Clarifying Lawful Overseas Use of Data (CLOUD) Act
Overview
On March 23, 2018, the United States (U.S.) Congress passed the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which updated the legal framework used by law enforcement authorities to request data held by certain service providers. Importantly, the CLOUD Act:
- Has resulted in zero disclosures of AWS enterprise or government customer content stored outside the U.S. to the U.S. government, since we started reporting the statistic in 2020.
- Does not give the U.S. government or any government unfettered or automatic access to data, including data stored in the cloud.
- Is not, despite its name, specifically targeted at infrastructure cloud service providers; rather, the legislation applies to a broad range of online service providers. It also applies to any service provider with operations in the U.S., not just companies with U.S. headquarters.
- Does not limit technical measures and operational controls AWS offers to customers to prevent access to customer data.
The CLOUD Act updated the Stored Communications Act (SCA), which protects data held by service providers, absent a legally authorized exception—this protection applies to data stored both inside and outside the U.S. The CLOUD Act clarified that if a service provider is compelled to produce data under one of the limited exceptions, such as a search warrant for content data, the data to be produced can include data stored in the U.S. or outside the U.S. The CLOUD Act also enabled the U.S. government to enter into reciprocal executive agreements with other countries to lift blocking statutes and enable foreign law enforcement authorities to compel production of content data directly from service providers for serious crimes, subject to strong procedural and substantive safeguards. Importantly, the CLOUD Act also created additional safeguards, including recognizing the right of service providers to challenge requests that conflict with another country’s laws or national interests.
FAQs
What technical measures does AWS offer to protect customer data?
We believe customers should maintain control of their own data. AWS is architected to be the most secure global cloud infrastructure on which to build, migrate, and manage applications and workloads, and we are committed to providing our customers with industry-leading privacy and security protections when using our services.
AWS has designed products and services that make sure that no one—not even AWS operators—can access customer content. We can only respond to legal requests for data where we have the technical ability to do so. AWS customers have a range of technical measures and operational controls to prevent access to data. For example, many of the AWS core systems and services are designed with zero operator access, meaning the services don’t have any technical means for AWS operators to access customer data.
The AWS Nitro System, which is the foundation of AWS computing services, uses specialized hardware and software to protect data from outside access during processing on Amazon Elastic Compute Cloud (Amazon EC2). By providing a strong physical and logical security boundary, Nitro is designed so that no unauthorized person—not even AWS operators—can access customer workloads on EC2. The design of the Nitro System has been validated by the NCC Group, an independent cybersecurity firm. The controls that help prevent operator access are so fundamental to the Nitro System that we’ve added them in our AWS Service Terms to provide an additional contractual assurance to all of our customers.
We also give customers features and controls to encrypt data, whether in transit, at rest, or in memory. All AWS services already support encryption, with most also supporting encryption with customer managed keys that are inaccessible to AWS. Encrypted content is useless without the applicable decryption keys.
For more information about our services that support zero operator access, see Operator Access on AWS.
What was the purpose behind passage of the CLOUD Act?
The CLOUD Act was enacted in March 2018 to speed up law enforcement’s ability to obtain electronic information held by service providers in investigations of serious crime ranging from terrorism and violent crime to sexual exploitation of children and cybercrime. (See CLOUD Act Resources on the U.S. Department of Justice Website.) Testimony provided by U.S. Department of Justice (DOJ) officials advocating for the legislation placed the focus of the CLOUD Act on the ability of law enforcement around the world to compel data in cross-border investigations involving serious crimes. (See Testimony of Richard Downing, DOJ, Deputy Assistant Attorney General, before the House Judiciary Committee on June 15, 2017.)
What is the legal standard for law enforcement to obtain content data from providers under the CLOUD Act?
U.S. law enforcement can compel content data from service providers only with a warrant authorized by an independent federal judge in accordance with U.S. criminal procedures. For a warrant to be issued under U.S. law, a U.S. judge must be convinced that there is probable cause to believe a crime has occurred and that evidence of that crime will be found in the place to be searched, as specified by the warrant (that is, data in a specific electronic account such as an email account). This legal standard must be established through specific and trustworthy facts. Each and every search warrant must pass this stringent probable cause determination with regard to credible facts, particularity, and legality, must be approved by an independent judge, and must meet requirements regarding scope and jurisdiction.
Foreign governments requesting data pursuant to a CLOUD Act executive agreement with the U.S. must meet similar requirements. The DOJ has explained that “[o]rders requesting data under the CLOUD Act must be lawfully obtained under the domestic system of the country seeking the data; must target specific individuals or accounts; must have a reasonable justification based on articulable and credible facts, particularity, legality, and severity; and must be subject to review or oversight by an independent authority, such as a judge or magistrate. Bulk data collection is not permitted.”
