U-M offers access to Amazon Web Services (AWS) under a University of Michigan enterprise agreement. AWS provides a variety of cloud-based infrastructure services (storage, database, compute) that the U-M community may choose to consume under a U-M master account.
The U-M offering of Amazon Web Services (AWS) is an ISO 27001-certified, university contracted-for service. It provides a secure environment within which to maintain or share the university's sensitive unregulated data.
In addition, the U-M offering of AWS provides an environment that is compliant with regulations for some types of sensitive regulated data. AWS has achieved FedRAMP compliance status. It has also received Federal Information Security Management Act (FISMA) Moderate Authorization and Accreditation for the following services (which are part of the U-M offering of AWS), as long as the region where the data is housed is in the United States (you can request specific regions when you set up your account in Amazon Web Services):
- Amazon Elastic Compute Cloud (Amazon EC2). If your data is classified at the High or Moderate level, we recommend that you use a Center for Internet Security (CIS)-compliant image to build your instance. Select this in the console under third-party-provided images.
- Amazon Elastic Block Storage (Amazon EBS)
- Amazon Simple Storage Service (Amazon S3)
- Amazon Virtual Private Cloud (Amazon VPC)
While the U-M offering of AWS is secure, it does not comply with some regulatory requirements for specific types of sensitive regulated data. Among the types of information that may not be maintained, shared, or processed in the U-M offering of AWS are:
- Protected Health Information. This is because the university and AWS have not come to agreement on the necessary Business Associate Agreement mandated by HIPAA.
- Export Controlled Research. This is because AWS cannot ensure that only U.S. persons have access to or maintain its systems. Note: Amazon GovCloud services may be used for Export Control regulated information.
Social Security numbers should only be used where required by law or where they are essential for university business processes. Information Assurance (IA) can help you explore appropriate storage locations or work with you to appropriately encrypt the data if those alternatives will not work for you. (Contact IA via the ITS Service Center.)
Keep in mind that compliance is a shared responsibility. You must also take any steps required by your role or unit to comply with relevant regulatory requirements.