They have 100% hypervisor access. To give them zero knowledge, you need full homomorphic encryption which is impractical at this point (and likely for a while).

You may trust them not to abuse hypervisor access, but they still have network “meta” data - it could tell them how many transactions clear against credit processors (though not the actual amounts if encrypted), a good idea general distribution of page views With respect to time and user ip (though not the exact pages), times of day, demographics of users (Geo locations and ISPs, for example)

If you don’t trust them not to peek at what they can, don’t use them. He is perfectly right.

There are other cloud providers who aren’t competing with B&H and would be a better choice. But amazon is a direct competitor to B&H, even if they do have an IT barrier - they cross subsidize; any $ paid to Amazon helps it against B&H.

Even if homomorphic encryption was practical, you would need hardware to decrypt that would have to be either on the cloud oron premise.

If any decryption of your data occurs on AWS hardware (i.e. if your software in AWS has access to your unencrypted data), then wouldn't AWS also have access to it if they wanted? Even with encrypted volumes, etc, the decrypted data is present in memory, AWS controls the box with the memory in it.

Yep, this is how computers work. Not saying this to be snarky, just... it's surprising how many people don't know this. And when I say 'people' I mean 'Professional Software Engineers with Years of Experience in the Industry'

> There are ways that you can use AWS that Amazon would have no way to access any of your data even if they wanted to.

Is it worth the extra effort and moving already functional servers to do so?

> There are ways that you can use AWS that Amazon would have no way to access any of your data even if they wanted to.

Please explain, as I'd like to know how.