- AWSβΊ
- Security, Identity, and Compliance
Privacy Features of AWS Services
AWS is vigilant about your privacy, and we provide the most flexible and secure cloud computing environment available today. With AWS, you own your data, you control its location, and you control who has access to it. We are transparent about how AWS services process the personal data you upload to your AWS account (customer data), and we provide capabilities that allow you to encrypt, delete, and monitor the processing of your customer data.
You can use AWS services with the confidence that your customer data stays in the AWS Region you select. A small number of AWS services involve the transfer of customer data, for example, to develop and improve those services, where you can opt-out of the transfer, or because transfer is an essential part of the service (such as a content delivery service). We prohibit, and our systems are designed to prevent, remote access by AWS personnel to customer data for any purpose, including service maintenance, unless access is requested by you, is required to prevent fraud and abuse, or to comply with law. For more information on how AWS designs its systems to prevent unauthorized access by AWS personnel to customer data, you can learn more on our webpage for Operator Access on AWS.
Below we provide an overview of the key privacy features of AWS Services, which you can use to perform data transfer assessments in accordance with the Schrems II decision of the Court of Justice of the European Union, and the European Data Protection Board Recommendations 01/2020 on measures that supplement transfer tools. For more information, please see our whitepaper on Navigating GDPR Compliance on AWS.
See the AWS Security Documentation for more information about how the AWS services listed below enable customers to encrypt, delete, and monitor the processing of their customer data.
| AWS service | Customer can encrypt | Customer can delete | Customer can monitor processing | No remote access* |
|---|---|---|---|---|
| Amazon API Gateway | β | β | β | β |
| Amazon AppFlow | β | β | β | β
|
| Amazon AppStream 2.0 | β | β | β | β
|
| Amazon AppStream 2.0 User Pools | β | β | β | β
|
| Amazon Athena | β | β | β | β
|
| Amazon Augmented AI (A2I) | β | β
|
β | β |
| Amazon Aurora | β | β | β | β
|
| Amazon Bedrock1 | β | β | β | β
|
| Amazon Braket | β | β | β | β |
| Amazon Chime | β | β | β | β
|
| Amazon Cloud Directory | β | β | β | β
|
| Amazon CloudFront | β | β | β | β
|
| Amazon CloudWatch | β | β | β | β
|
| Amazon CloudWatch Logs
|
β | β | β | β
|
| Amazon CodeGuru Profiler | β | β | β | β |
| Amazon CodeGuru Reviewer | β | β | β | β
|
| Amazon Cognito | β | β | β | β
|
| Amazon Comprehend | β | β | β | β
|
| Amazon Connect2 | β | β | β | β
|
| Amazon Detective | β | β | β | β
|
| Amazon DocumentDB (with MongoDB compatibility) | β | β | β | β
|
| Amazon DynamoDB | β | β | β | β
|
| Amazon Elastic Block Store (Amazon EBS) | β | β | β | β
|
| Amazon Elastic Compute Cloud (Amazon EC2) | β | β | β | β
|
| Amazon Elastic Container Registry (Amazon ECR) | β | β | β
|
β
|
| Amazon Elastic Container Service (Amazon ECS) | β | β | β | β
|
