Amazon Web Services (AWS) at U-M
You are responsible for ensuring that your use of this service complies with laws, policies, and regulations where applicable. See Compliance below for details.
Service Description
U-M offers access to Amazon Web Services (AWS) under a University of Michigan enterprise agreement. AWS provides a variety of cloud-based infrastructure services (storage, database, compute) that the U-M community may choose to consume under a U-M master account.
Compliance
The U-M offering of Amazon Web Services (AWS) is an ISO 27001-certified, university contracted-for service. It provides a secure environment within which to maintain or share the university’s sensitive unregulated data.
In addition, the U-M offering of AWS provides an environment that is compliant with regulations for some types of sensitive regulated data. AWS has achieved FedRAMP compliance status. It has also received Federal Information Security Management Act (FISMA) Moderate Authorization and Accreditation for the services listed below, which are part of the U-M offering of AWS, as long as the region where the data is housed is in the United States. You can request specific regions when you set up your account in Amazon Web Services. The services are:
- Amazon Elastic Compute Cloud (Amazon EC2). If your data is classified at the High or Moderate level, we recommend that you use a Center for Internet Security (CIS)-compliant image to build your instance. Select this in the console under third-party-provided images.
- Amazon Elastic Block Store (Amazon EBS)
- Amazon Simple Storage Service (Amazon S3)
- Amazon Virtual Private Cloud (Amazon VPC)
Social Security numbers should only be used where required by law or where they are essential for university business processes. Information Assurance (IA) can help you explore appropriate storage locations or work with you to appropriately encrypt the data if those alternatives will not work for you. (Contact IA via the ITS Service Center.)
Keep in mind that compliance is a shared responsibility. You must also take any steps required by your role or unit to comply with relevant regulatory requirements.
Source:
https://safecomputing.umich.edu/dataguide/?q=node/195