by PartiallyTyped 1159 days ago
AWS is very stringent when it comes to user privacy.
2 comments

AWS is probably very stringent on user privacy on the services that they specifically enter into HIPAA BAAs covering or which are associated with other data-security-compliance-related agreements or certifications.

Amazon as a whole has quite a history of using business data of people they are selling services to for their own purposes, and I wouldn’t put it past them with any AWS services not covered by the compliance agreements/certifications.

You certainly can’t rule out a large company making dumb moves, but I have gotten the impression that they’re very hesitant to do anything which would make companies stop trusting them with private data, and the controls they have like allowing you to control the encryption policy for CodeWhisperer data support that. It’d have to be worth a lot to make customers question whether it’s safe to use S3 (which uses the same mechanism).
Part of releasing AWS products to customers involves getting cleared by AppSec plus other compliance teams. The products are supposed to be ready months in advance before the AppSec and other teams start working on them.

For whatever reason I got flagged :')

Amazon and AWS have completely separate privacy/security teams and different ways of approaching it. _Every_ AWS service treats user data like radioactive material. If you're an AWS service and you're found to have a way for AWS employees to get access to customer data, that's a fast track for you and your managers to get an invite to a meeting with the CEO to explain how it happened, how you're going to fix it, and what you're going to do to make sure it never happens again. That's not an exaggeration, they take it very seriously.
Sounds like you trust what a big corporate entity with many arms whose primary purpose is to generate for shareholders
AWS is very different from Amazon in that regard.

I've used GCP and AWS for about equal time and Google was the one with several worrisome overreaches into customers' accounts moments. Meanwhile AWS actually lets you view and adjust the role and policy given to customer support on your account.

Fully aware AWS and Amazon are different, but my point still stands IMO. Not sure why some people have so much trust in massive corporations who ultimately are all about making money for shareholders. For some people it's like supporting a sports team. My trust in them is one of caution and low expectations.
I said that because I worked at AWS, because I have seen the internal processes in action, and because I am aware that AWS has far more to lose by looking at customer data than they can gain.
Understand that as well, but it's not always enough of a deterrent for some companies. And things change. Caution is a good thing IMO, e.g. don't lock yourself in so you're always capable of moving your solutions.