IT Help and Support

University Information Services
 

AWS is a wrapper for many intermittently changing cloud services delivered through the Amazon platform. One significant advantage of using AWS is that it provides a wide range of high-level security and compliance-related certifications. However, there are important considerations that need to be evaluated before taking any service from the AWS portfolio; these are outlined on this page.

Contractual issues

Every service provided by AWS uses a shared security responsibility model. Note that the boundaries between those elements of security that remain your responsibility and those that become the responsibility of the service you are taking vary by service. You must ensure you understand which aspects of security you remain responsible for on a per-service basis and take appropriate measures to protect and secure any data transferred to, processed by, or stored in each service you take.

 

You must evaluate the relative advantages, disadvantages and any associated risk of transferring and/or processing data for every service you take under the AWS framework agreement. Each service is provided on an as-is basis; contractual liabilities cannot be re-negotiated or adapted to accommodate specific use cases. Particular care should be taken when evaluating services that will be used where a third party is involved, such as a research funder or commercial client, as AWS strictly limits any liabilities that arise from its use. You are strongly advised to check with any such third party that your proposed use of AWS is acceptable to them before contracting individual services or transferring any data to those services.

As the University's framework agreement places low limits on any liability in favour of AWS, you must consider the following when evaluating each service:

  • Service description: You are solely responsible for assessing whether any particular service will meet your needs based on the published description.
  • Pricing: Note that this includes any charges for data transfer and storage and that the pricing model in use can be varied by AWS during the life of any agreement.
  • Configuration: You are responsible for ensuring that you have chosen configuration options that are appropriate for any data transferred to AWS. Multiple training options are available to assist you in developing greater expertise in using and configuring AWS.
  • Data: The nature and classification of any data you are considering transferring to, or processing in, AWS.
  • Data protection:

    Using AWS does not dispense with the need to comply with Data Protection legislation (DPIAs etc.) for personal data. If any personal data is to be transferred, processed or stored in a service, note this on your order form and ensure that you have also formally notified AWS by sending an email to

  • Security: If any special security considerations apply to data being transferred, processed or stored in AWS, these must be explicitly available in the published AWS Service Description. You must also ensure that the required security settings have been configured and applied to your data.

  • Milestones: Some services have milestones. You must state your acceptance criteria to ensure that the features of the service you require are fulfilled before being obliged to pay for that service.
  • Terminology: Ensure that you use the correct terminology when stipulating the limits of how AWS may process any data you transfer to one or more Services. This applies to any data, but is especially important with regard to personal data.
  • Payments: AWS is billed monthly, retrospectively based on actual use. AWS' payment terms require you to settle all invoices strictly within 30 days of receipt.
  • Offboarding and exit strategy: You are responsible for backing up any data you have transferred to AWS. All data held by a Service will be deleted within 30 days of termination of that Service.
  • Funder requirements: Check and confirm any funder requirements relating to Open Access. AWS must ensure it has third party clearance so that you can publish any output as open source.
  • Privacy: Check the relevant privacy policy for each AWS Service about what metadata and any other information AWS collects relating to your use to ensure that it is appropriate for your use case(s).
  • Intellectual property rights: You must specify any IP rights that you require when engaging AWS to provide a professional service. For example, this could include reports generated, analyses undertaken and any code developed. The default position is that AWS retains such IP rights.

Key compliance tasks for University staff

Under the UIS agreement there are a number of aspects where IT Managers must comply with AWS requirements when first setting up their AWS Organization, or when adding any new AWS products:

  • You must at all times comply with the AWS Acceptable Use Policy
  • Ensure you select the correct Supplier region
  • Ensure you report any account IDs that will be governed by the Framework agreement to
  • Ensure you report any use of personal data to
  • Ensure that if you are transferring personal data to AWS you have familiarised yourself with AWS' data protection and security arrangements, agree to them and have purchased AWS Business support as a minimum support level
  • Ensure that if you are transferring personal data to AWS you have put appropriate security measures in place under AWS' shared security model
  • Ensure that the AWS environmental policy meets your needs and any University policies relating to sustainability
  • Ensure that you have evaluated whether AWS is appropriate for the storage and processing of any valuable data, which includes but is not limited to personal data. 
  • Ensure that, if taking any Professional Services or Training from AWS, you make available staff with the appropriate level of expertise to agree one or more Statements of Work on behalf of your Institution with AWS.

Contractual obligations on AWS

You should be aware that the University's agreement with AWS places significant limits on any liability on the part of AWS. However, AWS remains responsible for:

  • Implementing appropriate organisational, operational and technological processes to keep your Data safe from unauthorised use or access, loss, destruction, theft or disclosure.
  • Notifying you if it becomes aware that any data you have stored in AWS has become corrupted, lost, breached or degraded, and complying with any reasonable action suggested by you to recover such data. This will be at AWS' cost if AWS is responsible for such loss.
  • Assisting you in complying with your obligations in respect of data protection impact assessments and prior consultation in line with Articles 35 and 36 of the GDPR, by providing the ISO 27001, 27017 & 27018 Certifications, relevant SOC Reports and annual Audit report (subject to a Non-Disclosure Agreement).