Data Privacy

Amazon Releases New Guidance on AWS and FERPA

• By Dian Schaffhauser
• 03/01/18

More than two years after issuing guidance on FERPA compliance and Amazon Web Services, Amazon has updated the whitepaper to lay out the company's "shared responsibility model" and provide specific guidance on 24 different AWS services.

The Family Educational Rights and Privacy Act, in general, calls for schools and agencies to "reasonably safeguard student education records from improper use or disclosure," the report stated. However, Amazon asserted, that's a shared responsibility between AWS and the customer. While Amazon is responsible for security "of" the cloud, as it noted, the customer is responsible for security "in" the cloud.

In general, Amazon's purview covers operation, management and control of the components "from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates." The customer, on the other hand, must assume responsibility for patching the guest operating system and applications. Those duties will vary depending on the AWS cloud services being used.

The report runs through each of its many services and includes guidance related to protection of personally-identifiable information. For example, institutions using Amazon's Simple Storage Service should "configure their S3 buckets for least privilege and ensure buckets and objects are not world accessible, unless by design." The PII recommendation also suggested that S3 logging and server-side encryption be enabled or the data itself encrypted before being stored.

The FERPA-related AWS guidance is available on the AWS site.