Hello,
In performing vendor due diligence, do you ask for the vendor's/3rd-party service provider's AWS Trusted Advisor report? With more use of AWS, it is too easy for vendors to just submit Amazon's AWS SOC 2 report and feel that they have satisfied the security/risk assessment.
Have you had experiences where vendors refuse to provide it? Or vendors stating that their AWS subscription does not include the Trusted Advisor report?
Any insight would be helpful as security professionals/auditors try to review this black box.
Thanks
I would only accept AWS's SOC 2 (or any of their other certs) for items in the shared responsibility model that are AWS's responsibility. Physical access is at the bottom, and it goes up from there depending on what services your vendor is using to deliver their product. As we have seen recently, AWS's compliance with standards doesn't prevent a customer of theirs from not securing their S3 buckets, or running unpatched software on EC2 instances, or any one of a myriad of other issues that are not AWS's responsibility.
A Trusted Advisor report? Maybe not a bad idea; at least it would show that you want more than the AWS certs, and open up the conversation. Depending on how much leverage you have, you can also ask them to fill out something like the CSA CAIQ, or another survey. I like the CSA one because it's free to use, and a good cross-section of items.