What is ITAR?
International Traffic in Arms Regulations (ITAR) controls the export from the US of defense-related articles, and the regulations state that no non-US person can have physical or logical access to the articles stored in the ITAR environment.
Articles that are covered by the ITAR United States Munitions List (USML) include equipment, components, materials, software, and technical information that can only be shared with US Persons unless under special authorization or exemption. US Persons are individuals who are US Green Card (Permanent Resident Card) holders or US citizens.
Maintaining U.S. International Traffic in Arms Regulations (ITAR) Compliance
If you store and process ITAR-regulated data in the AWS GovCloud (US) Regions, you must conform to the following ITAR requirements, in addition to any other ITAR or export control restrictions that may be applicable to you:
- You are an individual or entity that qualifies as a U.S. Person under the applicable regulations.
- You have and will maintain a valid Directorate of Defense Trade Controls (DDTC) registration.
- You have full export privileges under U.S. export control laws and regulations and are not a denied or debarred party or otherwise subject to sanctions.
- If your export control privileges are revoked, suspended, or terminated, or you otherwise become subject to sanctions or are barred from maintaining export-controlled data, you will immediately remove ITAR and other export-controlled data from the AWS services.
- You must maintain an effective compliance program to ensure compliance with applicable U.S. export control laws and regulations, including ITAR, if applicable.
Note:
Even if you don’t process any ITAR-regulated data, the owner of the AWS GovCloud (US) account must be a U.S. person. AWS doesn’t require IAM users or users of applications that run in AWS GovCloud (US) to be U.S. persons. As part of the shared responsibility model, you are responsible for restricting access to your IAM users and to your application in accordance with regulations that apply to you.
How do ITAR requirements apply in the cloud?
ITAR compliance in the cloud focuses on ensuring that information considered technical data is not inadvertently distributed to foreign persons or foreign nations. In order for data to be subject to ITAR, an IT workload or type of data has to be deemed an export according to the US Munitions List (USML).
ITAR Boundary for AWS GovCloud (US) Services
If you maintain ITAR-regulated data in the AWS GovCloud (US) Regions, you must comply with the ITAR restrictions for each AWS service you use in the AWS GovCloud (US) Regions. For more information about the ITAR boundaries for each service, see the service-specific information in Services in AWS GovCloud (US) Regions.
How does AWS support customers who are subject to ITAR export regulations?
AWS provides customers with the option to store their data in AWS GovCloud (US), which is managed solely by US Persons in US locations. AWS GovCloud (US) is Amazon’s isolated cloud environment where accounts are only granted to US Persons working for US organizations.
Because AWS does not have any visibility into what customers are uploading onto our network, including whether or not that data is deemed subject to ITAR regulations, all customer data within AWS GovCloud (US) is treated as ITAR data.
How does AWS GovCloud (US) provide assurance to customers that it meets ITAR requirements?
There is no formal ITAR certification. AWS GovCloud (US) is continuously audited by an accredited Federal Risk and Authorization Management Program (FedRAMP) independent third-party assessment organization (3PAO) and has been issued a FedRAMP Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB) at the High Baseline. The Chief Information Officers (CIOs) of the US Department of Defense, Department of Homeland Security, and General Services Administration make up the JAB.
How does the AWS Shared Responsibility apply when customers transmit, process, and store ITAR data in AWS?
AWS is responsible for the logical and physical compliance of the cloud infrastructure and core services we offer. Customers are responsible for their own on-premises IT infrastructure, applications, and systems. The AWS GovCloud FedRAMP Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB) at the High Baseline attests to the controls in place within AWS GovCloud (US). AWS supports customers who are building ITAR-compliant systems in AWS. The following are some examples of AWS services that help customers manage their own security compliance obligations:
- Safeguard Sensitive Data: Customers can protect sensitive unclassified data with server-side encryption in Amazon S3, and store and manage encryption keys with AWS CloudHSM or with the one-click AWS Key Management Service (KMS).
- Improve Cloud Visibility: Customers can audit access to and use of sensitive data with AWS CloudTrail, the AWS API logging service, which in AWS GovCloud (US) is managed and operated by US Persons.
- Strengthen Identity Management: Customers can limit access to sensitive data by individual, time, and location. To restrict which API calls users are able to make, you can use identity federation, easy key rotation, and the other access control and policy testing tools available in AWS.
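The following IAM identity policy is an added illustration of the last two points, not a policy from this page or from AWS: it keeps a principal inside the two GovCloud (US) regions, refuses S3 uploads that are not KMS-encrypted, and only allows access to one bucket with MFA, from one network range, during one time window. The bucket name `example-itar-bucket`, the 203.0.113.0/24 range and the 2024 date window are placeholders for this example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAnyRequestOutsideGovCloudRegions",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["us-gov-west-1", "us-gov-east-1"]
        }
      }
    },
    {
      "Sid": "DenyUploadsNotEncryptedWithKms",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "arn:aws-us-gov:s3:::example-itar-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "AllowBucketAccessWithMfaFromAssumedRangeAndWindow",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws-us-gov:s3:::example-itar-bucket",
        "arn:aws-us-gov:s3:::example-itar-bucket/*"
      ],
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "true" },
        "IpAddress": { "aws:SourceIp": "203.0.113.0/24" },
        "DateGreaterThan": { "aws:CurrentTime": "2024-01-01T00:00:00Z" },
        "DateLessThan": { "aws:CurrentTime": "2024-12-31T23:59:59Z" }
      }
    }
  ]
}
```

The `aws:SourceIp` check only sees public source addresses, so requests that arrive through a VPC endpoint need `aws:VpcSourceIp` or `aws:SourceVpce` conditions instead. The region deny applies to global services as well, so test it with the IAM policy simulator before attaching it to production principals.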