UC IT Sourcing Committee (ITSC)
Amazon Web Services (AWS) deployment guidance
Service description
AWS is a broad set of commercial computing, storage, database, analytics, application, and deployment services. AWS is used by the UC locations to host websites and web applications, provide backup and disaster recovery, support high bandwidth computing services, and more. These services are hosted in Amazon’s cloud through a pay-as-you-go pricing model.
Sensitive data guidance
There are multiple approaches to AWS account management. Depending on the location structure and usage, locations may choose to allow individuals to sign up with individual accounts or choose to have a master account and have individuals register with sub accounts.
- AWS has a core set of secure services, but it is up to each user to implement appropriate security controls and to comply with applicable University policies, notably policies relating to the protection of University data and the UC Electronic Communications Policy.
- Third-party content that is available through AWS is generally governed by separate contract terms and conditions, including separate fees and charges. AWS may not have tested or screened third-party content.
Color | Meaning |
---|---|
Green | Permitted |
Yellow | Consult |
Red | Not permitted |
Data Type | Data Use Guidance | Comments |
---|---|---|
Credit Card (PCI-DSS) | Not Permitted | Not acceptable for PCI-DSS data. |
Export Control | Consult | Must use AWS GovCloud. Consult with the data proprietor and the UC location office of research. |
Electronic Protected Health Information (ePHI) subject to HIPAA | Consult | A HIPAA Business Associate Agreement has been signed; consult with the data proprietor and the appropriate UC location authority (e.g. privacy official, information security, compliance officer). Only some AWS services are covered. You must follow the “HIPAA on Amazon Web Services” instructions. |
Human Subject Research | Consult | Consult with the data proprietor and the UC location office of research. |
Intellectual Property | Consult | Consult with the data proprietor and the appropriate UC location authority (e.g. tech transfer, office of research, campus counsel). |
IT Security Information (e.g. administrative passwords, network diagrams) | Permitted | When appropriately configured. |
Other Sensitive Institutional Info (e.g. Fundraising, Attorney/Client Privileges) | Consult | Consult with the data proprietor and the appropriate UC location authority (e.g. privacy official, development office, campus counsel, information security officer). |
Personally Identifiable Information (PII) tied to state breach notification laws (login credentials, SSN, driver's license) | Consult | When appropriately configured; consult with the appropriate UC location authority (e.g. privacy official, risk officer, campus counsel, information security officer). |
Public Information | Permitted | |
Research Data, Animal, General (non-Human Subject Research) | Permitted | Consult with the data proprietor and the UC location office of research. |
Student Education Records (FERPA) | Permitted | Excluding student health records. Consult with the data proprietor and the UC location authority. |
UC location responsibilities
In order to cover your location’s AWS accounts under the terms of the UC AWS Enterprise Agreement (EA) and HIPAA Business Associate Agreement (BAA), each UC AWS account-holder must follow the steps below. Failure to do so will result in AWS accounts used for UC business that are not covered by the UC AWS EA and/or BAA. View the HIPAA on AWS instructions.
Amazon Web Services has prepared more detailed instructions on using AWS for HIPAA data covered by the BAA. Download the document at the following link: AWS_UCOP_BAA_Overview.pdf
- Sensitive data should be encrypted when possible.
- Protected Health Information (PHI):
  - All uses involving PHI must follow the “HIPAA on Amazon Web Services” instructions.
  - If you do not follow these procedures, the PHI will not be covered by the AWS contract and Business Associate Agreement.
  - All computing instances processing, storing, or transmitting PHI must be dedicated instances.
  - All PHI must be encrypted at all times, in transit and at rest.
- Data Location:
  - AWS requires the user to select the geographic region within which data will be processed/stored.
  - United States geographic regions are recommended, unless operational needs require another location.
  - UC locations must provide user guidance in selecting a geographic region appropriate to the type of data being processed/stored to comply with jurisdiction, export law, and data availability policies.
- The UC location-established process must reference the UC agreement on the ordering instrument when creating an account. To identify your account as participating in the agreement, send an email to aws-uc-procurement@amazon.com requesting that your account be covered by the UC AWS Enterprise Agreement terms. Your email must include your AWS twelve-digit account number.
- Each UC location is responsible for identifying pre-existing accounts that should be transitioned to be covered under the enterprise agreement.
- Each UC location is responsible for extending location information security to AWS instances.
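As an added illustration of the PHI and data-location requirements above (example code written for this page, not part of the ITSC guidance and not AWS code), the following Python script evaluates a constructed inventory of instances against those rules: dedicated tenancy and encryption at rest for anything handling PHI, and a US region as the recommended data location. The record shape, the US_REGIONS set, the handles_phi flag and the rule names are assumptions made for this example; the tenancy and encrypted fields mirror the EC2 Placement.Tenancy and EBS Encrypted attributes that a real inventory would be built from.

```python
from dataclasses import dataclass
from typing import Dict, List

# Regions treated as "United States" for the data-location recommendation.
# Assumed set for this example; align it with your location's own guidance.
US_REGIONS = {"us-east-1", "us-east-2", "us-west-1", "us-west-2",
              "us-gov-east-1", "us-gov-west-1"}


@dataclass
class Volume:
    volume_id: str
    encrypted: bool          # mirrors the EBS "Encrypted" attribute


@dataclass
class Instance:
    instance_id: str
    region: str
    tenancy: str             # "default", "dedicated" or "host" (Placement.Tenancy)
    handles_phi: bool        # assumed: derived from a data-classification tag
    volumes: List[Volume]


@dataclass
class Finding:
    instance_id: str
    rule: str
    severity: str            # "violation" (PHI rule) or "advisory" (recommendation)
    detail: str


def check_instance(inst: Instance) -> List[Finding]:
    """Evaluate one instance against the data-location and PHI rules."""
    findings: List[Finding] = []

    # Data location: US regions are recommended unless operational needs require
    # otherwise, so a non-US region is reported as advisory, not as a violation.
    if inst.region not in US_REGIONS:
        findings.append(Finding(inst.instance_id, "data-location", "advisory",
                                f"region {inst.region} is outside the United States"))

    if inst.handles_phi:
        # PHI must run on a dedicated instance.
        if inst.tenancy != "dedicated":
            findings.append(Finding(inst.instance_id, "phi-dedicated-tenancy", "violation",
                                    f"tenancy is {inst.tenancy!r}, expected 'dedicated'"))
        # PHI must be encrypted at rest: every attached volume must be encrypted.
        for vol in inst.volumes:
            if not vol.encrypted:
                findings.append(Finding(inst.instance_id, "phi-encryption-at-rest", "violation",
                                        f"volume {vol.volume_id} is not encrypted"))
        # Encryption in transit cannot be judged from instance metadata alone;
        # verify TLS on the services the instance exposes as a separate check.
    return findings


def run_checks(instances: List[Instance]) -> Dict[str, List[Finding]]:
    """Run the checks over an inventory and group findings by instance id."""
    return {inst.instance_id: check_instance(inst) for inst in instances}


# Constructed sample inventory (hypothetical ids, not real accounts or resources).
SAMPLE_INSTANCES = [
    Instance("i-0aaa", "us-west-2", "dedicated", True,
             [Volume("vol-01", True), Volume("vol-02", True)]),
    Instance("i-0bbb", "us-east-1", "default", True,
             [Volume("vol-03", True), Volume("vol-04", False)]),
    Instance("i-0ccc", "eu-west-1", "default", False,
             [Volume("vol-05", False)]),
]

if __name__ == "__main__":
    for instance_id, findings in run_checks(SAMPLE_INSTANCES).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{instance_id}: {status}")
        for f in findings:
            print(f"  [{f.severity}] {f.rule}: {f.detail}")
```

In the sample, i-0aaa passes, i-0bbb (PHI on default tenancy with an unencrypted volume) produces two violations, and i-0ccc produces only the advisory region finding because it does not handle PHI. Feeding the checker from a real inventory means mapping the describe_instances and describe_volumes results into these records and deciding how your location marks PHI-handling resources (a tag is the usual choice).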
Vendor responsibilities
These are the contractual responsibilities of the vendor in providing the service to the UC. The vendor must meet these responsibilities by contract or they may be subject to penalties.
- AWS will not disclose UC content except as necessary to provide services.
- Each AWS service has a Service Level Agreement that specifies AWS obligations. Individual Service Level Agreements are available.
- AWS will store UC data and services in the region selected by each UC location user.
- AWS will notify the UC of a data breach within 5 business days.
- Current uptime status can be viewed at their Service Health Dashboard.
Procurement Services contacts
View a list of contacts for each campus.
Costs
- Costs are standard AWS rates.
- GovCloud rates are an additional cost. See more information about GovCloud at http://aws.amazon.com/govcloud-us/.
Link to contract
You can view a copy of the agreements in the Contracts Database. Please contact your local procurement department for login credentials.
UC location links and contacts for service
Visit the website or contact the individuals below for more information about this service at your location.
Location | Contact | Reference |
---|---|---|
UC Davis | ithelp@ucdavis.edu | http://itcatalog.ucdavis.edu/service/amazon-web-services-aws |
UC Riverside | helpdesk@ucr.edu | |
UC Merced | procurement@ucmerced.edu | |
UC Berkeley | bcloud@berkeley.edu | https://technology.berkeley.edu/services/cloud |
UC Santa Cruz | help@ucsc.edu | http://its.ucsc.edu/cloud-services/self-service.html |
UC Santa Barbara | software@lsit.ucsb.edu | http://www.software.ucsb.edu/info/aws |
UCLA | clientsupport@it.ucla.edu | https://softwarecentral.ucla.edu/amazon-aws |
UC San Diego | | |
UC Irvine | oit@uci.edu | http://www.oit.uci.edu/aws/ |
UC San Francisco | ITS Help Desk: 415-514-4100 | |
UC Office of the President | IT Service Hub: ServiceDesk@ucop.edu | https://ucop.service-now.com/ |
Lawrence Berkeley National Labs | IT Help Desk: 510-486-4357 | http://help.lbl.gov |
Agriculture and Natural Resources | anrhelp@ucanr.edu | |