Privacy Features of AWS Services

AWS is vigilant about your privacy, and we provide the most flexible and secure cloud computing environment available today. With AWS, you own your data, you control its location, and you control who has access to it. We are transparent about how AWS services process the personal data you upload to your AWS account (customer data), and we provide capabilities that allow you to encrypt, delete, and monitor the processing of your customer data.

You can use AWS services with the confidence that your customer data stays in the AWS Region you select. A small number of AWS services involve the transfer of customer data, either to develop and improve those services (in which case you can opt out of the transfer) or because transfer is an essential part of the service (such as a content delivery service). We prohibit, and our systems are designed to prevent, remote access by AWS personnel to customer data for any purpose, including service maintenance, unless access is requested by you, is required to prevent fraud and abuse, or to comply with law.

Below we provide an overview of the key privacy features of AWS services, which you can use to perform data transfer assessments in accordance with the Schrems II decision of the Court of Justice of the European Union and the European Data Protection Board Recommendations on measures that supplement transfer tools.

You can click on the underlined check marks in the table below for AWS documentation about how AWS services enable customers to encrypt, delete, and monitor the processing of their customer data.

| AWS service | Customer can encrypt | Customer can delete | Customer can monitor processing | No remote access* |
|---|---|---|---|---|
| Amazon API Gateway | ✓ | ✓ | ✓ | ✓ |
| Amazon AppFlow | ✓ | ✓ | ✓ | ✓ |
| Amazon AppStream 2.0 | ✓ | ✓ | ✓ | ✓ |
| Amazon AppStream 2.0 User Pools | ✓ | ✓ | ✓ | ✓ |
| Amazon Athena | ✓ | ✓ | ✓ | ✓ |
| Amazon Augmented AI (A2I) | ✓ | ✓ | ✓ | ✓ |
| Amazon Aurora | ✓ | ✓ | ✓ | ✓ |
| Amazon Bedrock¹ | ✓ | ✓ | ✓ | ✓ |
| Amazon Braket | ✓ | ✓ | ✓ | ✓ |
| Amazon Chime | ✓ | ✓ | ✓ | ✓ |
| Amazon Cloud Directory | ✓ | ✓ | ✓ | ✓ |
| Amazon CloudFront | ✓ | ✓ | ✓ | ✓ |
| Amazon CloudWatch | ✓ | ✓ | ✓ | ✓ |
| Amazon CloudWatch Logs | ✓ | ✓ | ✓ | ✓ |
| Amazon CodeGuru Profiler | ✓ | ✓ | ✓ | ✓ |
