If you handle medical or health data, not all of Bedrock's AI features are approved for that use — you must check AWS's specific approved list before processing any health information through Bedrock.
This analysis describes what AWS Bedrock's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
This provision creates a feature-level compliance boundary within a single service offering. Organizations subject to HIPAA must verify feature eligibility before using Bedrock to handle PHI, as non-eligible features lack BAA protections and therefore cannot lawfully process PHI under HIPAA requirements.
The updated terms establish new data-sharing mechanisms for users of Anthropic models on Amazon Bedrock. Specifically, AWS now explicitly authorizes notification to Anthropic of metadata present in requests sent to certain Anthropic products (e.g., Claude Code, computer use features), enabling Anthropic to conduct product-level usage attribution. Additionally, the terms introduce AWS WAF AI traffic monetization, which permits AWS to facilitate payment transactions between content publishers and buyers by sharing pricing, payment, and configuration information with payment providers and facilitators; the updated terms clarify that AWS does not provide regulated financial services and is not a party to fund flows, and that users' interactions with payment providers are governed by separate terms between the user and those parties. Users employing these features should review what metadata may be embedded in their requests and understand their own obligations to payment providers.
The updated terms establish that customers operating Amazon RDS databases on end-of-life software versions are now required to upgrade to supported versions. The agreement authorizes AWS to scan extension code used with Trusted Language Extensions for security and performance purposes, and establishes that extension code constitutes customer content. AWS disclaims responsibility for service failures caused by extensions or end-of-life database software. If a customer does not upgrade before an engine reaches end of life, AWS may snapshot the customer's data and delete the instance or cluster running the unsupported software, after providing prior notice of the engine end-of-life date.
The updated terms establish new operational requirements for any organization using Amazon Connect Talent to make or inform employment decisions. Customers must now obtain legally adequate privacy notices and consents from job applicants before their data is processed by the service. The terms require customers to review all AI output before making hiring decisions, implement processes for applicants to request information about the AI's role in decisions, and ensure their use of the tool complies with applicable labor, anti-discrimination, disability, data privacy, AI, wiretap, recordkeeping, and biometrics laws. Customers can configure an AI services opt-out policy through AWS Organizations to prevent their data from being used to train or improve AWS AI technologies.
Healthcare businesses using unapproved Bedrock features to process patient health data face HIPAA enforcement exposure, which can result in significant financial penalties and reputational harm — with the risk borne entirely by the customer, not AWS.
AWS Bedrock has changed this document before.
"Not all Amazon Bedrock features are covered under the AWS Business Associate Addendum. You should review the AWS HIPAA eligible services list to determine which Amazon Bedrock features may be used to process Protected Health Information." — Excerpt from AWS Bedrock's AWS Service Terms
REGULATORY FRAMEWORK: This provision directly implicates HIPAA 45 CFR Parts 160 and 164 (Privacy and Security Rules), the HITECH Act (42 U.S.C. §17931), and OCR enforcement authority under HHS. A Business Associate Agreement is required under 45 CFR §164.308(b)(1) for any service processing PHI; where a Bedrock feature is not HIPAA-eligible, no valid BAA coverage exists and processing PHI through that feature constitutes a HIPAA violation.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by AWS Bedrock.