| Amazon Elastic File System (Amazon EFS) | β | β
|
β
|
β
|
| Amazon Elastic Kubernetes Service (Amazon EKS) | β | β
|
β
|
β
|
| Amazon ElastiCache for Memcached3 | β2 | β | β
|
β
|
| Amazon ElastiCache for Redis | β | β
|
β
|
β
|
| Amazon EMR | β | β
|
β
|
β
|
| Amazon EventBridge | β | β
|
β
|
β
|
| Amazon Forecast | β | β
|
β
|
β |
| Amazon Fraud Detector | β | β
|
β
|
β
|
| Amazon FSx for Lustre | β | β | β
|
β
|
| Amazon FSx for ONTAP | β | β
|
β
|
β
|
| Amazon FSx for OpenZFS | β | β
|
β
|
β
|
| Amazon FSx for Windows File Server | β | β
|
β
|
β
|
| Amazon GameLift | β | β
|
β
|
β
|
| Amazon GuardDuty | β | β
|
β
|
β
|
| Amazon Healthlake | β | β | β | β
|
| Amazon Inspector | β | β
|
β
|
β
|
| Amazon Inspector Classic | β | β
|
β
|
β
|
| Amazon Interactive Video Service (IVS) | β | β
|
β
|
β
|
| Amazon Kendra | β | β
|
β
|
β
|
| Amazon Keyspaces | β | β | β | β
|
| Amazon Managed Service for Apache Flink for Java Applications | β | β
|
β
|
β
|
| Amazon Managed Service for Apache Flink for SQL Applications | β | β
|
β
|
β
|
| Amazon Kinesis Data Firehose | β | β
|
β
|
β
|
| Amazon Kinesis Data Streams | β | β
|
β
|
β
|
| Amazon Kinesis VideoStreams | β | β
|
β
|
β
|
| Amazon Lex | β | β
|
β
|
β
|
| Amazon Lightsail | β | β
|
β
|
β
|
| Amazon Location Service | β | β
|
β
|
β
|
| Amazon Macie | β | β
|
β
|
β
|
| Amazon Managed Blockchain (AMB) | β | β
|
β
|
β
|
| Amazon Managed Service for Grafana (AMG) | β | β
|
β
|
β
|
| Amazon Managed Service for Prometheus (AMP) | β | β
|
β
|
β
|
| Amazon Managed Streaming for Kafka (MSK) | β | β
|
β
|
β
|
| Amazon Managed Workflows for Apache Airflow (MWAA) | β | β
|
β
|
β
|
| Amazon MemoryDB for Redis | β | β
|
β
|
β
|
| Amazon MQ | β | β
|
β
|
β
|
| Amazon Neptune | β | β
|
β
|
β
|
| Amazon OpenSearch Service | β | β | β | β
|
| Amazon Personalize | β | β | β | β
|
| Amazon Pinpoint | β | β | β | β
|
| Amazon Polly | β | β | β | β
|
| Amazon Q Business | β | β | β | β
|
| Amazon Q Developer | β | β | β | β
|
| Amazon QuickSight2 | β | β | β | β
|
| Amazon Redshift | β | β | β | β
|
| Amazon Rekognition | β | β
|
β
|
β
|
| Amazon Relational Database Service (Amazon RDS) | β | β
|
β
|
β
|
| Amazon SageMaker | β | β
|
β
|
β |
| Amazon Simple Email Service (Amazon SES) | β | β
|
β
|
β
|
| Amazon Simple Notification Service (Amazon SNS) | β | β
|
β
|
β
|
| Amazon Simple Queue Service (Amazon SQS) | β | β | β | β
|
| Amazon Simple Storage Service (Amazon S3) | β | β
|
β
|
β
|
| Amazon Simple Storage Service Glacier | β | β
|
β
|
β
|
| Amazon Simple Workflow Service (Amazon SWF) | β | β
|
β
|
β
|
| Amazon Textract | β | β
|
β
|
β
|
| Amazon Timestream | β | β
|
β
|
β
|
| Amazon Transcribe
|
β | β
|
β
|
β
|
| Amazon Translate | β | β
|
β
|
β
|
| Amazon Virtual Private Cloud (Amazon VPC) | β | β
|
β
|
β
|
| Amazon WorkDocs | β | β
|
β
|
β
|
| Amazon WorkLink | β | β
|
β
|
β
|
| Amazon WorkMail | β | β
|
β
|
β
|
| Amazon WorkSpaces
|
β | β
|
β
|
β
|
| Amazon WorkSpaces Application Manager (Amazon WAM) | β | β
|
β
|
β
|
| AWS Amplify | β | β
|
β
|
β
|
| AWS App Mesh | β | β
|
β
|
β
|
| AWS App Runner | β | β | β
|
β
|
| AWS Application Discovery Service | β
|
β
|
β
|
β
|
| AWS Application Migration Service | β
|
β
|
β