DOJ also issued a policy in May 2023 stating that prosecutors should contact the Department’s Office of International Affairs (OIA) when they become aware that they need evidence located in another country. It requires that prosecutors seeking evidence known to be located abroad obtain approval from OIA prior to obtaining an order to compel disclosure of such evidence from a provider in the U.S. The DOJ policy on evidence abroad notes that every nation enacts laws to protect its sovereignty; OIA works to address these issues and assist prosecutors in selecting an appropriate mechanism to secure evidence.
How does the CLOUD Act impact AWS enterprise and government customers?
As of June 2025, there have been no data requests to AWS that resulted in disclosure of enterprise or government content data stored outside the U.S. to the U.S. government since we started reporting this statistic. This record reflects the robust legal protections within U.S. law and policies implemented by the U.S. Department of Justice, in addition to technical safeguards AWS offers.
The DOJ’s Computer Crime and Intellectual Property Section issued guidance in 2017 advising prosecutors to seek data from an enterprise, such as a company that stores data with a cloud provider, rather than from the provider, absent special circumstances. This provides important guidance to prosecutors to seek data directly from enterprises. When we receive such requests for enterprise customer content, we make every reasonable effort to redirect law enforcement to the customer and notify the customer when legally permitted.
Is the CLOUD Act only applicable to U.S. cloud service providers?
No. The CLOUD Act applies to all electronic communication service or remote computing service providers that operate or have a legal presence in the U.S. For example, the CLOUD Act is also applicable to a cloud service provider that is headquartered in the EU and has operations in the United States. OVHcloud, a French-headquartered cloud services provider that operates in the U.S., notes in its CLOUD Act FAQ page that “OVHcloud will comply with lawful requests from public authorities. Under the CLOUD Act, that can include data stored outside of the United States.”
Can the protections in the CLOUD Act be invalidated by an executive order?
Under U.S. law, executive actions cannot create new laws or contradict existing laws passed by Congress, such as the CLOUD Act.
Did the CLOUD Act introduce a new legal concept?
No. Many countries require disclosure of customer data wherever it’s stored in response to legal process involving serious crimes. This concept is enshrined within the Budapest Convention on Cybercrime, which was the first international treaty aimed at improving cooperation in investigations of cybercrimes. For example, the United Kingdom’s Crime (Overseas Production Orders) Act allows United Kingdom (U.K.) law enforcement agencies to obtain stored electronic data located outside of the U.K. in connection with a criminal investigation. According to a 2024 filing by the U.S. DOJ, the laws of several European member states, including Belgium, Denmark, France, Ireland, and Spain, have similar requirements.
How does AWS handle law enforcement requests?
We have very detailed procedures for handling law enforcement requests from any country. We do not disclose customer data in response to law enforcement requests unless we are obligated to do so by a legally valid and binding order as we have publicly committed in the Supplementary Addendum to the AWS Data Processing Addendum. When we receive a request from law enforcement, we carefully examine it to validate legitimacy and to verify that it complies with applicable law. If AWS receives a legally valid and binding request for enterprise customer content, AWS will use every reasonable effort to redirect law enforcement to the customer and will notify the customer if legally permitted. AWS will challenge requests that conflict with the law, are overbroad, or otherwise inappropriate as we have publicly committed in the Supplementary Addendum to the AWS Data Processing Addendum. If AWS remains compelled to disclose customer data after exhausting these steps, and we have the technical ability to do so, we disclose only the minimum necessary to satisfy the request. For more information on our approach to law enforcement requests, visit our Law Enforcement Information Requests page.
Did the CLOUD Act create new requirements for service providers to decrypt data in response to law enforcement requests?
No. The CLOUD Act does not create any new authority for law enforcement to compel service providers to decrypt communications.
AWS gives customers features and controls to encrypt data, whether in transit, at rest, or in memory. All AWS services already support encryption, with most also supporting encryption with customer managed keys that are inaccessible to AWS. Encrypted content is useless without the applicable decryption keys.
Does AWS comply with data protection laws in other countries?
AWS contractually commits to comply with applicable data protection laws. We also commit to challenge any overbroad or inappropriate request from a governmental body (including where such a request conflicts with the applicable laws of the European Union or those of a Member State).
Does the CLOUD Act take precedence over other countries’ local laws?
No. The CLOUD Act does not change another country’s local laws. In fact, the CLOUD Act recognized the right for service providers to challenge requests that conflict with another country's laws or national interests.