M Cloud - Amazon Web Services (AWS)

Description of Service: 

M Cloud is a U-M offering of public cloud services to the U-M community. M Cloud currently includes the offering of Amazon Web Services (AWS) under a University of Michigan enterprise agreement. AWS provides a variety of cloud-based infrastructure services (storage, database, compute) that the U-M community may choose to consume under a U-M master account.

Description of Compliance: 

The M Cloud offering of Amazon Web Services (AWS) is an ISO 27001-certified, university contracted-for service. It provides a secure environment within which to maintain or share the university's sensitive unregulated data. 

In addition, the M Cloud offering of AWS provides an environment that is compliant with regulations for some types of sensitive regulated data. AWS has achieved FedRAMP compliance status. It has also received Federal Information Security Management Act (FISMA) Moderate Authorization and Accreditation for the following services (which are part of the M Cloud offering of AWS), as long as the region where the data is housed is in the United States (you can request specific regions when you set up your account in Amazon Web Services):

  • Amazon Elastic Compute Cloud (Amazon EC2)
  • Amazon Elastic Block Storage (Amazon EBS)
  • Amazon Simple Storage Service (Amazon S3)
  • Amazon Virtual Private Cloud (Amazon VPC)

While the M Cloud offering of AWS is secure, it does not comply with some regulatory requirements for specific types of sensitive regulated data. Among the types of information that may not be maintained, shared, or processed in the M Cloud offering of AWS are:

  • Protected Health Information. This is because the university and AWS have not come to agreement on the necessary Business Associate Agreement mandated by HIPAA.
  • Export Controlled Research. This is because AWS cannot ensure that only U.S. persons have access to or maintain its systems. Note: Amazon GovCloud services may be used for Export Control regulated information.

Social Security numbers should only be used where required by law or where they are essential for university business processes. IIA can help you explore appropriate storage locations or work with you to appropriately encrypt the data if those alternatives will not work for you. (Contact IIA via the ITS Service Center.)

Keep in mind that compliance is a shared responsibility.You must also take any steps required by your role or unit to comply with relevant regulatory requirements.

Don't see the service you need? Contact the ITS Service Center.