| Amazon CodeGuru Reviewer | ✓ | ✓ | ✓ | ✓ |
| Amazon Cognito | ✓ | ✓ | ✓ | ✓ |
| Amazon Comprehend | ✓ | ✓ | ✓ | ✓ |
| Amazon Connect² | ✓ | ✓ | ✓ | ✓ |
| Amazon Detective | ✓ | ✓ | ✓ | ✓ |
| Amazon DocumentDB (with MongoDB compatibility) | ✓ | ✓ | ✓ | ✓ |
| Amazon DynamoDB | ✓ | ✓ | ✓ | ✓ |
| Amazon Elastic Block Store (Amazon EBS) | ✓ | ✓ | ✓ | ✓ |
| Amazon Elastic Compute Cloud (Amazon EC2) | ✓ | ✓ | ✓ | ✓ |
| Amazon Elastic Container Registry (Amazon ECR) | ✓ | ✓ | ✓ | ✓ |
| Amazon Elastic Container Service (Amazon ECS) | ✓ | ✓ | ✓ | ✓ |
| Amazon Elastic File System (Amazon EFS) | ✓ | ✓ | ✓ | ✓ |
| Amazon Elastic Kubernetes Service (Amazon EKS) | ✓ | ✓ | ✓ | ✓ |
| Amazon ElastiCache for Memcached³ | ✓² | ✓ | ✓ | ✓ |
| Amazon ElastiCache for Redis | ✓ | ✓ | ✓ | ✓ |
| Amazon EMR | ✓ | ✓ | ✓ | ✓ |
| Amazon EventBridge | ✓ | ✓ | ✓ | ✓ |
| Amazon Forecast | ✓ | ✓ | ✓ | ✓ |
| Amazon Fraud Detector | ✓ | ✓ | ✓ | ✓ |
| Amazon FSx for Lustre | ✓ | ✓ | ✓ | ✓ |
| Amazon FSx for ONTAP | ✓ | ✓ | ✓ | ✓ |
| Amazon FSx for OpenZFS | ✓ | ✓ | ✓ | ✓ |
| Amazon FSx for Windows File Server | ✓ | ✓ | ✓ | ✓ |
| Amazon GameLift | ✓ | ✓ | ✓ | ✓ |
| Amazon GuardDuty | ✓ | ✓ | ✓ | ✓ |
| Amazon HealthLake | ✓ | ✓ | ✓ | ✓ |
| Amazon Inspector | ✓ | ✓ | ✓ | ✓ |
| Amazon Inspector Classic | ✓ | ✓ | ✓ | ✓ |
| Amazon Interactive Video Service (IVS) | ✓ | ✓ | ✓ | ✓ |
| Amazon Kendra | ✓ | ✓ | ✓ | ✓ |
| Amazon Keyspaces | ✓ | ✓ | ✓ | ✓ |
| Amazon Managed Service for Apache Flink for Java Applications | ✓ | ✓ | ✓ | ✓ |
| Amazon Managed Service for Apache Flink for SQL Applications | ✓ | ✓ | ✓ | ✓ |
| Amazon Kinesis Data Firehose | ✓ | ✓ | ✓ | ✓ |
| Amazon Kinesis Data Streams | ✓ | ✓ | ✓ | ✓ |
| Amazon Kinesis Video Streams | ✓ | ✓ | ✓ | ✓ |
| Amazon Lex | ✓ | ✓ | ✓ | ✓ |
| Amazon Lightsail | ✓ | ✓ | ✓ | ✓ |
| Amazon Location Service | ✓ | ✓ | ✓ | ✓ |
| Amazon Macie | ✓ | ✓ | ✓ | ✓ |
| Amazon Managed Blockchain (AMB) | ✓ | ✓ | ✓ | ✓ |
| Amazon Managed Service for Grafana (AMG) | ✓ | ✓ | ✓ | ✓ |
| Amazon Managed Service for Prometheus (AMP) | ✓ | ✓ | ✓ | ✓ |
| Amazon Managed Streaming for Kafka (MSK) | ✓ | ✓ | ✓ | ✓ |
| Amazon Managed Workflows for Apache Airflow (MWAA) | ✓ | ✓ | ✓ | ✓ |
| Amazon MemoryDB for Redis | ✓ | ✓ | ✓ | ✓ |
| Amazon MQ | ✓ | ✓ | ✓ | ✓ |
| Amazon Neptune | ✓ | ✓ | ✓ | ✓ |
| Amazon OpenSearch Service | ✓ | ✓ | ✓ | ✓ |
