GDPR Flashcards

1
Q

Customers have control of their customer data. With AWS, customers can:

A

1) Determine where their data will be stored, including the type of storage and geographic region.
2) Choose the secured state of their customer data: encryption in transit or at rest, and the option to manage their own encryption keys.
3) Manage access to their customer data and AWS services and resources through users, groups, permissions and credentials that customers control.

2
Q

How does AWS classify customer information?

A

Customer content and account information.

3
Q

How does AWS classify customer content?

A

AWS defines customer content as software (including machine images), data, text, audio, video, or images that a customer or any end user transfers to us for processing, storage, or hosting by AWS services in connection with that customer’s account, and any computational results that a customer or any end user derives from the foregoing through their use of AWS services.

For example, customer content includes content that a customer or any end user stores in Amazon Simple Storage Service (S3).

Customer content does not include account information, which we describe below.

4
Q

The terms of the AWS Customer Agreement and the AWS Service Terms apply

A

to your customer content.

5
Q

How does AWS define “account information”?

A

As information about a customer that a customer provides to us in connection with the creation or administration of a customer account.

For example, account information includes names, usernames, phone numbers, email addresses, and billing information associated with a customer account.

6
Q

The information practices described in the AWS Privacy Notice apply to

A

account information.

7
Q

Who owns customer content at AWS?

A

As a customer, you maintain ownership of your content, and you select which AWS services can process, store, and host your content.

AWS does not access or use your content for any purpose without your agreement.

AWS never uses customer content or derives information from it for marketing or advertising.

8
Q

Who controls the customer content?

A

As a customer, you control your content.

  • You determine where your content will be stored, including the type of storage and geographic region of that storage.
  • You choose the secured state of your content. We offer customers industry-leading encryption features to protect your content in transit and at rest, and we provide you with the option to manage your own encryption keys.
  • You manage access to your content, and access to AWS services and resources through users, groups, permissions, and credentials that you control.
9
Q

How does AWS use customer account information?

A

The AWS Privacy Notice describes how we collect and use account information. We know that you care how account information is used, and we appreciate your trust that we will do so carefully and sensibly.

10
Q

What happens when AWS receives a legal request for customer content?

A

We are vigilant about our customers’ privacy. We will not disclose customer content unless we’re required to do so to comply with the law or a binding order of a governmental body.

If a governmental body sends AWS a demand for customer content, we will attempt to redirect the governmental body to request that data directly from the customer. Governmental and regulatory bodies need to follow the applicable legal process to obtain valid and binding orders. We review all orders and object to overbroad or otherwise inappropriate ones.

If compelled to disclose customer content to a government body, we will give customers reasonable notice of the demand to allow the customer to seek a protective order or other appropriate remedy unless AWS is legally prohibited from doing so.

It is also important to point out that our customers can encrypt their customer content, and we provide customers with the option to manage their own encryption keys.

We know that transparency matters to our customers, so we regularly publish a report about the types and volume of information requests we receive on the Amazon Information Requests webpage.

11
Q

Where is customer content stored at AWS?

A

Where the customer chooses: the AWS Region(s) in accordance with your specific geographic requirements.

You can replicate and back up your customer content in more than one AWS Region.

12
Q

What is the customer’s role in securing their content?

A

When evaluating the security of a cloud solution, it is important for the customer to understand and distinguish between the security of the cloud, and the CUSTOMER’S security in the cloud.

Security of the cloud encompasses the security measures that AWS implements and operates. AWS is responsible for security of the cloud.

Security in the cloud encompasses the security measures that the CUSTOMER implements and operates, related to the AWS services they use.

THE CUSTOMER is responsible for their security in the cloud. For more information, see the AWS Shared Responsibility webpage.

13
Q

What steps does AWS take to protect customer privacy?

A

At AWS, our highest priority is securing our customers’ data, and we implement rigorous contractual, technical and organizational measures to protect its confidentiality, integrity, and availability regardless of which AWS Region a customer has selected.

