U-M offers access to Amazon Web Services (AWS) under a University of Michigan enterprise agreement. AWS provides variety of cloud-based infrastructure services (storage, database, computing) that the U-M community may opt-in to consume under a U-M master account. The U-M enterprise agreement includes an amendment covering the use of AWS-GovCloud services.
Note: AWS-GovCloud does not manage physical and logical access controls beyond the AWS network. Customers have the shared responsibility to manage end-user access controls for their content in the AWS GovCloud (U.S.) Region.
The U-M offering of Amazon Web Services-GovCloud is an ISO 27001 certified, university contracted-for service that provides a secure environment within which to maintain or share the university's sensitive unregulated data.
AWS-GovCloud is physically located in the United States and is staffed by U.S. persons, which makes it compliant with Export Control regulations such as ITAR and EAR.
AWS has achieved FedRAMP compliance status and has received Federal Information Security Management Act (FISMA) Moderate Authorization and Accreditation for the following services:
- Amazon Elastic Compute Cloud (Amazon EC2). If your data is classified at the Restricted, High, or Moderate level, we recommend that you use a Center for Internet Security (CIS)-compliant image to build your instance. Select this in the console under third-party-provided images.
- Amazon Elastic Block Storage (Amazon EBS)
- Amazon Simple Storage Service (Amazon S3)
- Amazon Virtual Private Cloud (Amazon VPC)
While the U-M offering of AWS is secure, it does not comply with some regulatory requirements for specific types of sensitive regulated data. Among the types of information that may not be maintained, shared, or processed in the U-M offering of AWS-GovCloud are:
- Protected Health Information. This is because the university and Amazon Web Services have not come to agreement on the necessary Business Associate Agreement mandated by HIPAA.
- Controlled technical information regulated by DoD Directive 5230.24. This includes technical information with military or space application that is subject to controls on access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. For more information, contact the university Export Controls Officer.
Social Security numbers should only be used where required by law or where they are essential for university business processes. Information Assurance (IA) can help you explore appropriate storage locations or work with you to appropriately encrypt the data if those alternatives will not work for you. (Contact IA via the ITS Service Center.)
Users should keep in mind that compliance is a shared responsibility, therefore you must also take any steps required by your role or unit to comply with relevant regulatory requirements.