying on this status.

27 data sources queried per assessment
Reports generated in an average of 7 minutes
SHA-256 verified for audit integrity
Deterministic risk scoring — no AI guesswork
Tier 3: Moderate Risk

AWS Vendor Risk Assessment

Confidence Score: 100% (based on data availability and source coverage)
Sources Queried: 27
Sources With Data: 25
Last Assessed: April 16, 2026

Executive Summary

AI-generated analysis for AWS

Amazon Web Services (AWS), the cloud infrastructure division of Amazon.com, Inc., presents a Tier 3 (Moderate Risk) profile under ThirdProof's deterministic rule engine — a rating that reflects not fundamental security deficiencies, but specific transparency gaps that procurement and compliance teams should address before relying on AWS as an in-scope subservice organization. AWS demonstrates substantial strengths across nearly every independently verifiable security dimension:

Key Findings

  • **Domain integrity**: The aws.amazon.com domain, registered in November 1994, carries a fully clean reputation with no malware listings, no phishing flags, and a zero abuse confidence score across all scanned engines.
  • **Infrastructure posture**: Only two open ports (80 and 443) are exposed on the aws.amazon.com host, no CVEs were detected in the infrastructure scan, and TLS 1.3 is confirmed active with no weak protocols or ciphers. Note that this scan characterises the public website, not the service endpoints your workloads will actually call.
  • **Web security**: Mozilla HTTP Observatory returned a grade of A (95/100), with HSTS and X-Frame-Options headers correctly configured.
  • **FedRAMP**: AWS GovCloud is independently confirmed as FedRAMP Authorized at the High impact level via the FedRAMP Marketplace, the strongest independently verifiable compliance signal in this assessment.
  • **Sanctions and adverse media**: No sanctions matches, no SEC enforcement filings, and no adverse media signals were found across all queried sources in the past 12 months.
  • **Leadership**: A named CISO, Chris Betz (appointed August 2023), is publicly identified and responsible for AWS's security program.

Two findings warrant attention before this vendor is treated as fully cleared for in-scope use. First, no publicly crawlable AI data usage policy was discovered — a meaningful gap given AWS's expanding portfolio of AI and machine learning services (Amazon Bedrock, SageMaker, CodeWhisperer). Procurement teams relying on AWS for AI workloads should request the vendor's Data Protection Addendum or AI-specific service terms directly. Second, the vendor's compliance page claims PCI DSS certification, but independent registry verification returned no confirming entry — this is a cross-source contradiction (CONTRA-001) that should be resolved by requesting the current AWS PCI DSS Attestation of Compliance (AoC) directly from the vendor or via AWS Artifact.

Overall, AWS is one of the most extensively audited cloud platforms in the world, and the Tier 3 rating reflects documentation transparency gaps rather than evidence of security weakness. A conditional approval posture is appropriate: the two open findings are resolvable through direct vendor engagement, and neither represents a structural security concern.
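The web-security bullet above reports an HTTP Observatory grade and correctly configured HSTS and X-Frame-Options headers. If you want to reproduce that part of the check yourself (for example, on your own TLS endpoints or on a vendor's before accepting a third party's grade), the following is an added example written for this page; it is not ThirdProof's scanner and not Mozilla Observatory's rubric. The pass/fail thresholds (a six-month HSTS floor, DENY/SAMEORIGIN or CSP frame-ancestors for clickjacking, nosniff, no version-bearing Server header) are a simplified approximation chosen for the example, and the two header sets are constructed inline so the code runs offline.

```python
"""Evaluate HTTP response headers for the controls a web-security scan cites.

Added example for this page: not ThirdProof's scanner and not the Mozilla
Observatory rubric. The rules below are a simplified approximation (assumption).
"""
from __future__ import annotations

# Constructed sample headers (not captured from any real host).
SAMPLE_OK = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
SAMPLE_WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",          # not a valid XFO value
    "Server": "Apache/2.4.41 (Ubuntu)",     # leaks a version string
}

MIN_HSTS_AGE = 180 * 24 * 3600  # six months; the HSTS preload list's floor


def parse_hsts(value: str) -> dict:
    """Split an HSTS header into directives; max-age is returned as an int,
    flag directives (includeSubDomains, preload) as True. Names are lowercased."""
    out: dict = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        out[name] = int(val.strip().strip('"')) if name == "max-age" and val else True
    return out


def evaluate_headers(headers: dict) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: list[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        d = parse_hsts(hsts)
        age = d.get("max-age", 0)
        if age < MIN_HSTS_AGE:
            findings.append(f"HSTS: max-age {age} below {MIN_HSTS_AGE}")
        if "includesubdomains" not in d:
            findings.append("HSTS: includeSubDomains not set")

    # Clickjacking: CSP frame-ancestors supersedes XFO; accept either, reject both missing.
    xfo = h.get("x-frame-options", "").strip().upper()
    csp = h.get("content-security-policy", "")
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("Clickjacking: neither CSP frame-ancestors nor a valid X-Frame-Options")

    if not csp:
        findings.append("CSP: header missing")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set")
    if "server" in h and any(ch.isdigit() for ch in h["server"]):
        findings.append(f"Server header leaks version: {h['server']}")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("ok", SAMPLE_OK), ("weak", SAMPLE_WEAK)):
        print(label, evaluate_headers(hdrs) or ["all checks passed"])
```

To run it against a live endpoint, feed `evaluate_headers` the header mapping from your HTTP client (for example `requests.head(url).headers`), keeping in mind that a single host can serve different headers per path and per redirect hop.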

Independence Statement

All evidence used in this assessment was independently sourced from external data registries, threat intelligence feeds, DNS/TLS analysis, public compliance registries, and open-web media scans — without vendor participation, self-submission, or sponsored input.

Investigation Findings

4 findings identified for AWS

3 medium, 1 low
medium

Tech Community Discussion: operational

Two Hacker News stories about Amazon Web Services were classified as operational. Top story: "AWS outage shows internet users 'at mercy' of too few providers, experts say" (258 points).

medium

New Web Presence (< 1 year)

aws.amazon.com first appeared less than 1 year ago (2026-02-05) according to the web archive scan provider. This is an artifact of the scan methodology rather than a real signal: the WHOIS record independently shows registration in November 1994 (see Data Coverage Notes), so this finding should be discounted when weighing the overall tier.

medium

AI Data Usage Policy Not Discoverable at Standard Paths

An AI-specific data usage policy was not discoverable for aws.amazon.com through automated scanning of common policy paths and web search. The vendor may publish relevant data handling commitments in enterprise agreement documents (DPAs, product terms, licensing portals) that are not indexed at standard public URLs. Request the vendor's Data Protection Addendum or AI-specific terms directly.

low

No Email Infrastructure

aws.amazon.com has no MX records and therefore cannot receive email at that hostname. This is a property of the website subdomain, not of Amazon's corporate mail infrastructure.

Security Strengths

30 positive signals verified

  • FedRAMP Authorization Independently Verified (Trust & Compliance Page Scan)
  • Legal Entity Actively Registered (Business Registration)
  • Sanctions Data Incomplete (Sanctions & Watchlist Screening)
  • Low-Confidence Sanctions Matches Only (Sanctions & Watchlist Screening)
  • No Adverse Media Found (Adverse Media Scan)
  • No Adverse Media Signals (Adverse Media Scan (Fallback))
  • Firmographic Data Available (Company Intelligence)
  • Valid SSL Certificate (Domain Analysis)
  • 2 Open Ports Detected (Infrastructure Exposure)
  • Established Domain (31+ years) (Domain Registration)
  • Clean domain reputation (Threat Intelligence)
  • Tech Community Discussion: security (Tech Community Sentiment)
  • HTTP Security Grade: A (HTTP Security Scan)
  • Certificate Data from TLS Handshake (Certificate Transparency)
  • No Threat Intelligence Pulses (Threat Intelligence (OTX))
  • Clean IP Reputation (IP Reputation)
  • Clean Safe Browsing Status (Malware & Phishing Check)
  • Clean Website Security Scan (Website Security Scan)
  • Certification Claimed: PCI DSS (Trust & Compliance Page Scan)
  • Certification Claimed: HIPAA (Trust & Compliance Page Scan)
  • Certification Claimed: GDPR (Trust & Compliance Page Scan)
  • Certification Claimed: NIST (Trust & Compliance Page Scan)
  • Not Found as FDIC-Insured Institution (FDIC Institution Check)
  • No SEC Enforcement Filings Found (SEC Filing Search)
  • No Historical Adverse Media Found (Historical Media Search)
  • HITRUST Directory Match — Manual Verification Required (Certification Registry Verification)
  • SOC 2 Compliance Claimed on Trust Page (Certification Registry Verification)
  • FedRAMP Authorization Confirmed (Cross-Source) (Certification Registry Verification)
  • Deep Document Crawler Results (Deep Document Analysis)

Recommended Actions

Steps to address findings for AWS

  1. Resolve CONTRA-001 (PCI DSS): Obtain the current AWS PCI DSS Attestation of Compliance (AoC) via AWS Artifact (https://aws.amazon.com/artifact) — log in with your AWS account, navigate to 'Reports', and download the PCI DSS AoC. Retain for your own PCI audit evidence file. Complete within 30 days.
  2. Resolve rf-2 (AI Policy Gap): Contact your AWS account team and request (a) the current AWS Data Protection Addendum, (b) Amazon Bedrock and SageMaker data handling documentation, and (c) written confirmation of whether AWS trains AI/ML models on customer data submitted through in-scope services. Retain all responses for SOC 2 CC9.2 evidence.
  3. Obtain the current AWS SOC 2 Type II report via AWS Artifact — navigate to the 'Reports' section after logging in with your AWS account credentials. Confirm the report period covers the current audit cycle and request a bridge letter if the report is older than 12 months. SOC 2 reports are confidential and have no public registry; direct vendor access is the only path to verification.
  4. Document Complementary User Entity Controls (CUECs): If AWS is within your SOC 2 audit boundary (likely for IaaS/PaaS deployments), work with your auditor to identify and document required CUECs — controls your organization must implement that are assumed by AWS's own SOC 2 controls (e.g., customer IAM policy configuration, encryption key management, CloudTrail logging enablement). AWS publishes CUEC guidance via its shared responsibility model documentation at https://aws.amazon.com/compliance/shared-responsibility-model/.
  5. Verify ISO 27001 status manually: AWS may hold ISO 27001 certification under entity names not matched by the automated registry scan. Request the current ISO 27001 certificate directly from your AWS account team or check AWS Artifact. Confirm the certificate expiry date and the scope of covered services.
  6. Review subprocessor completeness: The automated scan identified only 1 subprocessor (Twitch Interactive, Inc.) on the published page at https://aws.amazon.com/compliance/sub-processors/ — review this page directly and cross-reference with service-specific DPAs to ensure complete subprocessor coverage for services in scope. For GDPR Article 28 compliance, confirm the DPA covers all relevant sub-processors.
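Step 4 names three CUECs your side of the shared responsibility model has to evidence: IAM policy configuration, encryption key management and CloudTrail logging enablement. Documenting them is a paperwork exercise, but you can also test them mechanically before the auditor asks. The following is an added example written for this page, not AWS's or ThirdProof's code. The trail dictionaries mirror the shape of boto3 `cloudtrail.describe_trails()` (`trailList`) and `get_trail_status()` output, and the policy documents are standard IAM JSON; all of them are constructed inline here so the code runs offline (assumption: in practice you pass the real API responses to the same functions). The IAM check deliberately looks only at `Allow` statements with `Action: "*"` on `Resource: "*"` and ignores `NotAction` and `Condition` (an assumption stated in the code), so treat a clean result as a floor, not a full policy review.

```python
"""Mechanical checks for three CUECs: CloudTrail enabled and tamper-evident,
customer-managed KMS key on the trail, and no admin-wide IAM wildcards.

Added example for this page, not AWS or ThirdProof code. Inputs mirror boto3
cloudtrail.describe_trails()/get_trail_status() and IAM policy JSON but are
constructed inline (assumption: feed real API responses the same way).
"""
from __future__ import annotations
import json

# Constructed sample: one healthy organization trail, one neglected dev trail.
SAMPLE_TRAILS = [
    {
        "Name": "org-trail",
        "IsMultiRegionTrail": True,
        "LogFileValidationEnabled": True,
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/example-key-id",
        "S3BucketName": "example-cloudtrail-bucket",
    },
    {
        "Name": "dev-trail",
        "IsMultiRegionTrail": False,
        "LogFileValidationEnabled": False,
        "S3BucketName": "dev-bucket",
    },
]
# Constructed get_trail_status() results keyed by trail name.
SAMPLE_STATUS = {"org-trail": {"IsLogging": True}, "dev-trail": {"IsLogging": False}}

# Constructed IAM policy documents.
POLICY_ADMIN_WILDCARD = json.loads(
    '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}'
)
POLICY_SCOPED = json.loads(
    '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:GetObject"],'
    '"Resource":"arn:aws:s3:::example-bucket/*"}]}'
)


def evaluate_trails(trails: list[dict], status: dict) -> list[str]:
    """One line per non-compliant trail; a leading summary line if no trail
    satisfies all four controls (multi-region, validation, KMS key, logging)."""
    findings: list[str] = []
    compliant = False
    for t in trails:
        name = t["Name"]
        problems = []
        if not t.get("IsMultiRegionTrail"):
            problems.append("single-region")
        if not t.get("LogFileValidationEnabled"):
            problems.append("log file validation off")
        if not t.get("KmsKeyId"):
            problems.append("no KMS key (SSE-S3 default)")
        if not status.get(name, {}).get("IsLogging"):
            problems.append("not currently logging")
        if problems:
            findings.append(f"{name}: " + ", ".join(problems))
        else:
            compliant = True
    if not compliant:
        findings.insert(0, "no trail satisfies all controls")
    return findings


def _as_list(x):
    """IAM allows a string or a list for Statement, Action and Resource."""
    return x if isinstance(x, list) else [x]


def find_wildcard_statements(policy: dict) -> list[int]:
    """Indices of Allow statements granting Action "*" on Resource "*".
    Assumption: NotAction and Condition are not evaluated here."""
    hits: list[int] = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if "*" in _as_list(st.get("Action", [])) and "*" in _as_list(st.get("Resource", [])):
            hits.append(i)
    return hits


if __name__ == "__main__":
    print(evaluate_trails(SAMPLE_TRAILS, SAMPLE_STATUS) or ["all trails compliant"])
    print("admin wildcard statements:", find_wildcard_statements(POLICY_ADMIN_WILDCARD))
    print("scoped policy wildcards:", find_wildcard_statements(POLICY_SCOPED))
```

Keeping the evaluation separate from the API calls is what makes this useful as audit evidence: the same functions run unchanged in CI against saved `describe_trails` output, so the check that produced the evidence is itself reviewable.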

Intelligence Sources Queried

27 sources in this assessment

25 of 27 sources returned data
IP Reputation
AI Data Usage Policy
Threat Intelligence (OTX)
Adverse Media Scan
Certification Registry Verification
Deep Document Analysis
Domain Analysis
FDIC Institution Check
Business Registration
Historical Media Search
Tech Community Sentiment
Company Intelligence
Adverse Media Scan (Fallback)
HTTP Security Scan
Sanctions & Watchlist Screening
Malware & Phishing Check
SEC Filing Search
Infrastructure Exposure
SSL/TLS Analysis
Supply Chain & Subprocessor Discovery
Trust & Compliance Page Scan
Website Security Scan
Threat Intelligence
Web Archive History
Domain Registration
Certificate Transparency
AI Research Agent

Data Coverage Notes

Some data sources may have had limited availability during this assessment. This does not reflect negatively on the vendor.

  • Certificate Transparency log data (Certificate Transparency service) was partially unavailable; certificate information was derived from a direct TLS handshake rather than full CT log enumeration, meaning subdomain certificate coverage may be incomplete.
  • Web archive history for aws.amazon.com returned a first-seen date of February 2026 via the automated scan provider — this is an artifact of the scan methodology and does not reflect actual domain age (registered 1994); the WHOIS record independently confirms 31+ years of registration.
  • ISO 27001 certification status returned 'not_found' in the IAF CertSearch registry; AWS may hold ISO 27001 certificates under entity names not matched by the automated search. Manual verification with the vendor or their certification body is recommended.
  • HITRUST certification returned an 'unconfirmed' match with 90% confidence — specific AWS services appear to have been assessed under the HITRUST CSF v11 program, but automated matching was insufficient to confirm certification status. Direct verification with the HITRUST Alliance or via AWS Artifact is recommended.
  • The AI data usage policy scan was unable to locate a publicly crawlable policy document; AWS may publish AI data handling commitments in enterprise agreement documents (DPAs, service-specific terms) not accessible to automated scanning.
  • The subprocessor page at aws.amazon.com returned only 1 listed subprocessor (Twitch Interactive, Inc.) — this likely reflects a narrow scope of the scanned page rather than the full AWS subprocessor ecosystem. AWS operates a large third-party supply chain that may be documented across additional pages or service-specific addenda.
  • SSL/TLS analysis service deep analysis data was not available for aws.amazon.com during this assessment period; TLS configuration was assessed via direct handshake and web security scanning service results only.
183+ vendors assessed | 98% average confidence | <2 min time to report
What a ThirdProof assessment covers

Sanctions Screening

Is Amazon Web Services on any OFAC, EU, or UN sanctions list? Are any officers or affiliates flagged?

Cyber Risk Assessment

What is Amazon Web Services's security posture? Threat intelligence scanning, known vulnerabilities, and security header analysis.

Business Registration

Is Amazon Web Services a legitimately registered business entity? Corporate status, jurisdiction, and officer verification.

Adverse Media Analysis

Has Amazon Web Services appeared in negative news coverage? Data breaches, lawsuits, regulatory actions, and complaints.

Domain & Infrastructure

Is Amazon Web Services's website secure? TLS configuration, DNS hygiene, security headers, and domain age analysis.

Company Intelligence

What are Amazon Web Services's firmographics? Employee count, industry classification, technology stack, and corporate structure.

Trust & Compliance Verification

Does Amazon Web Services claim SOC 2, ISO 27001, HITRUST, or FedRAMP? ThirdProof scans trust pages for certification claims and cross-references the FedRAMP public registry for independent verification.

Supply Chain & Subprocessor Discovery

Who does Amazon Web Services depend on? ThirdProof discovers subprocessors from vendor-published pages and runs sanctions screening and safe browsing checks against each one.

Regulatory & Financial Filings

Has Amazon Web Services appeared in SEC enforcement filings? Is it associated with any FDIC bank failures? ThirdProof searches regulatory databases with entity verification to confirm attribution.

Full methodology, rule engine, and AI disclosure: /methodology

Seeing this in an audit? ThirdProof lets you investigate Amazon Web Services and every other vendor in your stack — average report time: 7 minutes. Get Amazon Web Services's Full Report Free →

Frequently asked about Amazon Web Services

Is Amazon Web Services FedRAMP authorized?
Yes. As of April 2026, AWS GovCloud (US) holds FedRAMP High authorization and AWS commercial regions hold FedRAMP Moderate authorization, per the FedRAMP Marketplace.
Does Amazon Web Services have SOC 2 Type II?
A SOC 2 claim was detected on the AWS trust page, but it is vendor-attested and the Type II designation is not independently confirmed; obtain the report via AWS Artifact. Rated Tier 3 (Moderate Risk). See all 4 findings →
Is Amazon Web Services on the OFAC sanctions list?
Amazon Web Services returned no matches in ThirdProof's OFAC SDN, EU Consolidated, and UN sanctions screening as of April 2026.
What is Amazon Web Services's vendor risk tier?
ThirdProof assigned Amazon Web Services a risk tier of Tier 3 (Moderate Risk) with 100% confidence based on assessment across 27 intelligence sources as of April 2026.
Can I get an auto-filled security questionnaire for Amazon Web Services?
Yes. Every ThirdProof investigation of Amazon Web Services produces two deliverables: an audit-ready risk report and a 133-question security questionnaire pre-filled with evidence from 27 independent sources. The questionnaire is mapped to SIG, SOC 2, HIPAA, PCI DSS and 9 other frameworks — answered without sending Amazon Web Services a single email or waiting for a vendor response.
Is Amazon Web Services safe to use as a vendor?
Amazon Web Services is a cloud infrastructure vendor that handles organizational workloads and data. Safety depends on their current security posture, certification status, and how they handle your specific data. ThirdProof automates this evaluation across 27 intelligence sources — sanctions databases (OFAC, EU, UN), business registration verification, adverse media scanning, and cyber risk assessment — producing a deterministic risk tier with confidence score plus an auto-filled security questionnaire. Run a free investigation to see Amazon Web Services's full risk profile.
Does Amazon Web Services have SOC 2 certification?
SOC 2 is claimed on the AWS trust page alongside PCI DSS, HIPAA, GDPR and NIST claims; of the certifications checked, only FedRAMP was independently verified against a public registry. Rated Tier 3 (Moderate Risk). See all 4 findings →
Has Amazon Web Services had any data breaches?
Data breach history is an important signal for any vendor, particularly cloud infrastructure platforms like Amazon Web Services that handle organizational workloads and data. ThirdProof's adverse media analysis searches multiple news APIs and public records for data breaches, security incidents, lawsuits, regulatory enforcement actions, and financial distress signals. Each finding is linked to its original source with severity classification.
Is Amazon Web Services on any sanctions lists?
Sanctions screening is standard due diligence for cloud infrastructure vendors. ThirdProof screens Amazon Web Services against OFAC SDN, consolidated international sanctions lists, and PEP databases. The screening uses entity name verification to reduce false positives. If Amazon Web Services or any associated officers appear on a sanctions list, this triggers automatic escalation to the highest risk tier.
How do I assess Amazon Web Services for vendor risk?
Assessing Amazon Web Services as a cloud infrastructure vendor involves verifying SOC 2 Type II, ISO 27001, and FedRAMP compliance, reviewing their subprocessor chain, and checking sanctions exposure. ThirdProof automates this across 27 intelligence sources in an average of 7 minutes — no questionnaires or vendor participation required. Your first 5 investigations are free.
How long does a ThirdProof assessment take?
A ThirdProof assessment completes in an average of 7 minutes. 27 intelligence sources are queried in parallel — sanctions databases, business registries, threat intelligence feeds, certificate transparency logs, and more. The result is a deterministic risk tier with confidence score and audit-ready PDF report.
Is ThirdProof free?
ThirdProof offers 5 free vendor assessments with no credit card required. Each assessment includes the full report — risk tier, confidence score, individual findings, executive summary, and PDF export. Paid plans start at $399/month for teams that need ongoing vendor monitoring.
Can I use a ThirdProof report as SOC 2 audit evidence?
Yes. ThirdProof reports are designed to satisfy SOC 2 CC9.2 (vendor risk management) requirements. Each report includes SHA-256 integrity verification, methodology disclosure, source attribution for every finding, and AI content labeling. Auditors can independently verify the report's authenticity and trace each finding to its original source.
How is ThirdProof different from a security questionnaire?
Security questionnaires require vendor participation, take weeks, and produce self-reported answers. ThirdProof queries 27 independent intelligence sources — no vendor involvement needed. Risk tiers are assigned by a deterministic rules engine (not AI opinion), and every finding links to its original source. You get an audit-ready report in an average of 7 minutes instead of waiting weeks for a questionnaire response.

Amazon Web Services is in your vendor stack. Can you prove you assessed them?

SOC 2 CC9.2, HIPAA, PCI-DSS, and CMMC all require documented vendor due diligence — not just knowing the answer, but having audit-ready evidence you verified it. Most compliance teams can't produce that documentation on demand.

ThirdProof investigates Amazon Web Services across 27 intelligence sources in an average of 7 minutes — sanctions screening, cyber posture, SOC 2 verification, FedRAMP status, and more. Every investigation produces two deliverables: an audit-ready risk report and an auto-filled security questionnaire your prospects and auditors expect to see.

✓ 5 free investigations | ✓ Risk report + auto-filled questionnaire | ✓ No credit card required | ✓ Average report time: 7 minutes

Replaces $600–$900 in manual compliance consulting time per vendor assessed.