| Amazon Personalize | ✓ | ✓ | ✓ | ✓ |
| Amazon Pinpoint | ✓ | ✓ | ✓ | ✓ |
| Amazon Polly | ✓ | ✓ | ✓ | ✓ |
| Amazon Q Business | ✓ | ✓ | ✓ | ✓ |
| Amazon Q Developer | ✓ | ✓ | ✓ | ✓ |
| Amazon Quantum Ledger Database (QLDB) | ✓ | ✓ | ✓ | ✓ |
| Amazon QuickSight² | ✓ | ✓ | ✓ | ✓ |
| Amazon Redshift | ✓ | ✓ | ✓ | ✓ |
| Amazon Rekognition | ✓ | ✓ | ✓ | ✓ |
| Amazon Relational Database Service (Amazon RDS) | ✓ | ✓ | ✓ | ✓ |
| Amazon SageMaker | ✓ | ✓ | ✓ | ✓ |
| Amazon Simple Email Service (Amazon SES) | ✓ | ✓ | ✓ | ✓ |
| Amazon Simple Notification Service (Amazon SNS) | ✓ | ✓ | ✓ | ✓ |
| Amazon Simple Queue Service (Amazon SQS) | ✓ | ✓ | ✓ | ✓ |
| Amazon Simple Storage Service (Amazon S3) | ✓ | ✓ | ✓ | ✓ |
| Amazon Simple Storage Service Glacier | ✓ | ✓ | ✓ | ✓ |
| Amazon Simple Workflow Service (Amazon SWF) | ✓ | ✓ | ✓ | ✓ |
| Amazon Textract | ✓ | ✓ | ✓ | ✓ |
| Amazon Timestream | ✓ | ✓ | ✓ | ✓ |
| Amazon Transcribe | ✓ | ✓ | ✓ | ✓ |
| Amazon Translate | ✓ | ✓ | ✓ | ✓ |
| Amazon Virtual Private Cloud (Amazon VPC) | ✓ | ✓ | ✓ | ✓ |
| Amazon WorkDocs | ✓ | ✓ | ✓ | ✓ |
| Amazon WorkLink | ✓ | ✓ | ✓ | ✓ |
| Amazon WorkMail | ✓ | ✓ | ✓ | ✓ |
| Amazon WorkSpaces | ✓ | ✓ | ✓ | ✓ |
| Amazon WorkSpaces Application Manager (Amazon WAM) | ✓ | ✓ | ✓ | ✓ |
| AWS Amplify | ✓ | ✓ | ✓ | ✓ |
| AWS App Mesh | ✓ | ✓ | ✓ | ✓ |
| AWS App Runner | ✓ | ✓ | ✓ | ✓ |
| AWS Application Discovery Service | ✓ | ✓ | ✓ | ✓ |
| AWS Application Migration Service | ✓ | ✓ | ✓ | ✓ |
| AWS AppSync | ✓ | ✓ | ✓ | ✓ |
| AWS Audit Manager | ✓ | ✓ | ✓ | ✓ |
| AWS Backup | ✓ | ✓ | ✓ | ✓ |
| AWS Certificate Manager (ACM) | ✓ | ✓ | ✓ | ✓ |
| AWS Clean Rooms | ✓ | ✓ | ✓ | ✓ |
| AWS Cloud9 | ✓ | ✓ | ✓ | ✓ |
| AWS CloudFormation | ✓ | ✓ | ✓ | ✓ |
| AWS CloudHSM | ✓ | ✓ | ✓ | ✓ |
| AWS CloudShell | ✓ | ✓ | ✓ | ✓ |
| AWS CloudTrail | ✓ | ✓ | ✓ | ✓ |
| AWS CodeArtifact | ✓ | ✓ | ✓ | ✓ |
| AWS CodeBuild | ✓ | ✓ | ✓ | ✓ |
| AWS CodeCommit | ✓ | ✓ | ✓ | ✓ |
| AWS CodeDeploy | ✓ | ✓ | ✓ | ✓ |
| AWS CodePipeline | ✓ | ✓ | ✓ | ✓ |
| AWS CodeStar | ✓ | ✓ | ✓ | ✓ |
| AWS Config | ✓ | ✓ | ✓ | ✓ |
| AWS Control Tower | ✓ | ✓ | ✓ | ✓ |
| AWS Database Migration Service (AWS DMS) | ✓ | ✓ | ✓ | ✓ |
| AWS Data Exchange | ✓ | ✓ | ✓ | ✓ |
| AWS DataSync | ✓ | ✓ | ✓ | ✓ |
| AWS Device Farm | ✓ | ✓ | ✓ | ✓ |
| AWS Direct Connect | ✓ | ✓ | ✓ | ✓ |
| AWS Directory Service | ✓ | ✓ | ✓ | ✓ |
