AWS is probably very stringent on user privacy on the services that they specifically enter into HIPAA BAAs covering or which are associated with other data-security-compliance-related agreements or certifications.
Amazon as a whole has quite a history of using business data of people they are selling services to for their own purposes, and I wouldn’t put it past them with any AWS services not covered by the compliance agreements/certifications.
You certainly can’t rule out a large company making dumb moves, but I have gotten the impression that they’re very hesitant to do anything which would make companies stop trusting them with private data, and the controls they have, like allowing you to control the encryption policy for CodeWhisperer data, support that. It’d have to be worth a lot to make customers question whether it’s safe to use S3 (which uses the same mechanism).
Part of releasing AWS products to customers involves getting cleared by AppSec plus other compliance teams. The products are supposed to be ready months in advance before the AppSec and other teams start working on them.
Amazon and AWS have completely separate privacy/security teams and different ways of approaching it. _Every_ AWS service treats user data like radioactive material. If you're an AWS service and you're found to have a way for AWS employees to get access to customer data, that's a fast track for you and your managers to get an invite to a meeting with the CEO to explain how it happened, how you're going to fix it, and what you're going to do to make sure it never happens again. That's not an exaggeration; they take it very seriously.