- March 7, 2018
- Posted by: Michael
- Category: AWS, Cloud
The General Data Protection Regulation, or GDPR, is coming into effect on May 28th. This new regulation is designed to protect the rights of data subjects in the European Union. In this article I won’t go over the what or why of the GDPR; others are much more capable of that than I am. Instead I will take a look at GDPR compliance on AWS: how the cloud services offered by AWS can help you meet the requirements of the GDPR.
On March 26 Amazon announced that all AWS services are now GDPR ready. But what does that actually mean, and what does using AWS mean for your organization when it comes to the General Data Protection Regulation? First of all, there are two aspects that matter: the technical and the organizational. The technical aspect covers a number of purely technical measures you can take to ensure that you adhere to the GDPR as a data processor. An equally important aspect is the organizational side of being a data processor. It doesn’t help to encrypt data if you then share the encryption keys freely with anyone in your organization.
Achieving GDPR compliance on AWS
First off, let me start by saying that there really is no hard yes or no answer to the question “Is my solution GDPR compliant?”. The answer depends on each specific application, project or solution. Applications that contain low-level personal data are easily made compliant: one or two technical measures and a minor organizational process update can go a long way. In other cases the amount of personal data processed and the complexity of the software stack can make this a multi-year project.
Technical requirements of the GDPR
Under Article 32 of the GDPR, an organization “…shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…”. The article then goes on to list a number of technical measures the data processor should take to protect personal data. The measures listed should sound familiar to users of AWS:
- encryption of personal data
- ensure integrity and availability
- restore availability and access to personal data in a timely manner
- testing and evaluating the effectiveness of the measures
When your infrastructure or applications make use of Amazon Web Services you have a number of tools and services at your disposal to help you comply with this new regulation. Features such as encryption of data at rest and deeply integrated auditing and logging across AWS services make it very feasible to design privacy-first solutions.
Organizational requirements of the GDPR
Besides technical measures, there are a number of organizational changes you might have to make, such as defining who has access to which data, or how you monitor changes in your environment.
One important advantage is that you inherit the compliance work done by Amazon. AWS makes sure it complies with standards such as ISO 27001 and PCI DSS, and thanks to the Shared Security Model you can take advantage of that work. All information about the various compliance programs can be found on the AWS Cloud Compliance page.
Find out more about GDPR compliance on Amazon Web Services in the AWS GDPR Center. There you can find all information about GDPR compliance on AWS and important documents such as compliance reports and the Data Processing Addendum.
4 easy-to-implement measures
1. Enable Encryption
It is very easy to enable encryption of your data on AWS. You can activate encryption for your S3 buckets, EBS volumes and RDS databases with a simple click. The list of AWS services that support encryption using KMS is very impressive. Unless you have very good reasons not to, I would always recommend encrypting privacy-sensitive data at rest.
When it comes to data in transit, you have no excuse (in my opinion) not to use the industry standard TLS. If you use AWS for your public endpoints (such as a web application served over HTTPS) then you can use free TLS/SSL certificates from AWS Certificate Manager.
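Both halves of this measure can be enforced on the bucket itself rather than left to client discipline. The following Python script is an added example and not code from the original post: it builds an S3 bucket policy that refuses uploads not sent with the SSE-KMS header (condition key s3:x-amz-server-side-encryption) and refuses any request made without TLS (global condition key aws:SecureTransport). The bucket name is a constructed placeholder. The small evaluator at the bottom only implements the two condition operators this policy uses, so the rules can be exercised offline; it is a toy, not AWS's policy engine.

```python
import fnmatch
import json
from typing import Optional

# Constructed placeholder (not from the original post): the bucket holding personal data.
BUCKET = "example-personal-data-bucket"


def encryption_bucket_policy(bucket: str) -> dict:
    """Bucket policy that rejects unencrypted uploads and any request made without TLS.

    Uses two documented condition keys: s3:x-amz-server-side-encryption (the SSE header
    sent with PutObject) and the global key aws:SecureTransport (true only over HTTPS).
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnencryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": {
                    "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
                },
            },
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def _condition_matches(condition: dict, context: dict) -> bool:
    """Toy evaluation of the two operators this policy uses; not a full IAM engine."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringNotEquals":
                # As in IAM, a negated operator also matches when the key is absent,
                # so a PutObject that sends no SSE header at all is denied.
                if actual is not None and actual == expected:
                    return False
            elif operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True


def denying_statement(policy: dict, action: str, context: dict) -> Optional[str]:
    """Return the Sid of the first Deny statement matching the request, else None.

    `context` holds the request's condition keys, e.g.
    {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "aws:kms"}.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not fnmatch.fnmatchcase(action.lower(), stmt["Action"].lower()):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    policy = encryption_bucket_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    # An SSE-KMS upload over HTTPS passes; a plaintext-transport read is denied.
    print(denying_statement(policy, "s3:PutObject",
                            {"aws:SecureTransport": "true",
                             "s3:x-amz-server-side-encryption": "aws:kms"}))
    print(denying_statement(policy, "s3:GetObject", {"aws:SecureTransport": "false"}))
```

Note the StringNotEquals semantics: a PutObject that carries no encryption header at all is also denied, which is exactly what you want for a bucket of personal data, but it means every writer (including your own application code) must send the header explicitly.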
2. Use separate IAM users and roles
I hope it goes without saying that using your root account user is a big mistake. Always follow the principle of least privilege: give users and roles only the permissions they really need. From this it also follows that you should have a separate IAM user for each person on your team. Your applications no doubt use an AWS service such as S3; make sure that the role your application uses has only the permissions it needs for that.
3. Enable Multi Factor Authentication
Activating Multi Factor Authentication – or MFA – is very easy on AWS. It is a real must to secure credentials and authentication these days.
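Measures 2 and 3 both come down to IAM policy documents, so one added example (not code from the original post) covers both. The Python script below builds a least-privilege policy for an application role that may only read, write and list objects under one prefix of one bucket, and a policy for human IAM users that denies everything except MFA self-enrolment until the session was authenticated with MFA (global condition key aws:MultiFactorAuthPresent). It also includes a small audit helper that flags Allow statements with a wildcard action, which is the first thing to look for when reviewing existing policies. Bucket name and prefix are constructed placeholders.

```python
import json
from typing import List

# Constructed placeholders (not from the original post).
APP_BUCKET = "example-personal-data-bucket"
APP_PREFIX = "uploads/"

# Calls a user needs to enrol their own MFA device; everything else is denied until MFA is used.
MFA_SELF_SERVICE_ACTIONS = [
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "iam:ListMFADevices",
    "iam:ListVirtualMFADevices",
    "iam:GetUser",
]


def app_role_policy(bucket: str, prefix: str) -> dict:
    """Least-privilege policy for an application role: read and write objects under one
    prefix of one bucket, and list only that prefix. No wildcards on action or resource."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ObjectAccessUnderPrefix",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"{bucket_arn}/{prefix}*",
            },
            {
                "Sid": "ListOnlyThatPrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": bucket_arn,
                "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}},
            },
        ],
    }


def require_mfa_policy() -> dict:
    """Policy for human IAM users: allow MFA self-enrolment on the caller's own user and
    MFA resource, deny everything else whenever the session was not authenticated with MFA.
    BoolIfExists is used because aws:MultiFactorAuthPresent is absent for some credential types."""
    own_resources = ["arn:aws:iam::*:mfa/${aws:username}", "arn:aws:iam::*:user/${aws:username}"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowListMfaDevices",
                "Effect": "Allow",
                "Action": ["iam:ListVirtualMFADevices"],
                "Resource": "*",
            },
            {
                "Sid": "AllowManageOwnMfa",
                "Effect": "Allow",
                "Action": [a for a in MFA_SELF_SERVICE_ACTIONS if a != "iam:ListVirtualMFADevices"],
                "Resource": own_resources,
            },
            {
                "Sid": "DenyAllExceptMfaSetupWithoutMfa",
                "Effect": "Deny",
                "NotAction": MFA_SELF_SERVICE_ACTIONS,
                "Resource": "*",
                "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
            },
        ],
    }


def overly_broad_statements(policy: dict) -> List[str]:
    """Audit helper: Sids (or positions) of Allow statements granting a wildcard action
    ("*" or "service:*"). Such statements contradict least privilege and deserve a review."""
    flagged = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(a == "*" or a.endswith(":*") for a in actions):
            flagged.append(stmt.get("Sid", f"statement[{i}]"))
    return flagged


if __name__ == "__main__":
    print(json.dumps(app_role_policy(APP_BUCKET, APP_PREFIX), indent=2))
    print(json.dumps(require_mfa_policy(), indent=2))
    # A typical "just make it work" policy, to show what the audit flags.
    print(overly_broad_statements({"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}))
```

The MFA policy is attached to the IAM users (or a group they belong to), not to application roles: a role assumed by an EC2 instance or Lambda function never presents MFA, and BoolIfExists lets those calls through while still blocking a human's non-MFA session.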
4. Enable CloudTrail
CloudTrail is a very handy service that logs all actions in your AWS account. Once activated, every API call is logged, including all actions performed via the AWS Management Console or the AWS CLI.
With all this data available you can easily audit who did what in your environment.
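What such an audit looks like in practice, as an added example that is not part of the original post: the Python script below parses a CloudTrail log file (a JSON object with a top-level Records list), tabulates which identity made which API call, and flags the records a reviewer would want to see first: root user activity, console logins without MFA, and calls that switch the trail itself off. The embedded records are constructed sample data, not real logs; they follow the CloudTrail record layout (userIdentity, eventSource, eventName, additionalEventData.MFAUsed).

```python
import json
from collections import Counter
from typing import Dict, List

# Constructed sample CloudTrail records (not real log data from the post). Field names
# follow the CloudTrail record layout; IPs are from documentation ranges.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2018-03-07T09:12:01Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2018-03-07T09:20:44Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2018-03-07T10:02:13Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketEncryption", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "example-personal-data-bucket"}},
    {"eventTime": "2018-03-07T10:05:57Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "example-trail"}},
]})

# API calls that switch the audit log itself off or alter it; worth alerting on every time.
TRAIL_TAMPERING_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def load_records(text: str) -> List[dict]:
    """Parse one CloudTrail log file (a JSON object with a top-level "Records" list)."""
    return json.loads(text)["Records"]


def actor(record: dict) -> str:
    """Human-readable identity: IAM user name, 'root' for the root user, else ARN or type."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def who_did_what(records: List[dict]) -> Counter:
    """The audit view the post describes: how often each actor performed each API call."""
    return Counter((actor(r), r["eventName"]) for r in records)


def findings(records: List[dict]) -> List[Dict[str, str]]:
    """Flag the records a GDPR-minded reviewer would want to see first."""
    out = []
    for r in records:
        base = {"actor": actor(r), "eventName": r["eventName"], "eventTime": r["eventTime"],
                "sourceIPAddress": r.get("sourceIPAddress", "")}
        if r.get("userIdentity", {}).get("type") == "Root":
            out.append({"rule": "root-activity", **base})
        if r["eventName"] == "ConsoleLogin" and r.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            out.append({"rule": "console-login-without-mfa", **base})
        if r["eventName"] in TRAIL_TAMPERING_EVENTS:
            out.append({"rule": "cloudtrail-logging-changed", **base})
    return out


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    for (who, what), n in sorted(who_did_what(recs).items()):
        print(f"{who:8} {what:22} {n}")
    for f in findings(recs):
        print(f"[{f['rule']}] {f['eventTime']} {f['actor']} {f['eventName']} from {f['sourceIPAddress']}")
```

In a real deployment the same functions would run over the gzipped files CloudTrail delivers to S3, or as a query in CloudWatch Logs; the StopLogging rule matters because an audit trail that can be silently switched off does not satisfy the "testing and evaluating the effectiveness of the measures" point from Article 32.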
How can I help you achieve GDPR compliance on AWS?
If you have an existing AWS application or solution, chances are that you will need to make some changes to comply with the GDPR. My experience as a freelance AWS Solutions Architect ensures that I can quickly detect any weak spots your current architecture might have with regards to data security and the privacy of personal data. Don’t hesitate to contact me to discuss any questions you might have.