AWS says it has completed the S&P Global Know Your Third Party assessment of its security posture. The report is now available for customers that use KY3P as part of third-party supplier due diligence.
The practical point is simple. Large cloud providers are now core suppliers for many regulated firms. Those firms still have to show auditors and regulators that they understand the risks in their supplier chain. A standardized assessment can reduce repeated evidence requests and make control review less manual.
It does not remove the need for risk ownership. It gives customers another structured artifact to use when they assess AWS as a third party.
What AWS announced#
AWS published that it has completed its annual KY3P security posture assessment. KY3P is the S&P Global Know Your Third Party assessment, also known as the S&P Global Comprehensive Assessment. It was formerly known as TruSight.
AWS describes KY3P as a validated, evidence-based assessment designed to support regulatory compliance and standardized risk data exchange between AWS and its clients.
The important distinction is in the type of review. AWS says KY3P validates the actual implementation and operation of controls, not only policies or attestations. That matters because supplier reviews often get stuck at the document layer: policies, summaries, certifications, and self-descriptions. KY3P is positioned as a more structured assessment of operating controls.
According to AWS, the assessment was conducted by KY3P security assessors. The methodology includes more than 200 controls across 26 control categories and nine risk domains.
AWS names several covered areas, including:
- Privacy
- Network Management
- Logical Access Management
- Physical and Environmental Security
The assessment criteria were developed by a consortium of leading financial institutions, according to the AWS post.
Why this matters for regulated customers#
Cloud adoption has changed third-party risk management. For many organizations, AWS is not just another vendor. It is part of the operating base for applications, data workflows, security tooling, analytics, customer platforms, and internal systems.
That creates a tension.
Regulated firms, especially in financial services, are expected to exercise due diligence over critical third parties. But cloud platforms are broad, complex, and shared across many customers. A single customer cannot inspect a hyperscale cloud provider the same way it might inspect a small software vendor or a managed service provider.
This is where standardized assessments become useful. They give customers a common evidence package to review. They also reduce the burden on both sides: customers do not have to request the same baseline material one by one, and AWS does not have to answer entirely bespoke questionnaires for every overlapping control area.
The value is operational as much as regulatory. Supplier risk teams need consistent inputs. Security teams need control coverage detail. Audit teams need evidence that maps to known frameworks. Procurement and governance teams need something they can compare across suppliers.
AWS says customers can use the KY3P results to map AWS controls against commonly used frameworks and standards, including NIST CSF v2, PCI DSS 4.0, and ISO 27001:2022. That mapping can help teams understand control coverage faster, especially when they already organize their internal risk programs around those frameworks.
What the report can and cannot do#
A KY3P assessment can help with due diligence. It is not the same as a guarantee that a customer’s own AWS environment is secure.
That line matters.
The assessment concerns AWS’s security posture and control implementation in the assessed scope. A customer still has to evaluate its own architecture, account configuration, identity model, data handling, logging, incident response, vendor criticality, and regulatory obligations.
In cloud risk, shared responsibility still applies. A supplier assessment can tell you more about the provider’s controls. It does not tell you whether your S3 buckets, IAM roles, workloads, network paths, key management practices, or monitoring setup are appropriate for your threat model.
It also should not be treated as a replacement for internal review. The better use is as a high-quality input into a risk process. Teams can use it to answer standard control questions, identify areas where AWS evidence already exists, and focus their own review on customer-specific exposure.
There is also a scope question. AWS’s blog post summarizes the assessment and says customers can access the report, but the public post does not reproduce the full report or all test details. Customers should read the actual KY3P material and confirm the covered services, control scope, date, assumptions, and any limitations.
How teams can use it#
For security, compliance, and vendor risk teams, the immediate action is not to treat this as news to archive. It is to decide whether the report should become part of the supplier record for AWS.
A practical workflow looks like this:
- Add the KY3P report to the AWS vendor due-diligence file.
- Compare its control mappings with the frameworks your organization already uses.
- Identify which questionnaire items can be satisfied by the report.
- Separate provider-control evidence from customer-configuration evidence.
- Note any gaps, scope limits, or areas requiring AWS-specific follow-up.
- Align the report date with your review cycle and renewal process.
This is especially useful for organizations that maintain multiple overlapping supplier questionnaires. If the KY3P report answers a control area with validated evidence, teams can reduce duplicate review work and reserve deeper analysis for risk areas that are not covered.
The report may also help internal conversations. Cloud security teams often have to explain to governance teams what AWS controls, what the customer controls, and where assurance evidence exists. A recognized third-party assessment can make that conversation less subjective.
What to check next#
Customers that rely on AWS for regulated workloads should check how to access the KY3P report through AWS’s compliance or security documentation channels. AWS’s post points readers to details on access and to its broader compliance and security programs, including the AWS Security Reference Architecture.
Before relying on the report, teams should confirm a few basics:
- Is your organization already using KY3P or S&P Global third-party risk workflows?
- Does the report cover the AWS services relevant to your environment?
- Which control domains map cleanly to your regulatory obligations?
- Which risks remain customer-owned under the shared responsibility model?
- Does the assessment timing align with your audit period?
The useful outcome is not a new badge for AWS. It is a cleaner evidence path for customers that must show supplier due diligence. For regulated firms, that can reduce friction. For everyone else, it is still a reminder: cloud risk is not only technical. It is also documentary, procedural, and auditable.