Amazon Web Services (AWS) deployment guidance

Service description

AWS is a broad set of commercial computing, storage, database, analytics, application, and deployment services. AWS is used by the UC locations to host websites and web applications, provide backup and disaster recovery, support high bandwidth computing services, and more. These services are hosted in Amazon’s cloud through a pay-as-you-go pricing model.

Sensitive data guidance

There are multiple approaches to AWS account management. Depending on the location's structure and usage, a location may allow individuals to sign up with individual accounts, or it may maintain a master account under which individuals register sub-accounts.

  • AWS has a core set of secure services, but it is up to each user to implement appropriate security controls and to comply with applicable University policies, notably policies relating to the protection of University data and the UC Electronic Communications Policy.

  • Third-party content that is available through AWS is generally governed by separate contract terms and conditions, including separate fees and charges. AWS may not have tested or screened third-party content.
Legend: Green: Permitted; Yellow: Consult; Red: Not permitted

Data Type | Data Use Guidance | Comments
Credit Card (PCI-DSS) | Not Permitted | Not acceptable for PCI-DSS data.
Export Control | Consult | Must use AWS GovCloud. Consult with the data proprietor and the UC location office of research.
Electronic Protected Health Information (ePHI) subject to HIPAA | Consult | A HIPAA Business Associate Agreement has been signed; consult with the data proprietor and the appropriate UC location authority (e.g. privacy official, information security, compliance officer). Only some AWS services are covered. You must follow the "HIPAA on Amazon Web Services" instructions.
Human Subject Research | Consult | Consult with the data proprietor and the UC location office of research.
Intellectual Property | Consult | Consult with the data proprietor and the appropriate UC location authority (e.g. tech transfer, office of research, campus counsel).
IT Security Information (e.g. administrative passwords, network diagrams) | Permitted | When appropriately configured.
Other Sensitive Institutional Info (e.g. fundraising, attorney/client privilege) | Consult | Consult with the data proprietor and the appropriate UC location authority (e.g. privacy official, development office, campus counsel, information security officer).
Personally Identifiable Information (PII) tied to state breach notification laws (login credentials, SSN, driver's license) | Consult | When appropriately configured; consult with the appropriate UC location authority (e.g. privacy official, risk officer, campus counsel, information security officer).
Public Information | Permitted |
Research Data, animal/general (non-human subject research) | Permitted | Consult with the data proprietor and the UC location office of research.
Student Education Records (FERPA) | Permitted | Excluding student health records. Consult with the data proprietor and the UC location authority.

UC location responsibilities

In order to cover your location’s AWS accounts under the terms of the UC AWS Enterprise Agreement (EA) and HIPAA Business Associate Agreement (BAA), each UC AWS account-holder must follow the steps below. Failure to do so will result in AWS accounts used for UC business that are not covered by the UC AWS EA and/or BAA. View the HIPAA on AWS instructions.

Amazon Web Services has prepared more detailed instructions on using AWS for HIPAA data covered by the BAA. Download the document at the following link: AWS_UCOP_BAA_Overview.pdf

  • Sensitive data should be encrypted whenever possible.
  • Protected Health Information (PHI):
    • All uses involving PHI must follow the "HIPAA on Amazon Web Services" instructions.
      • If you do not follow these procedures, the PHI will not be covered by the AWS contract and Business Associate Agreement.
    • All computing instances processing, storing, or transmitting PHI must be dedicated instances.
    • All PHI must be encrypted at all times, in transit and at rest.
  • Data Location:
    • AWS requires the user to select the geographic region within which data will be processed/stored.
      • United States geographic regions are recommended, unless operational needs require another location.
    • UC locations must provide user guidance on selecting a geographic region appropriate to the type of data being processed/stored, in order to comply with jurisdiction, export law, and data availability policies.
  • Account registration:
    • The UC location-established process must reference the UC agreement on the ordering instrument when creating an account. To identify your account as participating in the agreement, send an email to aws-uc-procurement@amazon.com requesting that your account be covered by the UC AWS Enterprise Agreement terms. Your email must include your twelve-digit AWS account number.
    • Each UC location is responsible for identifying pre-existing accounts that should be transitioned to coverage under the enterprise agreement.
    • Each UC location is responsible for extending its information security practices to AWS instances.
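The three technical controls in the list above (dedicated instances for PHI, encryption at rest, and a US region) can be checked mechanically against an account inventory. The following is an added example, not code from the UC guidance page or from AWS: an offline audit over EC2 instance and EBS volume records shaped like the output of boto3's describe_instances and describe_volumes calls. All records are constructed sample data with placeholder IDs, and the tag key "DataClass" with value "PHI" is an assumed convention for marking PHI workloads. Encryption in transit is not visible in these records and has to be verified separately at the application or load-balancer layer.

```python
# Added example (not from the UC page or AWS): audit EC2/EBS inventory records
# against the PHI controls above. Records mimic boto3 describe_instances /
# describe_volumes shapes; everything here is constructed sample data.

US_REGIONS = {"us-east-1", "us-east-2", "us-west-1", "us-west-2",
              "us-gov-west-1", "us-gov-east-1"}
PHI_TAG_KEY, PHI_TAG_VALUE = "DataClass", "PHI"   # assumed tagging convention


def _tags(resource):
    """Flatten boto3's [{'Key': .., 'Value': ..}] tag list into a dict."""
    return {t["Key"]: t["Value"] for t in resource.get("Tags", [])}


def holds_phi(resource):
    """True when the resource is tagged as holding PHI under the assumed convention."""
    return _tags(resource).get(PHI_TAG_KEY) == PHI_TAG_VALUE


def region_of(instance):
    """Derive the region from the AZ name, e.g. 'us-west-2a' -> 'us-west-2'."""
    return instance["Placement"]["AvailabilityZone"][:-1]


def audit_instance(instance, volumes_by_id):
    """Return a list of human-readable findings for one instance record."""
    findings = []
    iid = instance["InstanceId"]
    region = region_of(instance)
    # Region guidance applies to every workload, not only PHI.
    if region not in US_REGIONS:
        findings.append(f"{iid}: region {region} is outside the recommended US regions")
    if not holds_phi(instance):
        return findings
    # PHI control 1: dedicated tenancy (default tenancy shares physical hosts).
    tenancy = instance["Placement"].get("Tenancy", "default")
    if tenancy != "dedicated":
        findings.append(f"{iid}: PHI workload tenancy is '{tenancy}', not 'dedicated'")
    # PHI control 2: every attached EBS volume must be encrypted at rest.
    for mapping in instance.get("BlockDeviceMappings", []):
        vid = mapping["Ebs"]["VolumeId"]
        if not volumes_by_id.get(vid, {}).get("Encrypted", False):
            findings.append(f"{iid}: PHI volume {vid} is not encrypted at rest")
    return findings


def audit_account(instances, volumes):
    """Map InstanceId -> findings for every instance in the inventory."""
    volumes_by_id = {v["VolumeId"]: v for v in volumes}
    return {i["InstanceId"]: audit_instance(i, volumes_by_id) for i in instances}


# Constructed sample inventory; IDs are placeholders, not real resources.
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa", "Encrypted": True},
    {"VolumeId": "vol-0bbb", "Encrypted": False},
    {"VolumeId": "vol-0ccc", "Encrypted": False},
]
SAMPLE_INSTANCES = [
    {   # compliant PHI host: dedicated, encrypted, US region
        "InstanceId": "i-0compliant",
        "Placement": {"AvailabilityZone": "us-west-2a", "Tenancy": "dedicated"},
        "Tags": [{"Key": "DataClass", "Value": "PHI"}],
        "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0aaa"}}],
    },
    {   # PHI host breaking all three controls
        "InstanceId": "i-0violations",
        "Placement": {"AvailabilityZone": "eu-west-1b", "Tenancy": "default"},
        "Tags": [{"Key": "DataClass", "Value": "PHI"}],
        "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0bbb"}}],
    },
    {   # public data: shared tenancy and an unencrypted volume raise no PHI finding
        "InstanceId": "i-0public",
        "Placement": {"AvailabilityZone": "us-east-1a", "Tenancy": "default"},
        "Tags": [{"Key": "DataClass", "Value": "Public"}],
        "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0ccc"}}],
    },
]

if __name__ == "__main__":
    for iid, findings in audit_account(SAMPLE_INSTANCES, SAMPLE_VOLUMES).items():
        print(iid, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

To run this against a real account, replace the sample lists with the `Reservations[].Instances[]` and `Volumes[]` elements returned by boto3 for each region in use; the audit logic itself is unchanged. The region check is intentionally a recommendation-level finding rather than a hard failure, matching the guidance that non-US regions may be used when operational needs require it.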

Vendor responsibilities

These are the contractual responsibilities of the vendor in providing the service to the UC. The vendor must meet these responsibilities by contract or they may be subject to penalties.

  • AWS will not disclose UC content except as necessary to provide services.
  • Each AWS service has a Service Level Agreement that specifies AWS obligations. Individual Service Level Agreements are available.
  • AWS will store UC data and services in the region selected by each UC location user.
  • AWS will notify the UC of a data breach within 5 business days.
  • Current uptime status can be viewed at the AWS Service Health Dashboard.

Procurement Services contacts

View a list of contacts for each campus.

Costs

Link to contract

You can view a copy of the agreements in the Contracts Database. Please contact your local procurement department for login credentials.

UC location links and contacts for service

Visit the website or contact the individuals below for more information about this service at your location.

Location | Contact | Reference
UC Davis | ithelp@ucdavis.edu | http://itcatalog.ucdavis.edu/service/amazon-web-services-aws
UC Riverside | helpdesk@ucr.edu |
UC Merced | procurement@ucmerced.edu |
UC Berkeley | bcloud@berkeley.edu | https://technology.berkeley.edu/services/cloud
UC Santa Cruz | help@ucsc.edu | http://its.ucsc.edu/cloud-services/self-service.html
UC Santa Barbara | software@lsit.ucsb.edu | http://www.software.ucsb.edu/info/aws
UCLA | clientsupport@it.ucla.edu | https://softwarecentral.ucla.edu/amazon-aws
UC San Diego | servicedesk@ucsd.edu | https://blink.ucsd.edu/technology/cloud/index.html
UC Irvine | oit@uci.edu | http://www.oit.uci.edu/aws/
UC San Francisco | ITS Help Desk: 415-514-4100 |
UC Office of the President | IT Service Hub: ServiceDesk@ucop.edu | https://ucop.service-now.com/
Lawrence Berkeley National Labs | IT Help Desk: 510-486-4357 | http://help.lbl.gov
Agriculture and Natural Resources | anrhelp@ucanr.edu |