| AWS Elastic Beanstalk | ✓ | ✓ | ✓ | ✓ |
| AWS Elastic Disaster Recovery | ✓ | ✓ | ✓ | ✓ |
| AWS Elastic Transcoder | ✓ | ✓ | ✓ | ✓ |
| AWS Elemental MediaConnect | ✓ | ✓ | ✓ | ✓ |
| AWS Elemental MediaConvert | ✓ | ✓ | ✓ | ✓ |
| AWS Elemental MediaLive | ✓ | ✓ | ✓ | ✓ |
| AWS Elemental MediaPackage | ✓ | ✓ | ✓ | ✓ |
| AWS Elemental MediaStore | ✓ | ✓ | ✓ | ✓ |
| AWS Entity Resolution | ✓ | ✓ | ✓ | ✓ |
| AWS Fargate | ✓ | ✓ | ✓ | ✓ |
| AWS Firewall Manager | ✓ | ✓ | ✓ | ✓ |
| AWS Global Accelerator | ✓ | ✓ | ✓ | ✓ |
| AWS Glue | ✓ | ✓ | ✓ | ✓ |
| AWS Glue DataBrew | ✓ | ✓ | ✓ | ✓ |
| AWS IAM Identity Center | | ✓ | ✓ | ✓ |
| AWS IoT Analytics | ✓ | ✓ | ✓ | ✓ |
| AWS IoT Core | ✓ | ✓ | ✓ | ✓ |
| AWS IoT Device Management | ✓ | ✓ | ✓ | ✓ |
| AWS IoT Events | ✓ | ✓ | ✓ | ✓ |
| AWS IoT Greengrass V1 | ✓ | ✓ | ✓ | ✓ |
| AWS IoT Greengrass V2 | ✓ | ✓ | ✓ | ✓ |
| AWS IoT SiteWise | ✓ | ✓ | ✓ | ✓ |
| AWS IoT Things Graph | ✓ | ✓ | ✓ | ✓ |
| AWS IQ | ✓ | ✓ | ✓ | ✓ |
| AWS Key Management Service (AWS KMS) | ✓ | ✓ | ✓ | ✓ |
| AWS Lake Formation | ✓ | ✓ | ✓ | ✓ |
| AWS Lambda | ✓ | ✓ | ✓ | ✓ |
| AWS License Manager | ✓ | ✓ | ✓ | ✓ |
| AWS Migration Hub | ✓ | ✓ | ✓ | ✓ |
| AWS OpsWorks for Chef Automate | ✓ | ✓ | ✓ | ✓ |
| AWS OpsWorks for Puppet Enterprise | ✓ | ✓ | ✓ | ✓ |
| AWS OpsWorks Stacks | ✓ | ✓ | ✓ | ✓ |
| AWS Outposts | ✓ | ✓ | ✓ | ✓ |
| AWS RoboMaker | ✓ | ✓ | ✓ | ✓ |
| AWS Secrets Manager | ✓ | ✓ | ✓ | ✓ |
| AWS Security Hub | ✓ | ✓ | ✓ | ✓ |
| AWS Serverless Application Repository | ✓ | ✓ | ✓ | ✓ |
| AWS Service Catalog | ✓ | ✓ | ✓ | ✓ |
| AWS Snowball Edge | ✓ | ✓ | ✓ | ✓ |
| AWS Snowcone | ✓ | ✓ | ✓ | ✓ |
| AWS Snowmobile | ✓ | ✓ | ✓ | ✓ |
| AWS Step Functions | ✓ | ✓ | ✓ | ✓ |
| AWS Storage Gateway for FSx File Gateway | ✓ | ✓ | ✓ | ✓ |
| AWS Storage Gateway for S3 File Gateway | ✓ | ✓ | ✓ | ✓ |
| AWS Storage Gateway for Tape Gateway | ✓ | ✓ | ✓ | ✓ |
| AWS Storage Gateway for Volume Gateway | ✓ | ✓ | ✓ | ✓ |
| AWS Supply Chain² | ✓ | ✓ | ✓ | ✓ |
| AWS Systems Manager | ✓ | ✓ | ✓ | ✓ |
| AWS Transfer Family | ✓ | ✓ | ✓ | ✓ |
| AWS WAF | ✓ | ✓ | ✓ | ✓ |
| AWS X-Ray | ✓ | ✓ | ✓ | ✓ |
| CloudEndure Disaster Recovery (an AWS Company) | ✓ | ✓ | ✓ | ✓ |
| CloudEndure Migration (an AWS Company) | ✓ | ✓ | ✓ | ✓ |
| Contact Lens for Amazon Connect | ✓ | ✓ | ✓ | ✓ |
| FreeRTOS | ✓ | ✓ | ✓ | ✓ |

