
No. In short, all of them who want to act on data outside of your instructions need explicit consent.

There is a difference between a data controller and a data processor. The AWS FAQ on GDPR [1] actually has a good paragraph on it, see "Is AWS a data processor or a data controller under the GDPR?".

In your example all cloud providers and SaaS businesses like Splunk store data on your behalf and you own and control it. For them it's just a blob of data and they are supposed to be agnostic of its business meaning. With a more targeted SaaS business like Salesforce, it might be more nuanced; it depends on whether they want to do any kind of data mining / processing themselves, but if they want to, then yeah, they need explicit consent. A law like this forces SaaS companies to remove any ambiguity from their service agreements to make sure they are strictly designated as data processors when it comes to the user data their customers supply them. This AWS GDPR addendum [2] exists for this reason. Otherwise, as a small business you rarely can negotiate a tailored agreement with a large SaaS company to make sure that the data you pump into it aren't going places.

[1] https://aws.amazon.com/compliance/gdpr-center/

[2] https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf




SaaS vendors typically can use customer data both to "provide" their services but also to "improve" their services. It's not entirely clear what is and isn't okay under "improve."



