At AWS, customer trust is our top priority. We deliver services to millions of active customers, including enterprises, educational institutions, and government agencies in over 190 countries. Our customers include financial services providers, healthcare providers, and governmental agencies, who trust us with some of their most sensitive information.
We know that customers care deeply about privacy and data security. That’s why AWS gives you ownership and control over your content through simple, powerful tools that allow you to determine where your content will be stored, secure your content in transit and at rest, and manage your access to AWS services and resources for your users. We also implement responsible and sophisticated technical and physical controls that are designed to prevent unauthorized access to or disclosure of your content.
AWS continually monitors the evolving privacy regulatory and legislative landscape to identify changes and determine what tools our customers might need to meet their compliance needs depending upon their applications. We recommend that customers and APN Partners with questions regarding AWS and data protection regulations contact their AWS account manager first. If customers have signed up for Enterprise Support, they can reach out to their Technical Account Manager (TAM) as well. TAMs work with Solutions Architects to help customers identify potential risks and potential mitigations. TAMs and account teams can also point customers and APN Partners with specific resources based on their environment and needs. AWS is not in the position to provide legal advice and we recommend that customers consult their legal counsel if they have legal questions.
Maintaining customer trust is an ongoing commitment. We strive to inform you of the privacy and data security policies, practices, and technologies we’ve put in place. These commitments include:
- Access: As a customer, you maintain full control of your content and responsibility for configuring access to AWS services and resources. We provide an advanced set of access, encryption, and logging features to help you do this effectively (e.g., AWS Identity and Access Management, AWS Organizations and AWS CloudTrail). We provide APIs for you to configure access control permissions for any of the services you develop or deploy in an AWS environment. We do not access or use your content for any purpose without your consent. We never use your content or derive information from it for marketing or advertising.
- Storage: You choose the AWS Region(s) in which your content is stored and the type of storage. You can replicate and back up your content in more than one AWS Region. We will not move or replicate your content outside of your chosen AWS Region(s) without your consent, except as legally required and as necessary to maintain the AWS services.
- Security: You choose how your content is secured. We offer you strong encryption for your content in transit and at rest, and we provide you with the option to manage your own encryption keys. These features include:
- Data encryption capabilities available in AWS storage and database services, such as Amazon Elastic Block Store, Amazon Simple Storage Service, Amazon Relational Database Service, and Amazon Redshift.
- Flexible key management options, including AWS Key Management Service (KMS), allow customers to choose whether to have AWS manage the encryption keys or enable customers to keep complete control over their keys.
- AWS customers can employ Server-Side Encryption (SSE) with Amazon S3-Managed Keys (SSE-S3), SSE with AWS KMS-Managed Keys (SSE-KMS), or SSE with Customer-Provided Encryption Keys (SSE-C).
- Disclosure of customer content: We do not disclose customer information unless we're required to do so to comply with a legally valid and binding order. Unless prohibited from doing so or there is clear indication of illegal conduct in connection with the use of Amazon products or services, Amazon notifies customers before disclosing content information.
- Security Assurance: We have developed a security assurance program that uses best practices for global privacy and data protection to help you operate securely within AWS, and to make the best use of our security control environment. These security protections and control processes are independently validated by multiple third-party independent assessments.
How does AWS classify customer data?
AWS classifies customer data into two categories: customer content and account information.
We define customer content as software (including machine images), data, text, audio, video, or images that a customer or any end user transfers to us for processing, storage, or hosting by AWS services in connection with that customer's account, and any computational results that a customer or any end user derives from the foregoing through their use of AWS services. For example, customer content includes content that a customer or any end user stores in Amazon Simple Storage Service (S3). Customer content does not include account information, which we describe below. The terms of the AWS Customer Agreement and the AWS Service Terms apply to your customer content.
We define account information as information about a customer that a customer provides to us in connection with the creation or administration of a customer account. For example, account information includes names, usernames, phone numbers, email addresses, and billing information associated with a customer account. The information practices described in the AWS Privacy Notice apply to account information.
Who owns customer content?
As a customer, you maintain ownership of your content, and you select which AWS services can process, store, and host your content. We do not access or use your content for any purpose without your consent. We never use customer content or derive information from it for marketing or advertising.
Who controls customer content?
As a customer, you control your content.
• You determine where your content will be stored, including the type of storage and geographic region of that storage.
• You choose the secured state of your content. We offer customers strong encryption for your content in transit and at rest, and we provide you with the option to manage your own encryption keys.
• You manage access to your content, and access to AWS services and resources through users, groups, permissions, and credentials that you control.
What about my account information?
The AWS Privacy Notice describes how we collect and use account information. We know that you care how account information is used, and we appreciate your trust that we will do so carefully and sensibly.
What happens when AWS receives a legal request for customer content?
We are vigilant about our customers' privacy. We do not disclose customer content unless we're required to do so to comply with the law, or with a valid and binding order of a governmental or regulatory body. Governmental and regulatory bodies need to follow the applicable legal process to obtain valid and binding orders. We review all orders and object to overbroad or otherwise inappropriate ones. Unless prohibited from doing so or there is clear indication of illegal conduct in connection with the use of Amazon products or services, Amazon notifies customers before disclosing customer content so they can seek protection from disclosure. It is also important to point out that our customers can encrypt their customer content, and we provide customers with the option to manage their own encryption keys.
We know that transparency matters to our customers, so we regularly publish a report about the types and volume of information requests we receive on the Amazon Information Requests webpage.
Where is customer content stored?
AWS datacenters are built in clusters in various AWS Regions around the globe. As a customer, you choose the AWS Region(s) in which your customer content is stored, allowing you to deploy AWS services in the location(s) of your choice, in accordance with your specific geographic requirements. For example, if an AWS customer in Australia wants to ensure their data is located only in Australia, they can choose to deploy their AWS services exclusively in the Asia Pacific (Sydney) AWS Region.
You can replicate and back up your customer content in more than one AWS Region, and we will not move or replicate your customer content outside of your chosen AWS Region(s) unless you change your AWS Region selection. However, it is important to note that all AWS services may not be available in all AWS Regions. For more information about AWS Regions, see the AWS Global Infrastructure webpage. For more information about which services are available in which AWS Regions, see the AWS Regions webpage.
What is my role in securing my content?
When evaluating the security of a cloud solution, it is important for you to understand and distinguish between the security of the cloud, and your security in the cloud. Security of the cloud encompasses the security measures that AWS implements and operates. We are responsible for security of the cloud. Security in the cloud encompasses the security measures that you implement and operate, related to the AWS services you use. You are responsible for your security in the cloud.
For a complete list of all the security measures built into our core AWS cloud infrastructure, platforms, and services, see the Overview of Security Processes whitepaper.
What is the EU-US Privacy Shield?
Recently, the European Commission and the US Government agreed on a new framework called the EU-US Privacy Shield, and on July 12, the European Commission formally adopted it. The EU-US Privacy Shield replaces Safe Harbor. Amazon Web Services (AWS) welcomes this new framework for transatlantic data flow.
To learn more about this topic in the context of AWS, visit our EU-US Privacy Shield page.
What steps does AWS take to protect my privacy?
AWS complies with ISO 27018, a code of practice that focuses on protection of personal data in the cloud. It is based on ISO information security standard 27002 and provides implementation guidance about ISO 27002 controls that is applicable to personally identifiable information (PII) processed by public cloud service providers. For more information, or to view the AWS ISO 27018 Certification, see the AWS ISO 27018 Compliance webpage.