AWS complies with ISO 27018, a code of practice that focuses on protection of personal data in the cloud. It extends ISO information security standard 27001 to cover the regulatory requirements for the protection of personally identifiable information (PII) or personal data for the public cloud computing environment and specifies implementation guidance based on ISO 27002 controls that is applicable to PII processed by public cloud service providers. For more information, or to view the AWS ISO 27018 Certification, see the AWS ISO 27018 Compliance webpage.

Additionally, AWS publishes a SOC 2 Type I Privacy report, based on the SOC 2 Privacy Trust Principle, developed by the American Institute of CPAs (AICPA), which establishes criteria for evaluating controls related to how personal data is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives. The AWS SOC 2 Privacy Type I report provides third-party attestation of our systems and the suitability of the design of our privacy controls, as stated in our Privacy Notice. The scope of the privacy report includes information about how we handle the content that you upload to AWS and how it is protected in all of the services and locations that are in scope for the latest AWS SOC reports. The SOC 2 Type I Privacy report can be downloaded through AWS Artifact in the AWS Management Console.

14
Q

Who should the customer contact regarding AWS and data protection?

A

We recommend that customers with questions regarding AWS and data protection contact their AWS account manager. If customers have signed up for Enterprise Support, they can also reach out to their Technical Account Manager (TAM) for support. AWS account managers and TAMs work with Solutions Architects to help customers meet their compliance needs. AWS can’t provide legal advice to customers, and we recommend that customers consult their legal counsel if they have legal questions regarding data protection.

We also have teams of Enterprise Support Representatives, Professional Services Consultants, and other staff to help with privacy questions. You can contact us with questions here.

15
Q

Our commitments include:

A

Access: As a customer, you maintain full control of your content that you upload to the AWS services under your AWS account, and responsibility for configuring access to AWS services and resources. We provide an advanced set of access, encryption, and logging features to help you do this effectively (e.g., AWS Identity and Access Management, AWS Organizations and AWS CloudTrail). We provide APIs for you to configure access control permissions for any of the services you develop or deploy in an AWS environment. We do not access or use your content for any purpose without your agreement. We never use your content or derive information from it for marketing or advertising purposes.

Storage: You choose the AWS Region(s) in which your content is stored. You can replicate and back up your content in more than one AWS Region. We will not move or replicate your content outside of your chosen AWS Region(s) without your agreement, except as necessary to comply with the law or a binding order of a governmental body.

Security: You choose how your content is secured. We offer you industry-leading encryption features to protect your content in transit and at rest, and we provide you with the option to manage your own encryption keys. These data protection features include:

  • Data encryption capabilities available in over 100 AWS services.
  • Flexible key management options using AWS Key Management Service (KMS), allowing customers to choose whether to have AWS manage their encryption keys or enabling customers to keep complete control over their keys.

Disclosure of customer content: We will not disclose customer content unless we’re required to do so to comply with the law or a binding order of a government body. If a governmental body sends AWS a demand for customer content, we will attempt to redirect the governmental body to request that data directly from the customer. If compelled to disclose customer content to a government body, we will give customers reasonable notice of the demand to allow the customer to seek a protective order or other appropriate remedy unless AWS is legally prohibited from doing so.

Security Assurance: We have developed a security assurance program that uses best practices for global privacy and data protection to help you operate securely within AWS, and to make the best use of our security control environment. These security protections and control processes are independently validated by multiple third-party independent assessments.

16
Q

These reports and certifications are produced by independent third-party auditors, and attest to the design and operating effectiveness of AWS security controls.

A

AWS ISO 27001,
AWS ISO 27017,
AWS ISO 27018

17
Q

Which certification demonstrates that AWS has a system of controls in place that specifically address the privacy protection of customer content?

A

AWS ISO 27018

18
Q

Where can AWS compliance certifications and reports be requested?

A

AWS Artifact

19
Q

Where can more information on AWS compliance certifications, reports, and alignment with best practices and standards be found?

A

on the AWS Compliance site.

20
Q

Who determines what content is stored or processed using AWS services?

A

Customers

21
Q

Why must the customer determine what level of security is appropriate for the content they store and process using AWS?

A

Because it is the customer who decides what content to store or process using AWS services.

22
Q

Customers have complete control over:

A

1) which services they use
2) whom they empower to access their content and services and
3) what credentials are required.