Esquema Nacional de Seguridad High

FAQs

• What is the ENS High certification?

  The ENS (Esquema Nacional de Seguridad) accreditation scheme has been developed by the Ministry of Finance and Public Administration and the CCN (National Cryptologic Centre). This comprises of basic principles and minimum requirements necessary for the adequate protection of information.

  To achieve ENS High certification, AWS was successfully audited by an accredited independent assessor.

• Who created the ENS High standard?

  The ENS (Esquema Nacional de Seguridad) is a Spanish certification that was developed as part of Royal Decree 311/2022 on May 3rd 2022. Royal Decree 311/2022 was published in accordance to the earlier Spanish decrees, Royal Decree 3/2010 and Royal Decree 421/2004, which provided the National Cryptologic Centre the functionality to create and disseminate the standards, guides, and recommendations relating to information security.

  The current ENS standard was designed and released by the Spanish National Cryptologic Centre and establishes security measures that service providers must adhere to so Spanish government agencies and customers meet the requirements set forth by Royal Decree 311/2022.

• Which AWS Regions are covered by the ENS High certification?

  ENS High covers 31 AWS Regions worldwide, including Spain. The detailed AWS Regions list is available in the certificate.
  

• Which AWS services are covered by the ENS High certification?

  The covered AWS services that are already in scope for ENS can be found on the AWS Services in Scope by Compliance Program page. If you would like to learn more about using these services and/or have interest in other services please contact us.

• Are there guidelines that customers could use to help them comply with the High category of the ENS?

  Yes, AWS together with the National Cryptologic Centre have created a set of guidelines that customers can use to align with the security controls described in the High category of the ENS. AWS allows customers to verify ENS compliance of their security controls to the 800 CCN STIC guidelines for ENS using Prowler, an open-source security tool customers can integrate with AWS Security Hub to perform security configuration checks within their AWS environment. In addition, customers can launch open-source conformance pack templates within AWS Config to create security checks, allowing customers to personalize and align them with the ENS. The following links indicate the 800 CCN STIC guidelines and tools that maybe used to align with the security controls described in the ENS.

  • CCN-STIC-887 Specific Compliance Profile for AWS Corporate Cloud Service
    
  • CCN-STIC-887A AWS Secure Configuration Guide
  • CCN-STIC-887B Prowler Quick Guide
    
  • CCN-STIC-887C Hybrid Connectivity Secure Configuration Guide on AWS
    
  • CCN-STIC-887D AWS Multi-Account Secure Configuration Guide
    
  • CCN-STIC-887E Amazon WorkSpaces Secure Configuration Guide
    
  • Operational Best Practices for Esquema Nacional de Seguridad (ENS) Low
  • Operational Best Practices for Esquema Nacional de Seguridad (ENS) Medium
    
  • Operational Best Practices for Esquema Nacional de Seguridad (ENS) High
  • CCN-STIC-887F Guía de respuesta a incidentes de seguridad en AWS
  • CCN-STIC-887G Guía de Configuración segura para Monitorización y gestión AWS