* Unless access is requested by you, is required to prevent fraud and abuse, or to comply with law.

1 Processing occurs in conjunction with the foundational model (FM) you choose.

2 See the applicable service documentation for information about Amazon Q.

3 Amazon ElastiCache for Memcached supports encryption in transit. By design, Memcached doesn't provide persistent disk storage, and only stores data in memory for the time needed for the customer's application. ElastiCache also supports memory encryption when choosing Graviton instances of family types r6g and m6g. All data-storing AWS services offer encryption.

AWS services that allow customers to opt out of transfers of customer data

The following AWS services transfer customer data to develop and improve those services, and you can opt out of that transfer.  

  • Amazon CodeGuru Profiler
  • Amazon Comprehend
  • Amazon Connect*
  • Amazon Fraud Detector
  • Amazon GuardDuty**
  • Amazon Lex
  • Amazon Polly
  • Amazon Rekognition
  • Amazon Textract
  • Amazon Transcribe
  • Amazon Translate
  • AWS Supply Chain

* This entry encompasses, for example, Amazon Connect Customer Profiles and Amazon Connect outbound campaigns, as well as Amazon Q features that are available in Amazon Connect.
** This AWS service will involve a transfer to the extent you have enabled the new Amazon GuardDuty Malware Protection feature.

AWS services that transfer customer data as an essential function of the service

The following AWS services transfer customer data as an essential function of the service. For example, if you choose to send messages via Amazon Simple Notification Service, the content of those messages will transfer to the location of the recipients.  

  • Amazon AppStream 2.0 User Pool
  • Amazon Chime
  • Amazon CloudFront
  • Amazon Cognito*
  • AWS IAM Identity Center**
  • Amazon Interactive Video Service (IVS)
  • Amazon Location Service
  • Amazon Pinpoint
  • Amazon Simple Email Service
  • Amazon Simple Notification Service
  • Amazon WorkMail
  • AWS Elemental MediaConnect
  • AWS IoT Core***

* In certain circumstances, Amazon Cognito uses Amazon Simple Email Service (Amazon SES) to send user emails and Amazon Simple Notification Service (Amazon SNS) to send user SMS text messages. If Amazon SES is not available in Region, Amazon Cognito calls Amazon SES' endpoints in a different AWS Region. More information can be found here. Similarly, if Amazon SNS is not available in Region, Amazon Cognito calls Amazon SNS' endpoints in a different AWS Region. More information can be found here.
** In certain circumstances, AWS IAM Identity Center uses Amazon Simple Email Service (Amazon SES) to send user emails. If Amazon SES is not available in Region, IAM Identity Center calls Amazon SES' endpoints in a different AWS Region. More information can be found here.
*** To the extent you use the IoT Core for Amazon Sidewalk feature, or the Device Location feature supported by HERE is enabled.
