What does a real-world implementation of TOMs (Technical and Organizational Measures) look like at scale, using AWS as a concrete example?
AWS implements TOMs (Technical and Organizational Measures) across five key services: KMS (Key Management Service) for key management, TLS 1.3 (Transport Layer Security) for transport encryption, CloudTrail for audit logging, GuardDuty for threat detection, and IAM (Identity and Access Management) for access control.
* AWS services mapped to their TOM functions. *
| AWS Service | TOM Function |
|---|---|
| KMS | Key Management Service for centralized encryption key management. All encryption keys are managed in one place with full audit trails. |
| TLS 1.3 | Latest transport encryption protocol for all data in transit. Ensures confidentiality between client and server. |
| CloudTrail | Comprehensive audit logging of every API call and user action. Creates the tamper-proof documentation trail regulators expect. |
| GuardDuty | Intelligent threat detection using machine learning. Continuously monitors for suspicious activity across AWS accounts. |
| IAM | Identity and Access Management with fine-grained policies. Controls exactly who can do what, down to individual API actions. |
AWS documents all of this in a detailed compliance whitepaper. This is important because it shows regulators and auditors exactly how each TOM requirement is met. It's become a model for how cloud providers demonstrate compliance, and it's publicly available for anyone to study.
Go deeper:
NIST — technical controls (CSRC glossary) — the standards definition behind tools like KMS/IAM/CloudTrail.