Build a stronger future powered by AWS

Resources for Security and Privacy

• Data access on AWS

  With AWS, customers own their data, control their location, and determine who has access to that data. We are transparent about how AWS services process the data uploaded to the AWS account (customer data), and we provide capabilities that allow encryption, deletion, and monitoring of the processing of customer data. This is based on the AWS shared responsibility model and the AWS customer agreement. The privacy features of AWS services provide an additional granularity per services.

  Resources
  

  • AWS Customer Agreement: this AWS Customer Agreement contains the terms and conditions that govern access to and use of the service offerings.
  • Privacy features of AWS services: overview of the key privacy features of AWS Services which can be used to perform data transfer assessments in accordance with the Schrems II decision of the Court of Justice of the European Union, and the European Data Protection Board Recommendations on measures that supplement transfer tools.
  • CISPE Data protection Code of Conduct: the CISPE Code assures organizations that their cloud infrastructure service provider meets the requirements applicable to a data processor under the GDPR. Ernst and Young CertifyPoint (EYCP) certified 52 AWS services as compliant, providing customers with additional confidence that they have been independently verified for compliance with GDPR.
  • Shared Responsibility Model: security and compliance is a shared responsibility between AWS and the customer. This shared model can help relieve the customer’s operational burden as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.
    
  • AWS Nitro System: a combination of dedicated hardware and lightweight hypervisors enabling confidential computing, by which operator access is restricted.
    

• United States Government access of customer data, the CLOUD Act

  The CLOUD Act – which applies to all companies, including foreign companies doing business in the US — does not give US law enforcement unfettered access to data. It only applies to a narrow category of data: evidence sought in connection with a crime, such as terrorism, over which the US has jurisdiction.
  Clarifying the CLOUD Act: a dedicated page explaining the details around the CLOUD Act and AWS.
  IDC Clarification on the CLOUD Act: IDC clarification, diving deep in understanding the facts of the CLOUD Act.
  

  AWS will challenge law enforcement requests for customer data from governmental bodies where the requests conflict with law, are overbroad, or where we otherwise have appropriate grounds to do so.
  

  Resources
  

  • AWS strengthened commitments on law enforcement requests: amendment to the customer agreement by challenging law enforcement requests and disclosing the minimum amount necessary.
  • Law enforcement info requests report: bi- annual report of types and numbers of law enforcement requests Amazon processed.
  • AWS Well-Architected: AWS Well-Architected helps cloud architects build secure, high-performing, resilient, and efficient infrastructure for their applications and workloads. Based on six pillars — operational excellence, security, reliability, performance efficiency, cost optimization and sustainability — AWS Well-Architected provides a consistent approach for customers and partners to evaluate architectures, and implement designs that can scale over time.

  Technical best practices to ensure data protection

  • AWS Key Management Service (KMS)
  • AWS Key Management Service custom key store
  • AWS CloudHSM
  • AWS KMS FAQ

• AWS and data movement

  Customers choose the AWS Region(s) in which their content is stored. They can replicate and back up their content to more than one AWS Region. With AWS, customers have full control of their data, including where their data is stored, how it is secured, who has access, and how they architect their data sovereignty needs. AWS will process Customer Data only in accordance with Documented Instructions.

  Resources

  • Data Privacy FAQ
  • AWS and Participation in Gaia-X, a EU initiative that brings together representatives from business, science, and politics to help define standards for the next generation of data infrastructure.
  • Data Residency Guardrails in AWS Control Tower: Simplified way to translate data residency requirements into controls which can be applied to single and multi-account environments.
    

   

• Data encryption on AWS
  

  AWS notifies customers before disclosing data, and also provides a number of advanced encryption and key management services that customers can use to protect their content. Explore AWS' key data encryption resources.

  Resources

  • AWS Cryptography Basics
  • AWS KMS Cryptography Whitepaper
  • AWS Compliance Quick Starts
  • AWS Encryption Updates
    

• EU Laws, Privacy Shield and AWS
  

  AWS customers and partners can continue to use AWS to transfer their content from Europe to the US and other countries, in compliance with EU data protection laws – including the General Data Protection Regulation (GDPR). Customers and partners can also store and process data within a region in the European Union and make sure there is no data transfers so that they comply with the ruling by Schrems II.

