AWS Global Export Compliance
Overview
Export laws govern the movement of certain hardware, software, technology, and content across international borders (i.e., from one country to another). AWS is subject to applicable export laws across the globe including the US ‘s dual-use Export Administration Regulations (EAR) and defense International Traffic in Arms Regulations (ITAR). This webpage is dedicated to dual-use export controls, and is for informational purposes only and does not constitute legal advice. Please see AWS ITAR Compliance for more information about the ITAR.
FAQs
-
How do export controls apply in the cloud?
Although the applicability of export laws to cloud services can vary by country, generally, the following are the three principles for how export controls apply in the cloud context:
- The provision of cloud services (including SaaS and IaaS) is not an export-controlled activity. Use of cloud hosted software is not an export-controlled activity as long as the software is not downloaded.
- See U.S. Department of Commerce, Bureau of Industry and Security Advisory Opinions from January 13, 2009, January 11, 2011 and November 13, 2014.
- The cross-border transmission of export-controlled content or software, using end-to-end encryption, is not an export-controlled activity until the export-controlled content is accessed in an unencrypted format by the end user. This is true regardless of the location of the servers used to transit the information so long as the content is not intentionally stored in a restricted country listed in Country Group D:5.
- Cloud users are responsible for any export compliance requirements that would arise when storing controlled content and/or transmitting it across international borders. For instance, if a cloud user transmits controlled content, without encryption, from country A to country B – and country A requires a license for sending it to country B – the cloud user would need to obtain the license for sending their controlled content to country B.
- See U.S. Department of Commerce, Bureau of Industry and Security Advisory Opinion from November 13, 2014.
- The provision of cloud services (including SaaS and IaaS) is not an export-controlled activity. Use of cloud hosted software is not an export-controlled activity as long as the software is not downloaded.
-
How does the AWS Shared Responsibility Model apply when customers transmit, process, and store data in AWS?
AWS is responsible for the logical and physical compliance of the cloud infrastructure and our services, and the compliance for AWS’s own controlled content. Customers are responsible for the content they bring to AWS, the services they choose to use, and how they configure it to meet their compliance obligations. Please see the AWS Shared Responsibility Model for more information.
AWS Classification Table
As mentioned above, the use of software in the cloud is not an export-controlled activity and therefore knowledge of the US ECCNs is not required as no license determination needs to be performed. If, however, the below AWS items were to be shipped or downloaded the below listed US ECCNs would apply.
| Product | ECCN | Product | ECCN |
|---|---|---|---|
| AWS Elemental Live | 5A992.c | Amazon Deadline Cloud | EAR99 |
| AWS DeepRacer | EAR99 | AWS DataSync | EAR99 |
| AWS Spark Kit | EAR99 | AWS Elastic Disaster Recovery | EAR99 |
| AWS Snowball Edge | 5A992.c | Security Token Service | EAR99 |
| AWS Panorama Appliance | 5A992.c | Palatine | EAR99 |
| AWS Snowcone | 5A992.c | AWS Elemental Live Software | EAR99 |
| AWS Elemental Server | 5A992.c | Amazon GameLift | EAR99 |
| AWS Storage Gateway | 5D992.c | AWS Lift | EAR99 |
| Amazon SageMaker | EAR99 | AWS Signer | 5D992.c |
| AWS Enterprise Management Module | EAR99 | AWS Panorama Appliance | 5D992.c |
| AWS Elemental Conductor Live Software | EAR99 | AWS Wickr | 5D992.c |
| AWS DeepComposer | EAR99 | Amazon Verified Permissions | 5D992.c |
| AWS Neuron Service | EAR99 | AWS HealthImaging | 5D992.c |
| AWS Thinkbox Sequoia | EAR99 | AWS Autoloop Vehicle Data Engine | 5D992.c |
| AWS CodeWhisperer | EAR99 | AWS WorkSpaces | 5D992.c |
| AWS Supply Chain | EAR99 | AWS CloudEndure Migration | 5D992.c |
| AWS Elastic Disaster Recovery | EAR99 | AWS CloudHSM | 5D992.c |
| End-of-Support Migration Program for Windows Server | EAR99 | AWS Client VPN | 5D992.c |
| AWS Toolkit for Visual Studio | EAR99 | AWS Migration Evaluator | 5D992.c |
| AWS HealthScribe | EAR99 | Amazon Simple Email Service | 5D992.c |
| AWS IoT TwinMaker | EAR99 | AWS Elastic Block Store | 5D992.c |
| AWS Microservice Extractor for .NET | EAR99 | AWS Web Application Firewall | 5D992.c |
| AWS Elemental MediaConnect | EAR99 | AWS SimSpace Weaver | 5D992.c |
| NICE DC | EAR99 | AWS AppStream 2.0 | 5D992.c |
| AWS Elemental Conductor File | EAR99 | Application Discovery Service Agentless Collector | 5D992.c |
| AWS IoT Site Wise | EAR99 | Amazon Elastic Container Service | 5D992.c |
| Amazon Rekognition | EAR99 | AWS Application Discovery Service | 5D992.c |
