Privacy and Data Protection Consideration in Amazon AWS
Working with customers large and small, the question that sometimes comes up in consultation and discussion from customers is the need to know how their data and privacy is protected if they move/migrate their workloads and in some cases sensitive data to AWS. AWS has been very transparent in divulging this information with customers. This information and many other documentations can be found in the AWS Compliance Resources page. Here is a summary of what customers need to know on this topic as they navigate their way into using AWS public cloud.
AWS customer maintains ownership and control of their content, including control over what content they choose to store or process using AWS services, which AWS services they use with their content, the Region(s) where their content is stored, the format, structure and security of their content, including whether it is masked, anonymized or encrypted, and who has access to their AWS accounts and content and how those access rights are granted, managed and revoked.
AWS provides customers with native and third-party tools to assist customer in securing and safeguarding their cloud accounts. Alternatively, “customers are also free to design and execute security assessments according to their own preferences and can request permission to conduct scans of their cloud infrastructure as long as those scans are limited to the customer’s compute instances.”
Because customers might have geographic and other regional compliance requirements, customers have the freedom to choose the AWS Region or Regions in which their content and servers will be located. AWS clearly state, they will not move customer contents from a chosen region without the customer’s consent, except as legally required.
On whom is allowed to access customer data in AWS, customers have the complete control to manage access controls, such as identity access management, permissions and security credentials which allow them to control the entire life cycle of their content on AWS and manage their content in accordance with their own specific needs, including content classification, access control, retention, and deletion.
AWS will not access or use customer content without the customer’s consent, except as legally required and will never uses customer content or derives information from it for other purposes such as marketing or advertising. AWS states it is their practice is to notify customers where practicable before disclosing their content so they can seek protection from disclosure unless we are legally prohibited from doing so or there is clear indication of illegal conduct in connection with the use of AWS services.
Read more about Amazon Web Services Data Privacy.
