
Security and privacy for AWS

AWS uses a shared responsibility model for security and compliance. Broadly, under this model AWS is responsible for securing the underlying infrastructure used to deliver its cloud services, while you retain responsibility for any data that you store within your AWS Organization. In addition, you continue to be responsible for some elements of security and compliance when using services covered by the AWS framework agreement.

The division of responsibilities for security and compliance varies between the different services offered under the AWS framework agreement. You must ensure that you are aware of the elements for which you retain responsibility on a per-service basis. This is normally outlined in the service description.

 

Consequently, when taking any service under the AWS framework agreement you must be aware of the following:

  • AWS is responsible for securing the underlying infrastructure used to deliver its services. However, you may remain responsible for configuration settings relating to patches and maintenance. For example, in some services you may need to configure how often and when software updates are applied and when any backups are scheduled.
  • AWS provides security and compliance information through AWS Artifact. You can use this to view Service Organization Control Reports, Payment Card Industry (PCI) Reports and check any certifications that apply to the AWS security controls in use on your AWS Organization account.

  • You can adjust the configuration settings for any service in the AWS console. Such adjustments may affect the security settings applied to your data and other arrangements relating to compliance. Training and support to assist you in developing expertise in how best to configure AWS for your needs is available.
  • The AWS General Data Protection Regulation (GDPR) Centre provides comprehensive information about how different AWS services comply with GDPR. The AWS Data Processing Addendum is incorporated into the AWS service terms.
  • You remain responsible for any data that you transfer, process or store within AWS, and the University continues to be the Data Controller for any such data. Consequently, you must ensure that you have analysed the security and any data protection requirements for each of your AWS use cases and that these are appropriate for the data you intend to transfer to AWS.

If you are considering transferring, processing or storing any health data, including anonymised health data, in AWS, you must consult in the Clinical School before any data transfers are made.

The University's AWS contractual terms specifically exclude AWS from any liability as a result of data loss.
