
I honestly don't get the distinction you're making here. I understand how people _can_ use AWS without ever letting sensitive data touch their disks, but most apps hand everything over wholesale (and frequently in a nicely structured format on RDS).

The legal distinction you're making doesn't sound right to me. Contracts for companies that access your data aren't usually about whether or not an attacker can get at it, but about what kind of access an employee of the service itself has.

Amazon _technically_ has complete access to your data when you run on AWS, but they're contractually limited in how they can use it. The same goes for third party SaaS services. The major difference is "who writes the logic".

But I'm not a lawyer and won't ever have to argue that somewhere it matters.



Amazon is selling an abstraction, and goes to great expense to not have access to customer data. If you are a HIPAA covered entity, they sign a BAA that puts them on the hook.

It's like the difference between putting your papers in a storage locker versus your friend's garage. The storage company ultimately has access to the locker, but is less likely to snoop (either consciously or accidentally) than any of the folks with access to that garage.


But you've just described a contractual agreement. You're still sending data to a third party. I'm not sure we're disagreeing here.


Would this be a better way to distinguish?

AWS does not care about the data, does not want to see the data and goes out of its way to make it damn hard for it to see the data. The data is a black box to them and this is by design. You are not sending them the raw data in a format that they require for analyses. You are just sending them bits and bytes that they store for you.

The analysis third parties in this case are the exact opposite. They explicitly require access to their data in a certain format for analysis. In fact, their business fails if they don't have access to this data.

They are both technically third parties but the way they handle the data is completely different. One has every incentive to avoid reading the data, the other has every incentive to hoover everything it can.


I just don't think that's a meaningful distinction. There's no distinct line between "company that hosts all your data but doesn't analyze it" and "company that does data analytics on your data". It's a gradient, there are all kinds of companies that fit on that gradient, and it's weird to lambast people for using those companies as if it's a technical choice, when what we really want is people making good choices about the data protections their providers have in place.

AWS even has analytics products that require access to your data. I generally trust those more than sketchy analytics companies, but it's entirely because of the contractual protections AWS has in place, not because they're inherently different.