|
β
|
| AWS AppSync | β
|
β
|
β
|
β
|
| AWS Audit Manager | β
|
β
|
β
|
β
|
| AWS Backup | β
|
β
|
β
|
β
|
| AWS Certificate Manager (ACM) | β
|
β
|
β
|
β
|
| AWS Clean Rooms | β
|
β
|
β
|
β
|
| AWS Cloud9 | β
|
β
|
β
|
β
|
| AWS CloudFormation | β
|
β
|
β
|
β
|
| AWS CloudHSM | β
|
β
|
β
|
β
|
| AWS CloudShell | β
|
β
|
β
|
β
|
| AWS CloudTrail | β
|
β
|
β
|
β
|
| AWS CodeArtifact | β
|
β
|
β
|
β |
| AWS CodeBuild | β
|
β
|
β
|
β
|
| AWS CodeCommit | β
|
β
|
β
|
β
|
| AWS CodeDeploy | β
|
β
|
β
|
β
|
| AWS CodePipeline | β
|
β
|
β
|
β
|
| AWS CodeStar | β
|
β
|
β
|
β
|
| AWS Config | β
|
β
|
β
|
β
|
| AWS Control Tower | β
|
β
|
β
|
β
|
| AWS Database Migration Service (AWS DMS) | β
|
β
|
β
|
β
|
| AWS Data Exchange | β
|
β
|
β
|
β
|
| AWS DataSync | β
|
β
|
β
|
β
|
| AWS Device Farm | β
|
β
|
β
|
β
|
| AWS Direct Connect | β
|
β
|
β
|
β
|
| AWS Directory Service | β
|
β
|
β
|
β
|
| AWS Elastic Beanstalk | β
|
β
|
β
|
β
|
| AWS Elastic Disaster Recovery | β
|
β
|
β
|
β
|
| AWS Elastic Transcoder | β
|
β
|
β
|
β
|
| AWS Elemental MediaConnect | β
|
β
|
β
|
β
|
| AWS Elemental MediaConvert
|
β
|
β
|
β
|
β
|
| AWS Elemental MediaLive
|
β
|
β
|
β
|
β
|
| AWS Elemental MediaPackage | β
|
β
|
β
|
β
|
| AWS Elemental MediaStore | β
|
β
|
β
|
β
|
| AWS Entity Resolution | β
|
β
|
β
|
β
|
| AWS Fargate | β
|
β
|
β
|
β
|
| AWS Firewall Manager | β
|
β
|
β
|
β
|
| AWS Global Accelerator | β
|
β
|
β
|
β
|
| AWS Glue | β
|
β
|
β
|
β
|
| AWS Glue DataBrew | β
|
β
|
β
|
β
|
| AWS IAM Identity Center | β
|
β
|
β
|
β
|
| AWS IoT Analytics | β
|
β
|
β
|
β
|
| AWS IoT Core | β
|
β
|
β
|
β
|
| AWS IoT Device Management | β
|
β
|
β
|
β
|
| AWS IoT Events | β
|
β
|
β
|
β
|
| AWS IoT Greengrass V1
|
β
|
β
|
β
|
β
|
| AWS IoT Greengrass V2 | β
|
β
|
β
|
β
|
| AWS IoT SiteWise | β
|
β
|
β
|
β
|
| AWS IoT Things Graph | β
|
β
|
β
|
β
|
| AWS IQ | β
|
β
|
β
|
β
|
| AWS Key Management Service (AWS KMS) | β
|
β
|
β
|
β
|
| AWS Lake Formation | β
|
β
|
β
|
β
|
| AWS Lambda | β
|
β
|
β
|
β
|
| AWS License Manager | β
|
β
|
β
|
β
|
| AWS Migration Hub | β
|
β
|
β
|
β
|
| AWS Outposts | β
|
β
|
β
|
β
|
| AWS Secrets Manager | β
|
β
|
β
|
β
|
| AWS Security Hub CPSM | β
|
β
|
β
|
β
|
| AWS Security Hub | β
|
β
|
β
|
β
|
| AWS Serverless Application Repository
|
β
|
β
|
β
|
β
|
| AWS Service Catalog | β
|
β
|
β
|
β
|
| AWS Snowball Edge
|
β
|
β
|
β
|
β
|
| AWS Snowcone | β
|
β
|
β
|
β
|
| AWS Snowmobile | β
|
β
|
β
|
β
|
| AWS Step Functions | β
|
β
|
β
|
β
|
| AWS Storage Gateway for FSx File Gateway | β
|
β
|
β
|
β
|
| AWS Storage Gateway for S3 File Gateway | β
|
β
|
β
|
β
|
| AWS Storage Gateway for Tape Gateway | β
|
β
|
β
|
β
|
| AWS Storage Gateway for Volume Gateway | β
|
β
|
β
|
β
|
| AWS Supply Chain2 | β
|
β | β
|
β
|
| AWS Systems Manager | β
|
β
|
β
|
β
|
| AWS Transfer Family | β
|
β
|
β
|
β
|
| AWS Transform | β
|
β
|
β
|
β
|
| AWS WAF | β
|
β
|
β
|
β
|
| AWS X-Ray | β
|
β
|
β
|
β
|
| CloudEndure Disaster Recovery (an AWS Company) | β
|
β
|
β
|
β
|
| CloudEndure Migration (an AWS Company) | β
|
β
|
β
|
β
|
| FreeRTOS | β
|
β
|
β
|
β
|
| Kiro | β
|
β
|
β
|
β
|
* Unless access is requested by you, is required to prevent fraud and abuse, or to comply with law.
