On 11 June 2025, the Personal Information Protection Commission (PIPC) of the Republic of Korea announced the results of its security assessment concerning Amazon Web Services (AWS), Azure, and Naver Cloud Platform (NCP) cloud services. The assessment focused on virtual machines and databases to evaluate whether these services enable compliance with the Personal Information Protection Act (PIPA). The PIPC found that while all three platforms provide core security functions, users must manually configure features such as setting up sub-accounts for least-privilege access and configuring IP whitelisting for system access. The assessment also highlighted that all three platforms require paid subscriptions for important security features. Advanced threat detection, encryption key management, and malware prevention capabilities are primarily offered as add-on services. Furthermore, all three platforms failed to retain logs by default for the full one to three years mandated by PIPA. AWS and NCP both require extra steps for non-administrator accounts to configure multi-factor authentication. The PIPC recommended that providers offer clearer documentation explaining how to configure compliance-critical features and that they collaborate with the Korea Internet and Security Agency (KISA) to educate businesses.