The GDPR defines two types of companies: processors and controllers. The crucial distinction is (roughly) if a company makes decisions. Someone performing targeting or operating a website is probably a controller, whereas AWS, who makes no decisions and just follows directions, is a processor.
If you don't want to be a processor, the best thing to do is probably in your contracts disallow usage of your service for anything containing GDPR covered personal data.
As for access logs, those will be some mixture of the two bases offered in the GDPR. Some will be required by legitimate interests (such as those collected for legal requirements) and some will be subject to consent. This is a complex discussion.
If you don't want to be a processor, the best thing to do is probably in your contracts disallow usage of your service for anything containing GDPR covered personal data.
As for access logs, those will be some mixture of the two bases offered in the GDPR. Some will be required by legitimate interests (such as those collected for legal requirements) and some will be subject to consent. This is a complex discussion.