The agreement assigns full responsibility for all account activity to the customer, including unauthorized activity by third parties such as contractors, agents, or end users, and states that AWS bears no responsibility for unauthorized account access. This responsibility is not conditioned on the customer's knowledge of or consent to the activity.
This analysis describes what AWS's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
This provision establishes that customers bear contractual liability for all activity under their AWS accounts, including activity resulting from account compromise, credential theft, or unauthorized third-party access, without AWS bearing responsibility for unauthorized access events. This places the operational and financial risk of account security incidents squarely on the customer.
Added explicit reference to 'our affiliates' in the liability disclaimer, expanding AWS's liability shield.
Under this clause, customers are contractually responsible for AWS resource consumption and any policy violations that occur under their account credentials, even when those activities result from unauthorized third-party access or account compromise. The agreement states that AWS and its affiliates bear no responsibility for unauthorized access to customer accounts.
How other platforms handle this
This policy applies to you and anyone using the Services on your behalf, including your end users. You are responsible for ensuring that your use of the Services, and the use of the Services by others on your behalf, complies with this Policy.
You are solely responsible for ensuring the accuracy and completeness of all information you provide to Gusto in connection with the Services, including employee information, compensation data, and any other data necessary for Gusto to perform payroll processing and tax filing services on your behal...
You are solely responsible for your use of the Service and for all Inputs you make available to Pika, whether by uploading them through the Service or otherwise making them accessible to others. You are also solely responsible for any Outputs generated via the Service. You assume all risk associated...
Monitoring
AWS has changed this document before.
"You are responsible for all activities that occur under your account, regardless of whether the activities are authorized by you or undertaken by you, your employees or a third party (including your contractors, agents or End Users). We and our affiliates are not responsible for unauthorized access to your account." — Excerpt from AWS's AWS Customer Agreement
(1) REGULATORY LANDSCAPE: The broad account responsibility clause interacts with GDPR obligations for data controllers who experience account compromises that result in unauthorized access to personal data processed on AWS; the customer retains data controller obligations and breach notification responsibilities irrespective of the account compromise mechanism. HIPAA-covered entities similarly retain responsibility for breaches of electronic protected health information even where the access vector is through an AWS account. The FTC's guidance on data security and the Safeguards Rule may impose independent obligations on certain categories of customers.

(2) GOVERNANCE EXPOSURE: Medium to High depending on customer security posture. The clause removes any shared responsibility for unauthorized access from AWS's contractual obligations, while AWS's Shared Responsibility Model documentation (published separately) describes AWS's security responsibilities for the cloud infrastructure itself. Organizations with large numbers of IAM users, API keys, or third-party integrations face elevated exposure under this clause.

(3) JURISDICTION FLAGS: EU/EEA customers should note that GDPR Article 82 assigns liability to controllers and processors based on fault, and the contractual allocation between AWS and customers does not alter data subjects' rights to seek compensation from either party. The customer account responsibility clause does not affect regulatory liability for data protection violations; it only governs the contractual relationship between AWS and the customer.

(4) CONTRACT AND VENDOR IMPLICATIONS: Security and vendor management teams should ensure that IAM policies, access control mechanisms, MFA enforcement, and credential management practices are documented and enforced to the standard required by this contractual allocation of risk. Third-party contractors and agents with AWS console or API access should be subject to formal access agreements that address the customer's exposure under this clause.

(5) COMPLIANCE CONSIDERATIONS: Incident response plans should account for the contractual responsibility for unauthorized access and include procedures for notifying AWS, assessing charges incurred during a compromise, and disputing fraudulent charges within the 60-day window established elsewhere in the agreement. Organizations should assess whether cyber insurance policies cover unauthorized cloud resource consumption resulting from account compromise.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by AWS.