1 Processing occurs in conjunction with the foundational model (FM) you choose.
2 See the applicable service documentation for information about Amazon Q.
3 Amazon ElastiCache for Memcached supports encryption in transit. By design, Memcached doesnβt provide persistent disk storage, and only stores data in memory for the time needed for customerβs application. ElastiCache also supports memory encryption when choosing Graviton instances of family types r6g and m6g. All data-storing AWS services offer encryption.
Transfers of Customer Data
For a small subset of services it is an essential function of the service that data is transferred from the AWS Region you have selected. For example, if you choose to send messages via Amazon Simple Notification Service to a recipient, the content of those messages will be transferred to the location of the recipients. See below for a list of similar AWS services.
- Amazon AppStream 2.0 User Pool
- Amazon Chime
- Amazon CloudFront
- Amazon Cognito*
- AWS IAM Identity Center**
- Amazon Interactive Video Service (IVS)
- Amazon Location Service
- AWS End User Messaging (formerly Amazon Pinpoint)
- Amazon Simple Email Service
- Amazon Simple Notification Service
- Amazon WorkMail
- AWS Elemental MediaConnect
- AWS IoT Core***
* In certain circumstances, Amazon Cognito uses Amazon Simple Email Service (Amazon SES) to send user emails and Amazon Simple Notification Service (Amazon SNS) to send user SMS text messages. If Amazon SES is not available in Region, Amazon Cognito calls Amazon SESβ endpoints in a different AWS Region. More information can be found here. Similarly, if Amazon SNS is not available in Region, Amazon Cognito calls Amazon SNSβ endpoints in a different AWS Region. More information can be found here.
** In certain circumstances, AWS IAM Identity Center uses Amazon Simple Email Service (Amazon SES) to send user emails. If Amazon SES is not available in Region, IAM Identity Center calls Amazon SESβ endpoints in a different AWS Region. More information can be found here.
*** To the extent you use the IoT Core for Amazon Sidewalk feature, or the Device Location feature supported by HERE is enabled.
In addition, some of our services use cross-region inference to improve performance or for other technical reasons, such as to help customers scale their generative AI workloads. See here for more information on cross-region inference services and AWS documentation.
Some AWS services can involve the transfer of customer data to develop and improve those services. You can opt out of these transfers by using the opt-out mechanisms indicated in the applicable Service Terms or AWS documentation.
- Amazon CodeGuru Profiler
- Amazon Comprehend
- Amazon Connect*
- Amazon Fraud Detector
- Amazon GuardDuty**
- Amazon Lex
- Amazon Polly
- Amazon Q Developer Free Tier
- Amazon Rekognition
- Amazon SageMaker Data Agent
- Amazon Textract
- Amazon Transcribe
- Amazon Translate
- AWS Entity Resolution
- AWS Security Hub
- AWS Supply Chain
- AWS Transform
- Kiro Free Tier / Individual subscribers
* This entry encompasses, for example, Contact Lens for Amazon Connect, Amazon Connect Customer Profiles, Amazon Connect outbound campaigns, Amazon Q in Connect, and Amazon Connect Forecasting, Capatcity Planning, and Scheduling. See Service Term 54.7.
** This AWS service will involve a transfer to the extent you have enabled the new Amazon GuardDuty Malware Protection feature.
AWS European Sovereign Cloud
For the AWS European Sovereign Cloud, moving data out of your selected AWS Region or remote access by AWS personnel is restricted even further than as described above, as explained in the white paper Overview of the AWS European Sovereign Cloud and the AWS European Sovereign Cloud Addendum.