Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Amazon Simple Storage Service (S3) is the object storage service provided by Amazon Web Services. It stores files (images, videos, documents, backups) in buckets, served via HTTPS endpoints or as origin behind Amazon CloudFront. S3 itself does not set client side cookies, but it transmits visitor IP addresses to AWS, which in turn raises GDPR questions about region choice, data processing agreements and access by US authorities.
Amazon Simple Storage Service (S3) is the flagship object storage service of Amazon Web Services. It exposes buckets that can hold any number of files (images, videos, documents, archives, application data, machine learning datasets) and serves them through HTTPS endpoints, pre signed URLs, REST APIs or as origin behind Amazon CloudFront. S3 is one of the foundational components of the modern web: media libraries, application backups, static sites and CMS uploads frequently land in an S3 bucket somewhere. From a privacy perspective, S3 is interesting because it stores or relays personal data without setting client side cookies of its own.
S3 processes the objects you put into a bucket plus the metadata of every request: requester IP address, HTTP method, requested object key, response size, latency and any custom headers. When S3 server access logging or AWS CloudTrail are enabled, these access records are stored in another bucket and can include IP addresses considered personal data under the GDPR. S3 does not set cookies on the visitor''s browser. If the bucket is fronted by CloudFront, additional edge logs are kept by AWS for security and performance purposes.
S3 itself is a processor in the meaning of Article 28 GDPR when serving user content for a controller. The AWS Data Processing Addendum is the standard contract, supplemented by the EU SCCs in the AWS GDPR DPA and the EU US Data Privacy Framework certification of Amazon Web Services Inc. ePrivacy is generally not engaged because S3 does not write to or read from the user terminal beyond standard HTTP cache. The main concerns are the location of storage, the legal access regime of the chosen region, and the IP based logging produced by S3 and CloudFront.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
No, not for the simple act of serving a file from S3 to a visitor. The storage itself rests on legitimate interest or contract performance. Consent only becomes relevant if the bucket is used to host tracking pixels, marketing assets coupled with analytics or scripts that themselves require consent. The Schrems II discussion applies more strongly when buckets are in a US region: in that case, the recipient of personal data is in the US even if no commercial use is made of it, and the privacy policy must reflect that.
AWS lets you pick the storage region for each bucket. When the region is in the EU and no replication or cross region access is enabled, the persistent storage stays in Europe. However, Amazon Web Services Inc. is a US controller and certain support and security activities can be performed from the US. Following the EDPB recommendations after Schrems II, AWS publishes a Transfer Impact Assessment for EU customers and provides the EU US Data Privacy Framework as a transfer mechanism. Encryption with customer managed keys (SSE C or KMS) gives an additional layer of protection.
Pick an EU region for buckets that hold personal data, sign the AWS DPA, enable server side encryption (KMS for stronger control), restrict bucket access through IAM and S3 Block Public Access, and shorten the retention of S3 server access logs. Document the role of Amazon Web Services EMEA SARL as the EU contracting entity. Mention Amazon S3 and AWS in the privacy policy with a clear note about the region and transfer mechanism. If you absolutely need a US bucket, conduct and document a Transfer Impact Assessment and consider client side encryption.
Websites using Amazon S3 must obtain user consent under GDPR regulations.
DPIA considerations
When S3 stores or serves personal data (user uploaded files, customer documents, profile pictures), a DPIA is recommended if the volume is large, the data sensitive or the bucket is configured in a non EU region. Document the storage region, encryption configuration, AWS DPA reliance and any logging that captures personal data such as IP addresses.
Sample consent text
We host certain assets and files on Amazon S3 (Amazon Web Services). Loading them transmits your IP address to AWS infrastructure, which may include servers located in or accessed from the United States. Do you accept?
Third-party domains contacted
s3.amazonaws.coms3.eu-central-1.amazonaws.coms3.eu-west-1.amazonaws.coms3.eu-west-3.amazonaws.coms3.eu-north-1.amazonaws.coms3.dualstack.amazonaws.com<bucket>.s3.amazonaws.comcloudfront.netCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| No cookies set by S3 itself | none | N/A | Amazon S3 is a pure HTTPS object store and does not set browser cookies. When fronted by CloudFront with signed cookies, CloudFront cookies (CloudFront-Policy, CloudFront-Signature, CloudFront-Key-Pair-Id) may be set; these are documented under the CloudFront service. |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
No. S3 is a pure HTTPS object storage service and does not set client side cookies. When S3 is used as origin behind Amazon CloudFront, CloudFront itself may set technical cookies if signed cookies are enabled, but plain S3 access does not.
No, not as such. Serving static assets from S3 is necessary to provide the website and rests on legitimate interest or contract performance. Consent enters the picture only when the assets you serve are tracking pixels, marketing content combined with measurement, or scripts that themselves require consent.
Legitimate interest (Art. 6(1)(f) GDPR) for delivering site assets, contract performance (Art. 6(1)(b)) when S3 stores user files that are part of the service, and legal obligation (Art. 6(1)(c)) for accounting backups. AWS acts as a processor under the AWS Data Processing Addendum.
Not by default if you pick an EU region and disable cross region replication. However, Amazon Web Services Inc. remains accessible from the US for support, security and government requests. The EU US Data Privacy Framework and AWS SCCs cover residual transfers. For buckets in US regions the transfer is direct and must be documented.
For typical asset serving, no. For large scale personal data storage (user generated content, customer documents, healthcare or financial data), conduct a DPIA covering data location, encryption, access controls and logging. Include AWS DPA, KMS configuration and bucket policies.
Pick an EU region, sign the AWS GDPR DPA, enable server side encryption with KMS, lock down buckets with Block Public Access, use IAM and bucket policies to restrict access, enable S3 Object Lock for retention compliance, and shorten the retention of Server Access Logs and CloudTrail trails to what is necessary.
EU based object storage services include OVHcloud Object Storage, Scaleway Object Storage, IONOS S3 Object Storage and Hetzner Storage Box. They offer S3 compatible APIs while keeping the data in EU jurisdictions. For sovereign cloud needs in France, look at OVH SecNumCloud or Outscale.
State that you use Amazon S3 from Amazon Web Services EMEA SARL (Luxembourg) as a processor, the region where buckets are stored, the categories of personal data involved (user files, IP logs), the retention period, and the transfer mechanism (Data Privacy Framework and SCCs in the AWS GDPR DPA).