  Resources

  • Overview on AWS and EU Customer data.
  • Ebook: EU data protection and AWS.

   

• GDPR and how AWS can support
  

  AWS is committed to offering services and resources to help our customers comply with data protection requirements that might apply to their activities, and has more than 500 features and services focused on security and compliance.  With this in mind, in March 2018, we announced that all AWS services and features can be used in compliance with GDPR. 

  AWS offers a Data Processing Addendum (DPA) in the AWS Service Terms that applies automatically, whenever AWS customers use AWS services to process personal data uploaded to their AWS account.  The GDPR-compliant terms of the AWS DPA are considered a high watermark for privacy compliance worldwide and exceed requirements of most other data protection laws. This means customers will achieve at least an equivalent – if not higher - compliance standard to that required under most data protection laws. 

  For more information on what AWS is doing to help customers navigate data protection requirements, see our Data Protection page.
  

  Resources
  

  • Data Privacy Centre: all resourced about Data Privacy at AWS.
  • GDPR Center: all GDPR resources and FAQ.
    
  • AWS compliance programs: the AWS Compliance Program helps customers to understand the robust controls in place at AWS to maintain security and compliance in the cloud. 
  • AWS Security, Identity and Compliance: overview of security use cases and the respective AWS services for data protection, identity & access management, network & application protection, threat detection & continuous monitoring as well as compliance & data privacy.
  • AWS Well-Architected: AWS Well-Architected helps cloud architects build secure, high-performing, resilient, and efficient infrastructure for their applications and workloads. Based on six pillars — operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability — AWS Well-Architected provides a consistent approach for customers and partners to evaluate architectures, and implement designs that can scale over time.
  • AWS Artifact: AWS Artifact is the go-to, central resource for compliance-related information that matters for AWS customers. It provides on-demand access to AWS’ security and compliance reports and select online agreements. Reports available in AWS Artifact include our Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls. Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Nondisclosure Agreement (NDA).
    

• Geographic location of data centers
  

  AWS customers choose the AWS Region or Regions in which their content and servers will be located. This allows customers with geographic specific data residency requirements to establish environments in a location or locations of their choice. Customers retain complete control and ownership over the region in which their data is physically located, making it easy to meet regional compliance and data residency requirements. AWS will not move customer content without the customer’s consent, except as legally required.

  Resources

  • AWS Global Infrastructure: detailed overview of the current AWS Regions, Availability Zones, Points of Presence and countries and territories served.
  • Regions and Availability Zones: map view of the location of AWS Regions and Availability Zones.
  • Data Centers Info: extensive information on AWS data center’s perimeter layer, the infrastructure layer, data layer as well as the environmental layer.
    

• Regulated sector on AWS
  

  AWS has achieved a number of internationally recognized certifications and accreditations, demonstrating compliance with third-party assurance frameworks, including HIPAA, GDPR, Personal Health Data Protection in France (HDS), Cloud Computing Compliance Catalogue (C5), Government Standards in Spain (ENS high), Cyber Threat Protection in the UK (Cyber Essential Plus), Government Standards in the UK (G-Cloud), and the Attestation for Swiss Financial Market Supervisory Authority Circulars to meet the unique security, regulatory and compliance obligations of institutions from Regulated Sectors/Public Sector.

  Resources

  • Compliance Financial Institutions FAQ: frequently asked questions of the German financial institutions about using AWS.
  • Compliance & Security for Financial Services: AWS understands the unique security, regulatory, and compliance obligations financial services institutions face on a global scale. This overview considers all resources and steps needed for financial institutions to securely navigate through the cloud.
  • Cloud Governance for Financial Services: a framework to guide customers in establishing processes and selecting tools to manage and govern their AWS environment.
  • AWS Artifact: the go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS’ security and compliance reports and select online agreements.
  • AWS Compliance Programs: this program helps customers understand the controls in place at AWS to maintain security and compliance in the cloud based on tying together governance- focused, audit-friendly services features with applicable compliance or audit standards.
  • AWS in the Public Sector: one-stop resources for governments, non-profit organizations, education and healthcare institutions to pave the way for innovation and supporting world changing projects.