Privacy Features of AWS Services

AWS is vigilant about your privacy, and we provide the most flexible and secure cloud computing environment available today. With AWS, you own your data, you control its location, and you control who has access to it. We are transparent about how AWS services process the personal data you upload to your AWS account (customer data), and we provide capabilities that allow you to encrypt, delete, and monitor the processing of your customer data.

You can use AWS services with the confidence that your customer data stays in the AWS Region you select. A small number of AWS services involve the transfer of customer data, either to develop and improve those services (where you can opt out of the transfer) or because the transfer is an essential part of the service (such as a content delivery service). We prohibit, and our systems are designed to prevent, remote access by AWS personnel to customer data for any purpose, including service maintenance, unless access is requested by you, is required to prevent fraud and abuse, or is required to comply with law.

Below we provide an overview of the key privacy features of AWS services that you can use to perform data transfer assessments in accordance with the Schrems II decision of the Court of Justice of the European Union and the European Data Protection Board Recommendations on measures that supplement transfer tools.

You can click on the underlined check marks in the below table for AWS documentation about how AWS services enable customers to encrypt, delete, and monitor the processing of their customer data.

Table columns: AWS service | Customer can encrypt | Customer can delete | Customer can monitor processing | No remote access*
Amazon API Gateway
Amazon AppFlow
Amazon AppStream 2.0
Amazon AppStream 2.0 User Pools
Amazon Athena
Amazon Augmented AI (A2I)
Amazon Aurora
Amazon Bedrock1
Amazon Braket
Amazon Chime
Amazon Cloud Directory
Amazon CloudFront
Amazon CloudWatch
Amazon CloudWatch Logs
Amazon CodeGuru Profiler
Amazon CodeGuru Reviewer
Amazon Cognito
Amazon Comprehend
Amazon Connect
Amazon Detective
Amazon DocumentDB (with MongoDB compatibility)
Amazon DynamoDB
Amazon Elastic Block Store (Amazon EBS)
Amazon Elastic Compute Cloud (Amazon EC2)
Amazon Elastic Container Registry (Amazon ECR)
Amazon Elastic Container Service (Amazon ECS)
Amazon Elastic File System (Amazon EFS)
Amazon Elastic Kubernetes Service (Amazon EKS)
Amazon ElastiCache for Memcached 2
Amazon ElastiCache for Redis
Amazon EMR
Amazon EventBridge
Amazon Forecast
Amazon Fraud Detector
Amazon FSx for Lustre
Amazon FSx for ONTAP
Amazon FSx for OpenZFS
Amazon FSx for Windows File Server
Amazon GameLift
Amazon GuardDuty
Amazon Healthlake
Amazon Inspector
Amazon Inspector Classic
Amazon Interactive Video Service (IVS)
Amazon Kendra
Amazon Keyspaces
Amazon Managed Service for Apache Flink for Java Applications
Amazon Managed Service for Apache Flink for SQL Applications
Amazon Kinesis Data Firehose
Amazon Kinesis Data Streams
Amazon Kinesis VideoStreams
Amazon Lex
Amazon Lightsail
Amazon Location Service
Amazon Macie
Amazon Managed Blockchain (AMB)
Amazon Managed Service for Grafana (AMG)
Amazon Managed Service for Prometheus (AMP)
Amazon Managed Streaming for Kafka (MSK)
Amazon Managed Workflows for Apache Airflow (MWAA) 
Amazon MemoryDB for Redis
Amazon MQ
Amazon Neptune
Amazon OpenSearch Service 
Amazon Personalize
Amazon Pinpoint
Amazon Polly
Amazon Quantum Ledger Database (QLDB)
Amazon QuickSight
Amazon Redshift
Amazon Rekognition
Amazon Relational Database Service (Amazon RDS)
Amazon SageMaker
Amazon Simple Email Service (Amazon SES)
Amazon Simple Notification Service (Amazon SNS)
Amazon Simple Queue Service (Amazon SQS)
Amazon Simple Storage Service (Amazon S3)
Amazon Simple Storage Service Glacier
Amazon Simple Workflow Service (Amazon SWF)
Amazon Textract
Amazon Timestream
Amazon Transcribe
Amazon Translate
Amazon Virtual Private Cloud (Amazon VPC)
Amazon WorkDocs
Amazon WorkLink
Amazon WorkMail
Amazon WorkSpaces
Amazon WorkSpaces Application Manager (Amazon WAM)
AWS Amplify
AWS App Mesh
AWS App Runner 
AWS Application Discovery Service
AWS Application Migration Service
AWS AppSync
AWS Audit Manager
AWS Backup
AWS Certificate Manager (ACM)
AWS Clean Rooms
AWS Cloud9
AWS CloudFormation
AWS CloudHSM
AWS CloudShell
AWS CloudTrail
AWS CodeArtifact
AWS CodeBuild
AWS CodeCommit
AWS CodeDeploy
AWS CodePipeline
AWS CodeStar
AWS Config
AWS Control Tower
AWS Database Migration Service (AWS DMS) 
AWS Data Exchange
AWS DataSync
AWS Device Farm
AWS Direct Connect
AWS Directory Service
AWS Elastic Beanstalk
AWS Elastic Disaster Recovery
AWS Elastic Transcoder
AWS Elemental MediaConnect
AWS Elemental MediaConvert
AWS Elemental MediaLive
AWS Elemental MediaPackage
AWS Elemental MediaStore
AWS Entity Resolution
AWS Fargate
AWS Firewall Manager
AWS Global Accelerator
AWS Glue
AWS Glue DataBrew
AWS IAM Identity Center
AWS IoT Analytics
AWS IoT Core
AWS IoT Device Management
AWS IoT Events
AWS IoT Greengrass V1
AWS IoT Greengrass V2
AWS IoT SiteWise
AWS IoT Things Graph
AWS IQ
AWS Key Management Service (AWS KMS)
AWS Lake Formation
AWS Lambda
AWS License Manager
AWS Migration Hub
AWS OpsWorks for Chef Automate
AWS OpsWorks for Puppet Enterprise
AWS OpsWorks Stacks
AWS Outposts
AWS RoboMaker
AWS Secrets Manager
AWS Security Hub
AWS Serverless Application Repository
AWS Service Catalog
AWS Snowball Edge
AWS Snowcone
AWS Snowmobile
AWS Step Functions
AWS Storage Gateway for FSx File Gateway
AWS Storage Gateway for S3 File Gateway
AWS Storage Gateway for Tape Gateway
AWS Storage Gateway for Volume Gateway
AWS Supply Chain
AWS Systems Manager
AWS Transfer Family
AWS WAF
AWS X-Ray
CloudEndure Disaster Recovery (an AWS Company)
CloudEndure Migration (an AWS Company)
Contact Lens for Amazon Connect
FreeRTOS

