Using AWS Safely: Security Risk Assessments

Amazon Web Services (AWS) is a portfolio of more than 120 different services.

The Enterprise Security Risk Assessment Team will continue to assess the risk of AWS services based on usage and billing. As the team completes risk assessments for AWS services, the results will be posted to the Amazon Web Services section of the Cloud Assessment Registry.

The Cloud Assessment Registry is an Ohio State database of previously assessed third-party applications. A new section has been added to the Cloud Assessment Registry for Amazon Web Services. The new section is labeled “Amazon Web Services – General Use Case Assessments”.

Ohio State AWS account owners are responsible for checking the “Amazon Web Services – General Use Case Assessments” section of the Cloud Assessment Registry prior to implementing a use case in AWS. A summary of the steps:

  • Identify your use case.
  • Map your use case to the specific AWS services needed to implement it. The Solutions Architect and Technical Account Managers assigned to Ohio State by AWS can assist with this review.
  • Check the AWS section of the Cloud Assessment Registry for the specific AWS services to be used.
  • If a specific AWS service is not listed on the Registry, a security risk assessment is required. Work with your local Security Coordinator before using the AWS service(s) to implement your use case.

Remember, Ohio State does not have a Business Associates Agreement (BAA) with Amazon/AWS. You may NOT STORE PHI/HIPAA in AWS.

If you have any questions or concerns, please send them to osuaws@osu.edu