Amazon Updates Guidance on AWS and FERPA

More than two years after issuing guidance on FERPA compliance and Amazon Web Services, Amazon has updated the whitepaper to lay out the company's "shared responsibility model" and give specific guidance on 24 different AWS services.

The Family Educational Rights and Privacy Act, in general, calls for schools and agencies to "reasonably safeguard student education records from improper use or disclosure," the report stated. However, Amazon asserted, that's a shared responsibility between AWS and the customer. While Amazon is responsible for security "of" the cloud, as it noted, the customer is responsible for security "in" the cloud.

In general, Amazon's purview covers operation, management and control of the components "from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates." The customer, on the other hand, must assume responsibility for patching the guest operating system and applications. Those duties will vary depending on the AWS cloud services being used.

The report runs through each of its many services and includes guidance related to protection of personally-identifiable information. For example, districts using Amazon's Simple Storage Service should "configure their S3 buckets for least privilege and ensure buckets and objects are not world accessible, unless by design." The PII recommendation also suggested that S3 logging and server-side encryption be enabled or the data itself encrypted before being stored.

The FERPA-related AWS guidance is available on AWS.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.

Featured

  • minimalist geometric grid pattern of blue, gray, and white squares and rectangles

    Windows Server 2025 Now Generally Available

    Microsoft has announced the general availability of Windows Server 2025. The release will enable organizations to deploy applications on-premises, in hybrid setups, or fully in the cloud, the company said.

  • cloud icon connected to a data network with an alert symbol (a triangle with an exclamation mark) overlaying the cloud

    U.S. Department of Commerce Proposes Reporting Requirements for AI, Cloud Providers

    The United States Department of Commerce is proposing a new reporting requirement for AI developers and cloud providers. This proposed rule from the department's Bureau of Industry and Security (BIS) aims to enhance national security by establishing reporting requirements for the development of advanced AI models and computing clusters.

  • A top-down view of a person walking through a maze with walls made of glowing blue Wi-Fi symbols on dark pathways

    Navigating New E-Rate Rules for WiFi Hotspots

    Beginning in funding year 2025, WiFi hotspots will be eligible for E-rate Category One discounts. Here's what you need to know about your school's eligibility, funding caps, tracking requirements, and more.

  • stylized illustration of diverse students holding laptops, smartphones, and sitting at computers

    Student Device Access Skews Along Income, Racial Lines

    A recent study on the "digital divide" among high school students shows improving device access, but persistent barriers for historically underprivileged populations.