
IT Help and Support

University Information Services
 

AWS uses a shared responsibility model for security and compliance. Broadly, under this model AWS is responsible for securing the underlying infrastructure used to deliver its cloud services, while you retain responsibility for any data that you store within your AWS Organization. You also continue to be responsible for some elements of security and compliance when using services covered by the AWS framework agreement.

The division of responsibilities for security and compliance varies between the different services offered under the AWS framework agreement. You must ensure that you are aware of the elements for which you retain responsibility on a per-service basis. This is normally outlined in the service description.

 

Consequently, when taking any service under the AWS framework agreement you must be aware of the following:

  • AWS is responsible for securing the underlying infrastructure used to deliver its services. However, you may remain responsible for configuration settings relating to patches and maintenance. For example, in some services you may need to configure how often and when software updates are applied and backups are scheduled.
  • AWS provides security and compliance information through AWS Artifact. You can use this to view Service Organization Control Reports, Payment Card Industry (PCI) Reports and check any certifications that apply to the AWS security controls in use on your AWS Organization account.

  • You can adjust the configuration settings for any service in the AWS console. Such adjustments may affect the security settings applied to your data and other arrangements relating to compliance. Training and support are available to help you develop expertise in how best to configure AWS for your needs.
  • The AWS General Data Protection Regulation (GDPR) Centre provides comprehensive information about how different AWS services comply with GDPR. The AWS Data Processing Addendum is incorporated into the AWS service terms.
  • You remain responsible for any data that you transfer, process or store within AWS, and the University continues to be the Data Controller for any such data. Consequently, you must ensure that you have analysed the security and any data protection requirements for each of your AWS use cases and that these are appropriate for the data you intend to transfer to AWS.

If you are considering transferring, processing or storing any health data, including anonymised health data, in AWS, you must consult in the Clinical School before any data transfers are made.

The University's AWS contractual terms specifically exclude AWS from any liability as a result of data loss.