I choose a VPN service specifically because I do not want to run my own VPN service.
Doing all the right things of making it fault-resilient and robust in the face of attack, etc… are all the sorts of things I don’t want to have to do for a home-built system. If I wanted to do that, I’d go start my own VPN company and sell that service to others.
And so you are suggesting someone trust Amazon instead? Ok....
Mullvad has, so far, managed to keep a rather clean reputation and has been leading the pack on the technical side for quite a while. They were the first major provider to support WireGuard, they make it easy to pay them via all sorts of anonymous methods (including just sending cash in an envelope), and so far all info I have been able to discover shows that they are actually running and controlling their hardware in every location where they make that claim. Maybe there are better options, but among the major providers they seem to net out at the top of most lists created by people interested in privacy. As a supporting data point, the Firefox VPN is basically fronting Mullvad so if you think the Mozilla people did their due diligence homework you may consider that an additional point in Mullvad's favour.
> are you suggesting someone trust Amazon instead?
It depends on your threat model. But at some point you need to trust someone. I believe Amazon have more to lose by getting caught monitoring egress traffic than VPN operators who’ve been caught doing precisely that.
You are treating Amazon as an individual but VPN providers as a class. Cloud services have leaked data due to poor design and configuration, leaked secrets through low-level hacks on shared hosting infrastructure, and routinely comply with warrants for the Five Eyes countries in which they are located. I would suggest OP not take my word for it or the word of any particular VPN provider; do some research and see what others have to say about Mullvad and privacy.
Amazon has nothing to lose by providing the RIAA with your instance netflow data and avoiding the legal costs alone would make it worth their while. Amazon has already built an interface to this data in CloudWatch Logs to show you that they are keeping the data, so why would you presume they would lose any reputation by providing this information to a third-party upon the presentation of a valid court order?
You can effectively choose to either have Amazon (or some other CSP) or your VPN provider as your ISP. Both are technically capable, and can therefore be compelled by court order, to provide network traffic logs. But given how many stories there have been here on HN about zero-log VPN providers caught keeping logs, and how simple it is to install WireGuard I don’t see the benefit in using a VPN provider.