*Unless access is requested by you, is required to prevent fraud and abuse, or to comply with law.

1 Processing occurs in conjunction with the foundational model (FM) you choose.

2 Amazon ElastiCache for Memcached supports encryption in transit. By design, Memcached does not provide persistent disk storage and only stores data in memory for the time needed by the customer's application. ElastiCache also supports memory encryption when choosing Graviton instances of the r6g and m6g family types. All data-storing AWS services offer encryption.

AWS services that allow customers to opt-out of transfers of customer data

The following AWS services transfer customer data to develop and improve those services, and you can opt out of that transfer.

  • Amazon CodeGuru Profiler
  • Amazon Comprehend
  • Amazon Connect Customer Profiles
  • Amazon Connect Forecasting, Capacity Planning, and Scheduling
  • Amazon Connect outbound campaigns
  • Amazon Connect Wisdom
  • Amazon Fraud Detector
  • Amazon GuardDuty*
  • Amazon Lex
  • Amazon Polly
  • Amazon Q in QuickSight
  • Amazon Rekognition
  • Amazon Textract
  • Amazon Transcribe
  • Amazon Translate
  • AWS Supply Chain
  • Contact Lens for Amazon Connect

*This AWS service will involve a transfer to the extent you have enabled the new Amazon GuardDuty Malware Protection feature.

AWS services that transfer customer data as an essential function of the service

The following AWS services transfer customer data as an essential function of the service. For example, if you choose to send messages via Amazon Simple Notification Service, the content of those messages will transfer to the location of the recipients.

  • Amazon AppStream 2.0 User Pool
  • Amazon Chime
  • Amazon CloudFront
  • Amazon Cognito*
  • AWS IAM Identity Center**
  • Amazon Interactive Video Service (IVS)
  • Amazon Location Service
  • Amazon Pinpoint
  • Amazon Simple Email Service
  • Amazon Simple Notification Service
  • Amazon WorkMail
  • AWS Elemental MediaConnect
  • AWS IoT Core***

* In certain circumstances, Amazon Cognito uses Amazon Simple Email Service (Amazon SES) to send user emails and Amazon Simple Notification Service (Amazon SNS) to send user SMS text messages. If Amazon SES is not available in the Region, Amazon Cognito calls Amazon SES endpoints in a different AWS Region. Similarly, if Amazon SNS is not available in the Region, Amazon Cognito calls Amazon SNS endpoints in a different AWS Region.
** In certain circumstances, AWS IAM Identity Center uses Amazon Simple Email Service (Amazon SES) to send user emails. If Amazon SES is not available in the Region, IAM Identity Center calls Amazon SES endpoints in a different AWS Region.
*** To the extent you use the IoT Core for Amazon Sidewalk feature, or have enabled the Device Location feature supported by HERE.
