Student Data Privacy
Amazon Updates Guidance on AWS and FERPA
- By Dian Schaffhauser
More than two years after issuing guidance on FERPA compliance and Amazon Web Services, Amazon has updated the whitepaper to lay out the company's "shared responsibility model" and give specific guidance on 24 different AWS services.
The Family Educational Rights and Privacy Act, in general, calls for schools and agencies to "reasonably safeguard student education records from improper use or disclosure," the report stated. However, Amazon asserted, that's a shared responsibility between AWS and the customer. While Amazon is responsible for security "of" the cloud, as it noted, the customer is responsible for security "in" the cloud.
In general, Amazon's purview covers operation, management and control of the components "from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates." The customer, on the other hand, must assume responsibility for patching the guest operating system and applications. Those duties will vary depending on the AWS cloud services being used.
The report runs through each of its many services and includes guidance related to protection of personally-identifiable information. For example, districts using Amazon's Simple Storage Service should "configure their S3 buckets for least privilege and ensure buckets and objects are not world accessible, unless by design." The PII recommendation also suggested that S3 logging and server-side encryption be enabled or the data itself encrypted before being stored.
The FERPA-related AWS guidance is available on AWS.
Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.