General Data Protection Regulation (GDPR) Center


Overview

The European Union’s General Data Protection Regulation (GDPR) protects European Union data subjects' fundamental right to privacy and the protection of personal data. It introduces robust requirements that will raise and harmonize standards for data protection, security, and compliance.


In addition to our own compliance, AWS is committed to offering services and resources to our customers to help them comply with GDPR requirements that may apply to their activities. New features are launched regularly, and AWS has 500+ features and services focused on security and compliance.

GDPR Enablement in Your AWS Environment

AWS provides specific features and services which customers can leverage as they seek to comply with the GDPR.

Encrypt Data on AWS:

  • Encryption of your data at rest with AES256 (EBS/S3/Glacier/RDS)
  • Centralized managed Key Management (by AWS Region)
  • IPsec tunnels into AWS with the VPN-Gateways
  • Dedicated HSM modules in the cloud with AWS CloudHSM

Get an overview about activities on your AWS resources:

  • Asset Management and Configuration with AWS Config
  • Auditing and security analytics with AWS CloudTrail
  • Detailed information about flows in the network through Amazon VPC-FlowLogs
  • Rule-based configuration checks and actions with AWS Config Rules
  • Filtering and monitoring of HTTP access to applications with AWS WAF functions in AWS CloudFront

Allow only authorized administrators, users and applications:

  • Multi-Factor-Authentication (MFA)
  • Fine-grained access to objects in Amazon S3, Amazon SQS, and Amazon SNS
  • API-Request Authentication
  • Geo-Restrictions
  • Temporary access tokens through AWS Security Token Service

Customers control their customer content. With AWS, customers:

  • Determine where their customer content will be stored, including the type of storage and geographic region of that storage.
  • Choose the secured state of their customer content. We offer customers strong encryption for customer content in transit or at rest, and we provide customers with the option to manage their own encryption keys.
  • Manage access to their customer content and AWS services and resources through users, groups, permissions and credentials that customers control.

The Security by Design (SbD) approach is meant to achieve the following:

  • Creation of forcing functions that users who are not authorized to modify them cannot override.
  • Establishing reliable operation of controls.
  • Enabling continuous and real-time auditing.
  • The technical scripting of your governance policy.

AWS alignment with ISO 27018 has been validated by an independent third-party assessor. ISO 27018 is the first international code of practice that focuses on protection of personal data in the cloud. It is based on the ISO information security standard 27002 and provides implementation guidance on ISO 27002 controls applicable to Personally Identifiable Information (PII) processed by public cloud service providers. This demonstrates to customers that AWS has a system of controls in place that reflects AWS' commitment to the privacy and protection of customer content.

Leverage AWS Services

Amazon Macie

Proactively protect Personally Identifiable Information (PII) and know when it moves.

AWS Identity and Access Management (IAM)

Create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.


AWS Config

Simplify compliance auditing, security analysis, change management, and operational troubleshooting.

Amazon Inspector

Define standards and best practices for your applications and validate adherence to these standards.


Amazon GuardDuty

Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads.

AWS Key Management Service (KMS)

Easily create and control the keys used to encrypt your data.


GDPR FAQ

  • What is the GDPR?

    The General Data Protection Regulation (GDPR) is a new European privacy law due to become enforceable on May 25, 2018. The GDPR will replace the EU Data Protection Directive, also known as Directive 95/46/EC, and is intended to harmonize data protection laws throughout the European Union (EU) by applying a single data protection law that is binding throughout each member state.

  • Who does the GDPR apply to?

    The GDPR applies to all organizations established in the EU and to organizations, whether or not established in the EU, that process the personal data of EU data subjects in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behavior that takes place within the EU. Personal data is any information relating to an identified or identifiable natural person.

  • What happens to current EU data protection laws after the GDPR comes into effect?

    The GDPR will replace the existing Data Protection Directive (Europe Directive 95/46/EC). Beginning on May 25, 2018, the existing Data Protection Directive, and the laws relating to it, will no longer apply.

  • What has AWS been doing in preparation for the GDPR?

    AWS compliance, data protection, and security experts have been working with customers around the world to answer their questions and help them prepare for running workloads in the AWS Cloud after the GDPR becomes enforceable. These teams have also been reviewing everything that AWS already does to ensure it complies with the requirements of the new GDPR. We can confirm that all AWS Services are GDPR ready.

    In addition, we have a new Data Processing Agreement (GDPR DPA) that will meet the requirements of the GDPR. This GDPR DPA is available to all AWS customers to help them prepare for May 2018. For additional information on the GDPR DPA, or to obtain a copy, please contact your AWS Account Manager.

    Recently, AWS also announced compliance with the CISPE Code of Conduct. The CISPE Code of Conduct helps cloud customers assess how their cloud infrastructure provider complies with its data protection obligations under the GDPR. AWS has declared that Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), Amazon Relational Database Service (Amazon RDS), AWS Identity and Access Management (IAM), AWS CloudTrail, and Amazon Elastic Block Store (Amazon EBS) are fully compliant with the CISPE Code. This provides customers with additional assurances regarding their ability to fully control their data in a safe, secure, and compliant environment when they use AWS. More detail on AWS' compliance with the CISPE Code of Conduct can be found at the website: https://cispe.cloud/

    AWS continually maintains a high bar for security and compliance across all of our global operations. Security has always been our highest priority – truly "job zero." Our industry-leading security provides the foundation for our long list of internationally recognized certifications and accreditations, demonstrating compliance with rigorous international standards, such as ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1 and others. AWS also helps customers meet local security standards such as BSI's Common Cloud Computing Controls Catalogue (C5), which is important in Germany.

  • Does AWS comply with a Code of Conduct, as reflected in the requirements of the GDPR?

    AWS announced compliance with the CISPE Data Protection Code of Conduct. CISPE is a coalition of cloud infrastructure (also known as Infrastructure as a Service) providers who offer cloud services to customers in Europe. The CISPE Code of Conduct helps cloud customers ensure that their cloud infrastructure provider is using appropriate data protection standards to protect their data consistent with the GDPR. A few key benefits of the Code include:

    • Clarifying who is responsible for what when it comes to data protection: The Code of Conduct explains the role of both the provider and the customer under the GDPR, specifically within the context of cloud infrastructure services.
    • The Code of Conduct sets out what principles providers should adhere to: The Code of Conduct outlines the actions and commitments that providers should undertake to comply with the GDPR and help customers comply.
    • The Code of Conduct gives customers information, relating to data protection and data security, that they need to make decisions about compliance: The Code of Conduct requires providers to be transparent about the steps they are taking to deliver on their security commitments. These steps involve notifications relating to data breaches, data deletion, and third-party sub-processing, as well as law enforcement and governmental requests. Customers can use this information to gain a full understanding of the high levels of security provided.

    For consideration of how AWS treats law enforcement requests, please see: "Addressing Data Residency with AWS".

  • What changes will the GDPR introduce to organisations operating in the EU?

    One of the key aspects of the GDPR is that it creates consistency across EU member states on how personal data can be processed, used, and exchanged securely. Organizations will need to demonstrate the security of the data they are processing and their compliance with GDPR on a continual basis, by implementing and regularly reviewing robust technical and organisational measures, as well as compliance policies.

  • What services does AWS offer customers to help them comply with the GDPR?

    AWS is already providing specific features and services which help customers to meet requirements of GDPR:

    Access Control: Allow only authorized administrators, users and applications access to AWS resources

    • Multi-Factor-Authentication (MFA)
    • Fine-grained access to objects in Amazon S3 buckets, Amazon SQS, Amazon SNS and others
    • API-Request Authentication
    • Geo-Restrictions
    • Temporary access tokens through AWS Security Token Service

    Monitoring and Logging: Get an overview about activities on your AWS resources

    • Asset Management and Configuration with AWS Config
    • Compliance Auditing and security analytics with AWS CloudTrail
    • Identification of configuration challenges through AWS Trusted Advisor
    • Fine-grained logging of access to Amazon S3 objects
    • Detailed information about flows in the network through Amazon VPC-FlowLogs
    • Rule-based configuration checks and actions with AWS Config Rules
    • Filtering and monitoring of HTTP access to applications with WAF functions in AWS CloudFront

    Encryption: Encrypt Data on AWS

    • Encryption of your data at rest with AES256 (EBS/S3/Glacier/RDS)
    • Centralized managed Key Management (by AWS Region)
    • IPsec tunnels into AWS with the VPN-Gateways
    • Dedicated HSM modules in the cloud with AWS CloudHSM

    Strong Compliance Framework and Security Standards:

    • ISO 27001/9001 certified
    • ISO 27017/27018 certified
    • Cloud Computing Compliance Controls Catalog (C5 - German Government-backed attestation scheme)
    • AWS, alongside auditor TÜV TRUST IT, has published a Customer Certification Workbook that provides guidance on achieving German BSI IT Grundschutz compliance in the Cloud

  • What can customers do in preparation for the GDPR?

    For those that have already implemented a high bar for compliance, security, and data privacy, the move to GDPR should be simple. For those who are yet to start their journey to GDPR compliance, we urge you to start reviewing your security, compliance, and data protection processes now to ensure a smooth transition in May 2018. Here are some of the key points that you should consider for GDPR compliance:

    • Territorial Reach: Determining whether the GDPR applies to an organisation’s activities is essential to ensuring that organisation's ability to satisfy its compliance obligations. The GDPR applies to all organisations that are established in the EU. However, depending on your activities, the GDPR may also apply to you if you are established outside the EU.
    • Data Subject Rights: The GDPR enhances the rights of data subjects in a number of ways. For example, data subjects have the right to object to the processing of their data and they have the right to data portability. You will need to make sure you can accommodate the rights of data subjects if you are processing their personal data.
    • Data Breach Notifications: If you are a data controller, you will need to report data breaches to the data protection authorities without undue delay. Using AWS gives you control over how you want to process personal data and protect it. This gives you the ability to monitor your own environment for privacy breaches and to notify regulators and affected individuals as required under the GDPR. In addition, AWS will notify you without undue delay if we are aware of a breach of our security standards relating to the AWS network.
    • Data Protection Officer (DPO): You may need to appoint a DPO who will need to manage data security and other issues relating to the processing of personal data.
    • Data Protection Impact Assessment (DPIA): You may need to conduct, and in some circumstances you may be required to file with the supervisory authority, a DPIA for your processing activities. This will need to identify your data handling procedures and processes, as well as the controls in place to protect personal data.
    • Data Processing Agreement (DPA): You may need a DPA that will meet the requirements of the GDPR particularly if personal data is transferred outside the EEA. AWS offers customers a GDPR DPA that is available on request to help customers prepare for next May.

    AWS offers a wide range of services and specific service features which help customers to meet requirements of the GDPR, including services for access controls, monitoring, logging and encryption. More information on these can be found in the section above, "What services does AWS offer customers to help them comply with the GDPR?"

    We also have teams of compliance, data protection, and Security experts, as well as AWS Partner Network Partners, working with customers across Europe to answer their questions and help them prepare for running workloads in the cloud after the GDPR becomes enforceable. For additional information on this, please contact your AWS Account Manager.

  • Does AWS offer a Data Processing Addendum (DPA)?

    Yes. AWS offers a GDPR-compliant Data Processing Addendum (DPA), enabling you to comply with GDPR contractual obligations. For more information on how customers can enter into the AWS Data Processing Addendum, please visit here.

  • Are AWS Services GDPR compliant?

    AWS services comply with the General Data Protection Regulation (GDPR). This means that, in addition to benefiting from all of the measures that AWS already takes to maintain services security, customers can deploy AWS services as a key part of their GDPR compliance plans. For more details, see our GDPR services readiness announcement in the AWS Security Blog: https://aws.amazon.com/blogs/security/all-aws-services-gdpr-ready/.

  • What is AWS’s role under the GDPR? Is AWS a data processor or a data controller?

    AWS acts as both a data processor and a data controller under the GDPR.

    • AWS as a data processor – When customers and AWS Partner Network (APN) Partners use AWS services to process personal data in their content, AWS acts as a data processor. Customers and APN Partners can use the controls available in AWS services, including security configuration controls, for the handling of personal data. Under these circumstances, the customer or APN Partner may act as a data controller or data processor itself, and AWS acts as a data processor or sub-processor. AWS offers a GDPR-compliant Data Processing Addendum (DPA) that incorporates AWS’s commitments as data processor.
    • AWS as a data controller – When AWS collects personal data and determines the purposes and means of processing that personal data – for example, when AWS stores account information for account registration, administration, services access, or contact information for the AWS account to provide assistance through customer support activities – it acts as a data controller.

  • How does the GDPR affect AWS’s shared responsibility model?

    The GDPR does not change the AWS shared responsibility model, which continues to be relevant for customers and APN Partners who are focused on using cloud computing services. The shared responsibility model is a useful approach to illustrate the different responsibilities of AWS (as a data processor or sub-processor) and customers or APN Partners (as either data controllers or data processors) under the GDPR.

    Under the shared responsibility model, AWS is responsible for securing the underlying infrastructure that supports the cloud, and customers and APN partners, acting either as data controllers or data processors, are responsible for any personal data they put on the cloud.

    AWS Responsibilities as a data processor

    AWS is responsible for protecting the global infrastructure that runs all of the services offered in the AWS cloud. This infrastructure is comprised of the hardware, software, networking, and facilities that run AWS services, which provide powerful controls to customers and APN Partners, including security configuration controls, for the handling of customer content. Protecting this infrastructure is AWS’s number one priority. AWS provides several compliance reports from third-party auditors who have verified our compliance with a variety of computer security standards and regulations (for more information, visit: https://aws.amazon.com/compliance). These reports show our customers and APN Partners that we are protecting the personal data they choose to process on AWS. Good examples include AWS’s ISO 27001, 27017, and 27018 compliance. ISO 27018 contains security controls that focus on protection of personal data. Details on AWS’s ISO 27018 compliance can be found here: https://aws.amazon.com/compliance/iso-27018-faqs/.

    AWS is also responsible for the security configuration of its technologies that are considered managed services. Examples of these include Amazon DynamoDB, Amazon RDS, Amazon Redshift, Amazon Elastic MapReduce, and several other services. These services provide the scalability and flexibility of cloud-based resources with the additional benefit of being managed. For these services, AWS handles basic security tasks like operating system (OS) security and database patching, firewall configuration, and disaster recovery. For managed services, customers and APN Partners configure the logical access controls for their resources and protect their account credentials. A few of them may require additional tasks, such as setting up database user accounts, but overall the security configuration work is performed by the service. In all these services customers and APN Partners are still responsible for any personal data they put on the cloud.

    AWS also offers a GDPR-compliant Data Processing Addendum (DPA) that incorporates AWS’s commitments as data processor. This DPA is available to all AWS customers and APN partners to help with their compliance needs. For additional information about the new GDPR DPA or to obtain a copy, contact your AWS account manager.

    Customer and APN Partner responsibilities as data controllers — and how AWS services can help:

    With the AWS cloud, customers and APN partners can provision virtual servers, storage, databases, and desktops in minutes instead of weeks. They can also use cloud-based analytics and workflow tools to process data as they need it, and then store it in their own data centers or in the cloud. The AWS services customers and APN partners use will determine how much configuration work they have to perform as part of their GDPR responsibilities. AWS products that fall into the category of Infrastructure as a Service (IaaS)—such as Amazon EC2, Amazon VPC, and Amazon S3—are completely under a customer’s or APN Partner’s control and require them to perform all of the necessary security configuration and management tasks. For example, for EC2 instances, they are responsible for management of the guest OS (including updates and security patches), any application software or utilities installed on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance—security tasks that need to be performed no matter where servers are located.

    To realize data protection by design and by default principles, we recommend customers and APN Partners protect their AWS account credentials and set up individual user accounts with AWS Identity and Access Management (IAM) so that each user has his or her own credentials, enabling permission-based access to data and segregation of duties by user role. We also recommend using multi-factor authentication (MFA) with each account, requiring the use of SSL/TLS to communicate with AWS resources, setting up API/user activity logging with AWS CloudTrail, taking advantage of AWS encryption solutions, and other security controls within AWS services. Customers and APN Partners can also use advanced security services, such as Amazon GuardDuty, for account and infrastructure security, and Amazon Macie, to assist discovery and securing of personal data stored in Amazon S3, for GDPR compliance.
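    Two of the recommendations above (MFA on every account, TLS required for access to AWS resources) are things a customer can verify rather than just assert. The following is an added example, not AWS code or a page from the AWS documentation: it checks a constructed IAM credential report (the column names are the real ones returned by IAM's credential report; the users and dates are made up) for console-capable principals without MFA, and checks a constructed S3 bucket policy for a statement that denies requests made without TLS via the aws:SecureTransport condition key. The account ID, user names and bucket name are placeholders.

```python
"""Audit checks for two 'data protection by design' recommendations.

Added example, not AWS code. Runs offline on constructed inputs:
  1. an IAM credential report in the CSV layout of get-credential-report
     (real column names, fictional rows), and
  2. an S3 bucket policy, checked for a Deny on aws:SecureTransport=false.
"""
import csv
import io

ROOT_USER = "<root_account>"  # name IAM uses for the root row in the report

# Constructed credential report: real column names, fictional users.
CREDENTIAL_REPORT_CSV = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2017-01-01T00:00:00+00:00,not_supported,2018-03-01T09:15:00+00:00,not_supported,not_supported,false,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2017-06-12T10:00:00+00:00,true,2018-03-02T08:00:00+00:00,2018-01-10T12:00:00+00:00,2018-04-10T12:00:00+00:00,true,true,2018-01-10T12:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,2017-09-03T10:00:00+00:00,true,2018-02-28T17:30:00+00:00,2017-09-03T10:00:00+00:00,2017-12-02T10:00:00+00:00,false,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2017-11-20T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2017-11-20T10:00:00+00:00
"""


def users_without_mfa(report_csv):
    """Return principals that can sign in with a password but have no MFA device.

    Access-key-only users (password_enabled == 'false') cannot use the console,
    so they are not flagged. The root user is always console-capable even though
    the report prints 'not_supported' for its password column, so it is always
    checked.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        console_capable = row["password_enabled"] == "true" or row["user"] == ROOT_USER
        if console_capable and row["mfa_active"] != "true":
            findings.append(row["user"])
    return findings


# Constructed bucket policy that implements "require SSL/TLS": a Deny that
# matches every request where aws:SecureTransport is false (placeholder bucket).
TLS_ONLY_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::example-bucket",
                "arn:aws:s3:::example-bucket/*",
            ],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }
    ],
}


def policy_requires_tls(policy):
    """True if a statement denies all principals whenever aws:SecureTransport is false."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Deny":
            continue
        bool_cond = st.get("Condition", {}).get("Bool", {})
        value = bool_cond.get("aws:SecureTransport")
        all_principals = st.get("Principal") in ("*", {"AWS": "*"})
        if all_principals and str(value).lower() == "false":
            return True
    return False


if __name__ == "__main__":
    print("console users without MFA:", users_without_mfa(CREDENTIAL_REPORT_CSV))
    print("bucket policy enforces TLS:", policy_requires_tls(TLS_ONLY_BUCKET_POLICY))
```

    The MFA check deliberately treats the root user as console-capable regardless of what the report's password column says, because that row is reported as `not_supported` rather than `true`; a naive filter on `password_enabled == "true"` would silently skip the most sensitive principal in the account.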

    For more information about additional measures customers can take, and solutions that AWS offers, please refer to the AWS Security Best Practices whitepaper and recommended reading on the AWS Security Resources webpage available at: https://aws.amazon.com/security/.

  • Whom should I contact if I have questions regarding GDPR and AWS?

    We recommend that customers and APN Partners with questions regarding data protection or AWS and GDPR contact their AWS account manager first. If customers have signed up for Enterprise Support, they can reach out to their Technical Account Manager (TAM) as well. TAMs work with Solutions Architects to help customers identify potential risks and potential mitigations. TAMs and account teams can also point customers and APN Partners to specific resources based on their environment and needs.

    AWS also has teams of Enterprise Support Representatives, Professional Services Consultants, and other staff to help with GDPR questions. To help further educate customers and APN Partners, AWS is also running a number of speaking engagements, webinars, and workshops at AWS Summits and AWS Pop-up Lofts to help them understand GDPR and implement solutions using AWS tools.

  • What technical guidance around GDPR does AWS offer to customers and APN Partners?

    AWS offers customers and APN Partners a number of resources to help them on their journey to GDPR compliance. AWS has teams of Enterprise Support Representatives, Professional Services Consultants, and other staff to help customers and APN Partners with GDPR questions. AWS is also running a number of speaking engagements, webinars, and workshops at AWS Summits and AWS Pop-up Lofts to help customers and APN Partners understand GDPR and implement data protection by design and by default, using AWS tools.

  • Will AWS offer Professional Services help on GDPR compliance?

    The AWS Professional Services team is running a number of activities to help customers and APN Partners on their journey to GDPR compliance. Professional Services Consultants are helping answer GDPR questions by delivering private consulting sessions as well as public speaking engagements, webinars, and workshops at AWS Summits and AWS Pop-up Lofts. The AWS Professional Services team is also working directly with customers and APN Partners to offer them technical guidance around GDPR and implement data protection by design and by default, using AWS tools. More details on how AWS Professional Services Consultants are helping customers and APN Partners can be found at: https://aws.amazon.com/professional-services/.

  • How can AWS Support help me in my journey to GDPR compliance?

    AWS Premium Support works with customers and APN Partners to provide technical guidance to help them on their road to GDPR compliance. As part of this activity we currently have teams of Cloud Support Engineers and Technical Account Managers that are trained to help identify and mitigate compliance risks. Two programs that customers and APN Partners may find useful as they pursue GDPR compliance are:

    • Cloud Operations Review – Available to AWS Enterprise Support customers, this program is designed to help identify gaps in their approach to operating in the cloud. Originating from a set of operational best practices distilled from AWS’s experience with a large set of representative customers, this program provides a review of cloud operations and the associated management practices, which can help organizations in their journey to GDPR compliance. The program uses a four-pillared approach with a focus on preparing, monitoring, operating, and optimizing cloud-based systems in pursuit of operational excellence.
    • Well-Architected Review – This program allows organizations to measure their architecture against AWS best practices and to construct architectures that are secure, reliable, high performing, and cost-effective. Well-Architected Reviews also allow customers and APN Partners to understand where they have risks in their architecture and address them before applications are put into production.

    Customers and APN Partners looking to understand how AWS Premium Support can help them can find more information in the AWS Support Center, available through the AWS console (https://console.aws.amazon.com/support/), by using the contact details specified in the Enterprise Support Agreement entered into with AWS, or by visiting the AWS Premium Support page at: https://aws.amazon.com/premiumsupport/. Customers with Enterprise Support should reach out to their TAM with GDPR related questions.

  • Does AWS have sub-processors?

    We proactively inform our customers and APN Partners of any subcontractors who have access to content uploaded onto AWS, including content that may contain personal data, here: https://aws.amazon.com/compliance/third-party-access/.

  • What tools does AWS give me to implement technical and organizational measures required for data protection by design and by default?

    Many of the GDPR requirements center on the control and protection of data. AWS services provide customers and APN Partners with the capability to implement their own security measures in compliance with GDPR, including specific tactical measures such as:

    • The encryption of personal data
    • The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
    • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
    • A process for regularly testing, assessing, and evaluating the effectiveness of technical measures for ensuring the security of the processing

    AWS has an advanced set of security and compliance services that can be deployed to help handle the requirements of GDPR, including:

    • Amazon GuardDuty - a service featuring intelligent threat detection and continuous monitoring of malicious or unauthorized behavior
    • Amazon Macie - a machine learning tool to assist discovery and classification of personal data stored in Amazon S3
    • Amazon Inspector - an automated security assessment service to keep applications in conformity with best security practices
    • AWS Config Rules - a feature that enables you to dynamically check cloud resources for compliance with security rules

    AWS has also published a whitepaper, “Navigating GDPR Compliance on AWS,” dedicated to this topic. This paper considers and details how to specifically tie resources to concepts such as monitoring, data access, and key management. 

  • What security measures does AWS have in place to protect systems?

    The AWS Cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. Amazon’s scale allows significantly more investment in security policing and countermeasures than almost any large company could afford on its own. This infrastructure is comprised of the hardware, software, networking, and facilities that run AWS services, which provide powerful controls to customers and APN Partners, including security configuration controls, for the handling of personal data. More details on the measures AWS puts in place to maintain consistently high levels of security can be found in the AWS "Overview of Security Processes Whitepaper".

    AWS also provides several compliance reports from third-party auditors who have tested and verified our compliance with a variety of computer security standards and regulations – including ISO 27001, ISO 27017, and ISO 27018. To provide transparency on the effectiveness of these measures, we give our customers and APN Partners access to the third party audit reports through the AWS Management Console. These reports show our customers and APN Partners, who may act as either data controllers or data processors, that we are protecting the underlying infrastructure upon which they store and process personal data. For more information, visit: https://aws.amazon.com/compliance

  • How can AWS help data controllers meet their obligations under the GDPR, regarding notifications of personal data breaches?

    AWS has a security incident monitoring and data breach notification process in place and will support and inform customers and APN Partners of any confirmed breach of AWS systems. AWS also gives customers and APN Partners a number of tools to understand who has access to their resources, when, and from where. One of these tools is AWS CloudTrail, which enables governance, compliance, operational auditing, and risk auditing of an AWS account. With AWS CloudTrail, customers can log, continuously monitor, and retain information about account activity related to actions across their AWS infrastructure. This helps organizations understand what is happening with their AWS infrastructure and take action on any unusual activity immediately. For more information on AWS CloudTrail, and the other security tools AWS gives customers to help meet their obligations as data controllers under the GDPR, visit: https://aws.amazon.com/security/.
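    The "who, when, and from where" questions above are answered from CloudTrail records. The following is an added example, not AWS code: it reviews a small set of constructed CloudTrail records (the JSON layout follows the real CloudTrail record format, but the account ID, users, IP addresses and trail name are made-up placeholders) and flags the three things a data controller preparing a breach assessment would want surfaced first: any activity by the root user, console sign-ins completed without MFA, and API calls that change or stop the audit trail itself.

```python
"""Review constructed CloudTrail records for root use, non-MFA sign-ins and
changes to the trail itself. Added example, not AWS code; the records follow
the real CloudTrail JSON layout but every value in them is constructed."""
import json

# Constructed trail file: placeholder account, users, IPs and trail name.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2018-03-02T08:00:12Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventVersion": "1.05", "eventTime": "2018-03-02T21:41:03Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventVersion": "1.05", "eventTime": "2018-03-02T21:43:55Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"name": "org-trail"}},
    {"eventVersion": "1.05", "eventTime": "2018-03-02T22:10:40Z",
     "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "requestParameters": {"bucketName": "customer-records"}},
]})

# CloudTrail API calls that weaken or silence the audit trail.
AUDIT_TRAIL_CHANGES = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def review_trail(trail_json):
    """Return (finding_code, actor, event_time, source_ip, event_name) tuples.

    One record can produce more than one finding, e.g. a root sign-in
    without MFA is both ROOT_ACTIVITY and LOGIN_WITHOUT_MFA.
    """
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        ident = rec.get("userIdentity", {})
        actor = ident.get("userName") or ident.get("arn", "unknown")
        when = rec.get("eventTime", "?")
        where = rec.get("sourceIPAddress", "?")
        name = rec.get("eventName", "?")

        if ident.get("type") == "Root":
            findings.append(("ROOT_ACTIVITY", actor, when, where, name))
        if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append(("LOGIN_WITHOUT_MFA", actor, when, where, name))
        if rec.get("eventSource") == "cloudtrail.amazonaws.com" and name in AUDIT_TRAIL_CHANGES:
            findings.append(("AUDIT_TRAIL_CHANGED", actor, when, where, name))
    return findings


def summarize(findings):
    """Count findings by code, the one-line view for an incident record."""
    counts = {}
    for code, *_ in findings:
        counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    found = review_trail(SAMPLE_TRAIL)
    for code, actor, when, where, name in found:
        print(f"{when} {code:<20} {actor} from {where} ({name})")
    print(summarize(found))
```

    The trail-change check matters for the breach-notification timeline: if `StopLogging` appears, every event after its `eventTime` in that region may be missing, so "undue delay" has to be reckoned from the last event CloudTrail actually recorded, not from when the gap was noticed.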

  • How does AWS help me to protect my data against cyber-attacks?

    AWS gives customers and APN Partners a number of tools to secure their data and help protect against cyber-attacks. One such tool is AWS Shield. This is a managed Distributed Denial of Service (DDoS) protection service to safeguard websites and applications running on AWS. AWS Shield Standard is available at no additional charge and provides always-on detection and automatic inline mitigations that can minimize application downtime and latency. For higher levels of protection against attacks targeting web applications running on AWS and using ELB, Amazon CloudFront, and Amazon Route 53 resources, customers and APN Partners can subscribe to AWS Shield Advanced. AWS also publishes and routinely updates an 'AWS Best Practices for DDoS Resiliency' document that helps customers use AWS to build applications resilient to DDoS attacks.

    Other tools AWS has to help protect data against cyber-attacks include:

    • AWS Identity and Access Management (IAM) enables organizations to manage access to AWS services and resources securely. Using IAM, customers and APN Partners can create and manage AWS users and groups as well as use permissions to allow and deny access to AWS resources. IAM is a feature of AWS accounts offered at no additional charge.
    • AWS Config allows customers and APN Partners to enable prepackaged rules which help ensure that their AWS resources are in a properly configured and compliant state.
    • AWS CloudTrail allows organizations to log, continuously monitor, and retain information about account activity related to actions in AWS, which simplifies security analysis, resource change tracking, and troubleshooting (AWS CloudTrail is enabled on all AWS accounts by default).
    • Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized behavior to help protect AWS accounts and workloads. It monitors for activity that can indicate a possible account compromise, such as unusual API calls or potentially unauthorized deployments. GuardDuty also detects potentially compromised instances or reconnaissance by attackers.
    • Amazon Macie is a security service that uses machine learning to help customers and APN Partners by automatically discovering, classifying, and protecting sensitive data in AWS. This fully managed service continuously monitors data access activity for anomalies, and generates detailed alerts when it detects risk of unauthorized access or inadvertent data leaks, such as sensitive data that a customer has accidentally made externally accessible.

  • What tools are available to help me find personal data within my content on AWS?

    Amazon Macie is a security service that uses machine learning to help customers and APN Partners automatically discover, classify, and protect sensitive data in AWS. This fully managed service continuously monitors data access activity for anomalies, and generates detailed alerts when it detects risk of unauthorized access or inadvertent data leaks, such as access to sensitive data that has accidentally been made externally accessible. Macie is certified to internationally recognized standards, such as ISO 27017 for cloud security and ISO 27018 for cloud privacy. Customers and APN Partners can also use Macie to continuously monitor access to their data in order to detect suspicious activity based upon access patterns.

  • How can I control access to personal data within my content on AWS?

    To help customers and APN Partners with GDPR compliance, AWS has a number of tools to control access to personal data contained in their content on AWS. These tools include:

    • Security by default: AWS services are designed to be secure by default. If the default configuration is used, access to resources is locked down to just the account owner and root administrator.

    • AWS Identity and Access Management (IAM) enables customers and APN Partners to manage access to AWS services and resources securely. Using IAM, organizations can create and manage AWS users and groups as well as use permissions to allow and deny access to AWS resources. IAM is a feature of AWS accounts offered at no additional charge.
    • AWS Multi-Factor Authentication adds an extra layer of protection on top of an AWS account’s user name and password. AWS gives customers the option of virtual and hardware MFA devices.
    • AWS Directory Service allows customers and APN Partners to integrate and federate with corporate directories to reduce administrative overhead and improve end-user experience.
    • AWS Config allows customers and APN Partners to enable prepackaged rules which help ensure that their AWS resources are in a properly configured and compliant state.
    • AWS CloudTrail allows customers and APN Partners to log, continuously monitor, and retain information about account activity related to actions across their AWS infrastructure, which simplifies security analysis, resource change tracking, and troubleshooting.
    • Amazon Macie uses machine learning to help customers prevent data loss by automatically discovering, classifying, and protecting sensitive data in AWS. This fully managed service continuously monitors data access activity for anomalies, and generates detailed alerts when it detects risk of unauthorized access or inadvertent data leaks, such as sensitive data that a customer has accidentally made externally accessible.

  • How can I encrypt personal data held in AWS to prevent unauthorized access?

    AWS offers customers and APN Partners the ability to add an additional layer of security to their data at rest in the cloud and help them meet their security of processing obligations as data controllers under the GDPR. Encryption tools available on AWS include:

    • Data encryption capabilities available in AWS storage and database services, such as Amazon Elastic Block Store, Amazon S3, Amazon Glacier, Amazon DynamoDB, Oracle RDS, SQL Server RDS, and Redshift
    • Flexible key management options, including AWS Key Management Service, allowing the choice of whether to have AWS manage the encryption keys or enable customers to keep complete control over keys
    • Encrypted message queues for the transmission of sensitive data using server-side encryption (SSE) for Amazon SQS
    • Dedicated, hardware-based cryptographic key storage using AWS CloudHSM, allowing customers to satisfy compliance requirements

    In addition, AWS provides APIs for customers and APN Partners to integrate encryption and data protection with any of the services they develop or deploy in an AWS environment.

  • How does AWS handle delete instructions from customers?

    AWS services allow for the deletion of content by customers on demand, using the AWS Management Console, APIs, and other input methods. For more information about specific service functionality, please see https://aws.amazon.com/documentation.  

  • How can I prove to a data protection regulator that my use of AWS complies with GDPR?

    AWS offers helpful information to customers and APN Partners, including several compliance reports from third-party auditors, who have verified our compliance with a variety of computer security standards and regulations, to prove the high levels of compliance AWS maintains for its infrastructure. These reports show our customers and APN Partners that we are protecting the personal data they choose to process on AWS. Good examples of this are AWS's ISO 27001, 27017, and 27018 compliance. ISO 27018 contains security controls that focus on the protection of personal data. Details on AWS's ISO 27018 compliance can be found here: https://aws.amazon.com/compliance/iso-27018-faqs/

    AWS is also compliant with the CISPE Code of Conduct for data protection. CISPE is a coalition of cloud infrastructure (also known as Infrastructure as a Service) providers who offer cloud services to customers in Europe. The CISPE Code of Conduct helps cloud customers and APN Partners ensure that their cloud infrastructure provider is using appropriate data protection standards to protect their data consistent with the GDPR. A few key benefits of the Code include:

    • Clarifying who is responsible for what when it comes to data protection: The Code of Conduct explains the role of both the provider and the customer under the GDPR, specifically within the context of cloud infrastructure services.
    • The Code of Conduct sets out what principles providers should adhere to: The Code of Conduct outlines the actions and commitments that providers should undertake to comply with the GDPR and help customers and APN Partners comply.
    • The Code of Conduct gives customers and APN Partners the information, relating to data protection and data security, that they need to make decisions about compliance: The Code of Conduct requires providers to be transparent about the steps they are taking to deliver on their security commitments. These steps involve notifications relating to data breaches, data deletion, and third-party sub-processing, as well as law enforcement and governmental requests. Customers and APN Partners can use this information to gain a full understanding of the high levels of security provided.
