Amazon Web Services is the worldwide leading cloud infrastructure platform, offering compute, storage, content delivery (CloudFront), databases, machine learning and hundreds of additional services. Many European websites rely on AWS through CloudFront for static assets, S3 for media storage, EC2 or Lambda for application hosting, and CloudWatch or QuickSight for analytics. Because AWS is operated by Amazon Web Services Inc., a US-controlled company, every European deployment must address international data transfers and document a clear legal basis under the GDPR.
Amazon Web Services (AWS) is the worldwide leading cloud platform operated by Amazon Web Services Inc., a subsidiary of Amazon.com Inc. registered in Seattle, Washington. On a European website, AWS most often appears in three forms: Amazon CloudFront serving images, scripts and HTML from edge locations close to the visitor, Amazon S3 storing static assets and uploaded media, and Amazon EC2 or AWS Lambda running the backend application. Additional features such as Amazon Cognito (authentication), Amazon Pinpoint (push and email), AWS WAF (security filtering) and Amazon Rekognition (image analysis) may also process personal data.
Even when an EU region is selected, AWS remains under US jurisdiction. Support staff in the United States may access infrastructure to troubleshoot incidents, IAM and billing run through global endpoints, and some managed services replicate metadata across regions. This dual European and US footprint is the central GDPR question for any AWS deployment.
AWS itself does not deploy marketing cookies. The infrastructure layer sets a small number of technical cookies, mainly AWSALB and AWSALBCORS used by the Application Load Balancer to keep a session attached to the same backend, AWSELB used by the older Classic Load Balancer, and similar identifiers when sticky sessions are enabled. CloudFront does not set cookies by default but it processes the visitor IP address, the User-Agent header, the requested URL and TLS metadata. Logs may be retained in Amazon S3 buckets configured by the website operator.
When higher level services are layered on AWS, such as Amazon Pinpoint analytics, AWS Personalize or Amazon Connect, additional identifiers and profile data are processed. The website operator remains the data controller and is responsible for documenting every cookie or local storage entry triggered by AWS components.
Amazon Web Services Inc. acts as a processor when it hosts a European website, and the controller is the website operator. A signed AWS Data Processing Addendum (DPA) is required and is available in the AWS Artifact portal. The DPA incorporates the European Commission Standard Contractual Clauses and the UK addendum, lists sub-processors, and describes security controls aligned with ISO 27001, ISO 27018, SOC 2 and the EU Cloud Code of Conduct.
Under the ePrivacy Directive transposed into national law (TTDSG in Germany, LCEN in France, LSSI-CE in Spain), every non-strictly-necessary cookie or similar identifier set through an AWS component requires informed, freely given consent before being stored on the visitor device. Load balancing cookies are typically considered strictly necessary and are exempt, but cookies set by analytics, personalization or advertising features built on AWS are not.
Amazon Web Services Inc. is certified under the EU-US Data Privacy Framework, which the European Commission recognised in adequacy decision 2023/1795. This means transfers of personal data from the EU to AWS in the US benefit from an adequacy basis, complemented by Standard Contractual Clauses for any country outside the framework. Following the Schrems II ruling, supplementary measures such as customer managed encryption keys (AWS KMS with imported keys), strict IAM policies and detailed transfer impact assessments are strongly recommended.
Operators handling sensitive workloads can pin services to EU regions, enable AWS Nitro Enclaves, and contractually exclude US support access via the AWS European Sovereign Cloud roadmap announced for the Brandenburg region.
For pure infrastructure use (hosting, CDN cache, security filtering), Article 6(1)(f) legitimate interest is the standard legal basis, supported by a documented legitimate interest assessment. For any AWS feature that profiles users, runs analytics, or feeds advertising, prior opt-in consent gathered through a compliant Consent Management Platform is mandatory before triggering the AWS SDK or pixel calls.
Sign the AWS DPA, restrict workloads to EU regions whenever business requirements allow, enable encryption at rest and in transit with customer managed keys, limit IAM access to named roles, configure logging retention to the minimum necessary, list AWS and its relevant sub-processors in the privacy notice, document the transfer impact assessment, and integrate every AWS triggered cookie or pixel into the Consent Management Platform so it only loads after explicit opt-in when consent is required.
Websites using Amazon Web Services (AWS) must obtain user consent under GDPR regulations.
DPIA considerations
A Data Protection Impact Assessment is recommended when AWS hosts personal data at scale, when the workload involves special category data, or when CloudFront, AWS WAF and CloudWatch are combined with user identifiers. The DPIA must cover region selection, encryption at rest and in transit, IAM access controls, sub-processor list, retention rules and the response plan for US government access requests.
Sample consent text
We use Amazon Web Services to host and deliver this website, including content delivery through Amazon CloudFront. AWS may set technical cookies for load balancing and may process your IP address. Some traffic is routed through US infrastructure under the EU-US Data Privacy Framework and Standard Contractual Clauses. By clicking Accept, you allow this processing for the analytics and personalization features powered by AWS.
Third-party domains contacted
- amazonaws.com
- cloudfront.net
- awsstatic.com
- s3.amazonaws.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| AWSALB | HTTP cookie | 7 days | Application Load Balancer sticky session: keeps a visitor on the same backend instance during a session. |
| AWSALBCORS | HTTP cookie | 7 days | Same as AWSALB but compatible with cross-origin requests using the SameSite=None attribute. |
| AWSELB | HTTP cookie | Session | Classic Load Balancer sticky session, legacy equivalent of AWSALB. |
| AWSELBCORS | HTTP cookie | Session | Classic Load Balancer sticky session in cross-origin context. |
AWS only sets a few technical cookies. The Application Load Balancer can place AWSALB and AWSALBCORS (7 days) to keep a visitor on the same backend, and the older Classic Load Balancer uses AWSELB and AWSELBCORS. CloudFront does not set any cookie by default, but when signed cookies are configured for restricted content it can store CloudFront-Key-Pair-Id and CloudFront-Policy. Higher level AWS services such as Pinpoint or Personalize set their own additional identifiers.
For pure infrastructure use, such as CloudFront caching static assets or an Application Load Balancer keeping a session, the load balancing cookies are typically strictly necessary and exempt from prior consent under the ePrivacy Directive. Consent is required as soon as AWS components serve analytics, advertising, personalization or profiling features.
Legitimate interest under Article 6(1)(f) GDPR is the most common basis for infrastructure hosting and security, supported by a documented legitimate interest assessment. Consent under Article 6(1)(a) is required for marketing and profiling. Contractual necessity under Article 6(1)(b) can apply when AWS hosts a service the visitor explicitly subscribed to.
Yes. Even when an EU region is selected, support staff, IAM and several global services may access data from the United States. Amazon Web Services Inc. is certified under the EU-US Data Privacy Framework recognised by the European Commission, and AWS provides Standard Contractual Clauses with its Data Processing Addendum. Supplementary measures such as customer managed encryption keys are strongly recommended after Schrems II.
A Data Protection Impact Assessment is recommended whenever AWS hosts personal data at scale, processes special category data, or combines security, content delivery and analytics components linked to user identifiers. The DPIA should document region choice, encryption, IAM controls, retention, sub-processors and the response to US government access requests.
Sign the AWS DPA in AWS Artifact, restrict workloads to EU regions when business needs allow, enable encryption at rest and in transit with customer managed keys, scope IAM policies to named roles, retain logs only as long as required, and integrate every AWS triggered cookie or pixel into the Consent Management Platform so it loads only after explicit opt-in when consent is needed.
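The CMP integration step above (and the same step in the checklist earlier on the page), as an added example that is not FlowConsent's or AWS's code: audit the cookies a page currently holds against the AWS cookie names this page lists, and defer loading a consent-required AWS script until the CMP records opt-in. The script URL, the `example_analytics_id` cookie and the `doc` test double are constructed placeholders.

```javascript
// Cookies named on this page as strictly necessary (load balancing, CloudFront signed content).
const NECESSARY_AWS_COOKIES = new Set([
  "AWSALB", "AWSALBCORS", "AWSELB", "AWSELBCORS",
  "CloudFront-Key-Pair-Id", "CloudFront-Policy",
]);

// Parse a Cookie header or document.cookie string into { name: value }.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Anything outside the exempt set must be justified as necessary or gated behind consent.
function auditCookies(cookieString) {
  const necessary = [], consentRequired = [];
  for (const name of Object.keys(parseCookies(cookieString))) {
    (NECESSARY_AWS_COOKIES.has(name) ? necessary : consentRequired).push(name);
  }
  return { necessary, consentRequired };
}

// Consent gate: callbacks for a category run only once the CMP reports it granted.
function createConsentGate() {
  const granted = new Set(), pending = new Map();
  return {
    whenGranted(category, cb) {
      if (granted.has(category)) return cb();
      pending.set(category, [...(pending.get(category) || []), cb]);
    },
    grant(categories) {
      for (const c of categories) {
        granted.add(c);
        (pending.get(c) || []).forEach((cb) => cb());
        pending.delete(c);
      }
    },
  };
}

// Inject an AWS SDK or pixel script only after opt-in; `doc` is injectable for testing.
function loadWhenGranted(gate, category, src, doc) {
  gate.whenGranted(category, () => {
    const s = Object.assign(doc.createElement("script"), { src, async: true });
    doc.head.appendChild(s);
  });
}
```

In a browser, pass `document` as `doc` and call `gate.grant([...])` from the CMP's consent callback; any cookie reported under `consentRequired` before opt-in is a finding to fix.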
For pure CDN needs, Bunny CDN, KeyCDN and Scaleway Edge are EU based options. For object storage, Scaleway, OVHcloud and Hetzner offer S3 compatible services in EU regions. For compute and serverless, OVHcloud, Scaleway, Hetzner and the upcoming AWS European Sovereign Cloud are viable. The right alternative depends on workload, certifications required and SLAs.
List AWS as a processor in the privacy notice, name CloudFront and any other AWS service in use, describe the technical cookies set (AWSALB, AWSALBCORS, AWSELB), mention the EU-US Data Privacy Framework and the use of Standard Contractual Clauses, link to the AWS DPA and provide a contact point for data subject requests.