The European Union’s General Data Protection Regulation (GDPR) protects European Union data subjects' fundamental right to privacy and the protection of personal data. It introduces robust requirements that will raise and harmonize standards for data protection, security, and compliance.

AWS services will comply with the GDPR when it becomes enforceable on May 25, 2018.

In addition to our own compliance, AWS is committed to offering services and resources to our customers to help them comply with GDPR requirements that may apply to their activities. New features are launched regularly; AWS currently offers more than 500 features and services focused on security and compliance.

AWS provides specific features and services which customers can leverage as they seek to comply with the GDPR.


Access Control: Allow only authorized administrators, users and applications access to AWS resources

  • Multi-factor authentication (MFA)
  • Fine-grained access to objects in Amazon S3, Amazon SQS, and Amazon SNS
  • Authentication of every API request
  • Geo-restrictions
  • Temporary access tokens through AWS Security Token Service (AWS STS)

Monitoring and Logging: Get an overview of activity on your AWS resources

  • Asset management and configuration tracking with AWS Config
  • Auditing and security analytics with AWS CloudTrail
  • Detailed information about network traffic through Amazon VPC Flow Logs
  • Rule-based configuration checks and actions with AWS Config Rules
  • Filtering and monitoring of HTTP access to applications with AWS WAF on Amazon CloudFront

Encryption: Encrypt Data on AWS

  • Encryption of your data at rest with AES-256 (Amazon EBS, Amazon S3, Amazon Glacier, Amazon RDS)
  • Centralized key management with AWS KMS, scoped per AWS Region
  • IPsec VPN tunnels into your VPC through virtual private gateways
  • Dedicated hardware security modules in the cloud with AWS CloudHSM

The General Data Protection Regulation (GDPR) is a new European privacy law due to become enforceable on May 25, 2018. The GDPR will replace the EU Data Protection Directive, also known as Directive 95/46/EC, and is intended to harmonize data protection laws throughout the European Union (EU) by applying a single data protection law that is binding throughout each member state.

The GDPR applies to all organizations established in the EU and to organizations, whether or not established in the EU, that process the personal data of EU data subjects in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behavior that takes place within the EU. Personal data is any information relating to an identified or identifiable natural person.

The GDPR will replace the existing Data Protection Directive (Directive 95/46/EC). Beginning on May 25, 2018, the existing Data Protection Directive, and the national laws implementing it, will no longer apply.

AWS compliance, data protection, and security experts have been working with customers around the world to answer their questions and help them prepare for running workloads in the AWS Cloud after the GDPR becomes enforceable. These teams have also been reviewing everything that AWS already does to ensure it complies with the requirements of the new GDPR. We can confirm that all AWS services will comply with the GDPR when it becomes enforceable in May of 2018.

In addition, we have a new Data Processing Agreement (GDPR DPA) that will meet the requirements of the GDPR. This GDPR DPA is available now to all AWS customers to help them prepare for May 2018. For additional information on the GDPR DPA, or to obtain a copy, please contact your AWS Account Manager.

Recently, AWS also announced compliance with the CISPE Code of Conduct. The CISPE Code of Conduct helps cloud customers assess how their cloud infrastructure provider complies with its data protection obligations under the GDPR. AWS has declared that Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), Amazon Relational Database Service (Amazon RDS), AWS Identity and Access Management (IAM), AWS CloudTrail, and Amazon Elastic Block Store (Amazon EBS) are fully compliant with the CISPE Code. This provides customers with additional assurances regarding their ability to fully control their data in a safe, secure, and compliant environment when they use AWS. More detail on AWS' compliance with the CISPE Code of Conduct can be found at the website: https://cispe.cloud/

AWS continually maintains a high bar for security and compliance across all of our global operations. Security has always been our highest priority – truly "job zero." Our industry-leading security provides the foundation for our long list of internationally recognized certifications and accreditations, demonstrating compliance with rigorous international standards, such as ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1 and others. AWS also helps customers meet local security standards such as the BSI's Cloud Computing Compliance Controls Catalogue (C5), which is important in Germany.

AWS announced compliance with the CISPE Data Protection Code of Conduct. CISPE is a coalition of cloud infrastructure (also known as Infrastructure as a Service) providers who offer cloud services to customers in Europe. The CISPE Code of Conduct helps cloud customers ensure that their cloud infrastructure provider is using appropriate data protection standards to protect their data consistent with the GDPR. A few key benefits of the Code include:

  • Clarifying who is responsible for what when it comes to data protection: The Code of Conduct explains the role of both the provider and the customer under the GDPR, specifically within the context of cloud infrastructure services.
  • The Code of Conduct sets out what principles providers should adhere to: The Code of Conduct outlines the actions and commitments that providers should undertake to comply with the GDPR and help customers comply.
  • The Code of Conduct gives customers information, relating to data protection and data security, that they need to make decisions about compliance: The Code of Conduct requires providers to be transparent about the steps they are taking to deliver on their security commitments. These steps involve notifications relating to data breaches, data deletion, and third-party sub-processing, as well as law enforcement and governmental requests. Customers can use this information to gain a full understanding of the high levels of security provided.

For consideration of how AWS treats law enforcement requests, please see: "Addressing Data Residency with AWS"

One of the key aspects of the GDPR is that it creates consistency across EU member states on how personal data can be processed, used, and exchanged securely. Organizations will need to demonstrate the security of the data they are processing and their compliance with the GDPR on a continual basis, by implementing and regularly reviewing robust technical and organizational measures, as well as compliance policies.

AWS is already providing specific features and services which help customers to meet requirements of GDPR:
 

Access Control: Allow only authorized administrators, users and applications access to AWS resources

  • Multi-factor authentication (MFA)
  • Fine-grained access to objects in Amazon S3 buckets, Amazon SQS, Amazon SNS and other services
  • Authentication of every API request
  • Geo-restrictions
  • Temporary access tokens through AWS Security Token Service (AWS STS)
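The three access-control items above (fine-grained object access, MFA, and temporary STS credentials) meet in one IAM identity policy. The block below is an added example, not a policy from this page or AWS's own code: it grants a user object-level access to a single S3 prefix and explicitly denies every S3 call that is not backed by MFA, then runs a deliberately simplified evaluator over several callers to show what IAM would decide. The bucket, prefix and object names are invented; the evaluator models only the IAM semantics this policy uses (explicit Deny beats Allow, implicit Deny by default, `*` and `?` wildcards, the Bool, BoolIfExists, StringEquals and StringLike operators), and AWS performs the real evaluation.

```python
"""Added example: MFA-gated, prefix-scoped S3 access as an IAM identity policy,
plus a simplified evaluator. Not AWS code; names are hypothetical."""
import copy
import fnmatch

BUCKET = "example-hr-records"   # hypothetical bucket holding personal data
PREFIX = "pii/"                 # hypothetical prefix the user may touch

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Listing is allowed only for keys under the prefix
            "Sid": "ListPiiPrefixOnly",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{BUCKET}",
            "Condition": {"StringLike": {"s3:prefix": [f"{PREFIX}*"]}},
        },
        {   # Object-level read/write, scoped to the prefix
            "Sid": "ObjectAccessInPrefix",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/{PREFIX}*",
        },
        {   # Explicit Deny for any S3 call not backed by MFA. BoolIfExists also
            # denies when the key is absent (long-term access keys); plain Bool
            # would silently let those requests through.
            "Sid": "DenyS3WithoutMFA",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, ctx):
    """True when every operator/key pair matches the request context. A missing
    key fails Bool/String* but passes the ...IfExists variants, as in IAM."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        for key, allowed in pairs.items():
            if key not in ctx:
                if if_exists:
                    continue
                return False
            actual, wanted = str(ctx[key]), [str(v) for v in _as_list(allowed)]
            if base == "Bool":
                ok = actual.lower() in [w.lower() for w in wanted]
            elif base == "StringEquals":
                ok = actual in wanted
            elif base == "StringLike":
                ok = any(fnmatch.fnmatchcase(actual, w) for w in wanted)
            else:
                raise ValueError(f"operator {operator} is not modelled here")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'Allow' or 'Deny' for one request against one identity policy."""
    decision = "Deny"  # implicit deny until an Allow statement applies
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]  # actions are case-insensitive
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow
        decision = "Allow"
    return decision


def demo():
    """Same policy, different callers; the value is what IAM would decide."""
    obj = f"arn:aws:s3:::{BUCKET}/{PREFIX}employee-42.json"
    outside = f"arn:aws:s3:::{BUCKET}/public/logo.png"
    mfa = {"aws:MultiFactorAuthPresent": "true"}      # STS session obtained with an MFA code
    no_mfa = {"aws:MultiFactorAuthPresent": "false"}  # session without MFA
    return {
        "mfa_session_reads_pii": evaluate(POLICY, "s3:GetObject", obj, mfa),
        "mfa_session_reads_outside_prefix": evaluate(POLICY, "s3:GetObject", outside, mfa),
        "mfa_session_lists_prefix": evaluate(POLICY, "s3:ListBucket", f"arn:aws:s3:::{BUCKET}",
                                             {**mfa, "s3:prefix": "pii/2018"}),
        "session_without_mfa": evaluate(POLICY, "s3:GetObject", obj, no_mfa),
        "long_term_access_key": evaluate(POLICY, "s3:GetObject", obj, {}),  # key absent
    }


def demo_with_plain_bool():
    """The common mistake: with Bool instead of BoolIfExists, long-term keys pass."""
    weak = copy.deepcopy(POLICY)
    weak["Statement"][2]["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "false"}}
    return evaluate(weak, "s3:GetObject", f"arn:aws:s3:::{BUCKET}/{PREFIX}employee-42.json", {})


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:34s} {result}")
    print(f"{'long_term_key_with_plain_Bool':34s} {demo_with_plain_bool()}")
```

The last function is the caveat worth remembering: `aws:MultiFactorAuthPresent` is simply absent from requests signed with long-term access keys, so a Deny written with `Bool` never fires for them and only `BoolIfExists` closes that gap. Attach the policy to an IAM user or role and pair it with STS temporary credentials (GetSessionToken or AssumeRole with an MFA serial) so that day-to-day access to the prefix is only possible from an MFA-backed session.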

 

Monitoring and Logging: Get an overview of activity on your AWS resources

  • Asset management and configuration tracking with AWS Config
  • Compliance auditing and security analytics with AWS CloudTrail
  • Identification of security misconfigurations and best-practice gaps through AWS Trusted Advisor
  • Fine-grained logging of access to Amazon S3 objects
  • Detailed information about network traffic through Amazon VPC Flow Logs
  • Rule-based configuration checks and actions with AWS Config Rules
  • Filtering and monitoring of HTTP access to applications with AWS WAF on Amazon CloudFront

 

Encryption: Encrypt Data on AWS

  • Encryption of your data at rest with AES-256 (Amazon EBS, Amazon S3, Amazon Glacier, Amazon RDS)
  • Centralized key management with AWS KMS, scoped per AWS Region
  • IPsec VPN tunnels into your VPC through virtual private gateways
  • Dedicated hardware security modules in the cloud with AWS CloudHSM

 

Strong Compliance Framework and Security Standards:

  • ISO 27001/9001 certified
  • ISO 27017/27018 certified
  • Cloud Computing Compliance Controls Catalog (C5 - German Government-backed attestation scheme)
  • AWS, alongside auditor TÜV TRUST IT, has published a Customer Certification Workbook that provides guidance on achieving German BSI IT Grundschutz compliance in the Cloud

Although it will not become enforceable until May 2018, we are encouraging our customers and partners to start preparing for the GDPR now. For those that have already implemented a high bar for compliance, security, and data privacy, the move to GDPR should be simple. For those who are yet to start their journey to GDPR compliance, we urge you to start reviewing your security, compliance, and data protection processes now to ensure a smooth transition in May 2018. Here are some of the key points that you should consider for GDPR compliance:

Territorial Reach: Determining whether the GDPR applies to an organization's activities is the first step toward satisfying its compliance obligations. The GDPR applies to all organizations that are established in the EU. However, depending on your activities, the GDPR may also apply to you if you are established outside the EU.

Data Subject Rights: The GDPR enhances the rights of data subjects in a number of ways. For example, data subjects have the right to object to the processing of their data and they have the right to data portability. You will need to make sure you can accommodate the rights of data subjects if you are processing their personal data.

Data Breach Notifications: If you are a data controller, you will need to report data breaches to the data protection authorities without undue delay. Using AWS gives you control over how you want to process personal data and protect it. This gives you the ability to monitor your own environment for privacy breaches and to notify regulators and affected individuals as required under the GDPR. In addition, AWS will notify you without undue delay if we are aware of a breach of our security standards relating to the AWS network.

Data Protection Officer (DPO): You may need to appoint a DPO, who will be responsible for monitoring your compliance with the GDPR and for other matters relating to the processing of personal data.

Data Protection Impact Assessment (DPIA): You may need to conduct, and in some circumstances you may be required to file with the supervisory authority, a DPIA for your processing activities. This will need to identify your data handling procedures and processes, as well as the controls in place to protect personal data.

Data Processing Agreement (DPA): You may need a DPA that will meet the requirements of the GDPR, particularly if personal data is transferred outside the EEA. AWS offers customers a GDPR DPA that is available on request to help customers prepare for May 2018.

AWS offers a wide range of services and specific service features which help customers to meet requirements of the GDPR, including services for access controls, monitoring, logging and encryption. More information on these can be found in the section above, "What services does AWS offer customers to help them comply with the GDPR?"

We also have teams of compliance, data protection, and security experts, as well as AWS Partner Network Partners, working with customers across Europe to answer their questions and help them prepare for running workloads in the cloud after the GDPR becomes enforceable. For additional information on this, please contact your AWS Account Manager.

Yes. For more information on how customers can enter into the AWS Data Processing Addendum, please visit here (sign-in required).

The Article 29 Working Party has approved the AWS Data Processing Addendum, which includes the Model Clauses. The Article 29 Working Party has found that the AWS Data Processing Addendum meets the requirements of the Directive with respect to Model Clauses. This means that the AWS Data Processing Addendum is not considered “ad hoc”. For more detail on the approval of the AWS Data Processing Addendum from the Article 29 Working Party, please visit: https://cnpd.public.lu/en/actualites/international/2015/03/AWS.html

The Luxembourg Data Protection Authority (the CNPD) acted as the lead authority on behalf of the Article 29 Working Party in accordance with procedure of the Article 29 Working Party.

The Standard Contractual Clauses (also known as "model clauses") are a set of standard provisions defined and approved by the European Commission that can be used to enable personal data to be transferred in a compliant way by a data controller to a data processor outside the European Economic Area.

Data Privacy

Customers control their customer content. With AWS, customers:

  • Determine where their customer content will be stored, including the type of storage and geographic region of that storage.
  • Choose the secured state of their customer content. We offer customers strong encryption for customer content in transit or at rest, and we provide customers with the option to manage their own encryption keys.
  • Manage access to their customer content and AWS services and resources through users, groups, permissions and credentials that customers control.

Security by Design

The Security by Design (SbD) approach is meant to achieve the following:

  • Forcing functions that cannot be overridden by users who are not permitted to modify them.
  • Reliable operation of controls.
  • Continuous, real-time auditing.
  • Expressing your governance policy as code, so that it is applied consistently and repeatably.

EU Data Protection

GDPR is the biggest change in data protection laws in Europe since the introduction of the EU Data Protection Directive, in 1995. It aims to strengthen the security and protection of personal data in the EU, and harmonize EU data protection law. GDPR will replace the EU Data Protection Directive, as well as all local laws relating to it.


Certifications & Programs

AWS alignment with ISO 27018 has been validated by an independent third-party assessor. ISO 27018 is the first international code of practice that focuses on protection of personal data in the cloud. It is based on the ISO 27002 information security standard and provides implementation guidance on ISO 27002 controls applicable to Personally Identifiable Information (PII) processed by public cloud service providers. This validation shows customers that AWS has a system of controls in place reflecting its commitment to the privacy and protection of customer content.


Define standards and best practices for your applications and validate adherence to these standards.


To help you get started quickly, Amazon Inspector includes a knowledge base of hundreds of rules mapped to common security best practices and vulnerability definitions. Examples of built-in rules include checking for remote root login being enabled, or vulnerable software versions installed. These rules are regularly updated by AWS security researchers.


Continuously monitor your AWS accounts and workloads for malicious or unauthorized behavior.

Enabled with a few clicks in the AWS Management Console, Amazon GuardDuty can immediately begin analyzing billions of events across your AWS accounts for signs of risk. GuardDuty identifies suspected attackers through integrated threat intelligence feeds and uses machine learning to detect anomalies in account and workload activity. When a potential threat is detected, the service delivers a detailed security finding to the GuardDuty console and Amazon CloudWatch Events. This makes findings actionable and easy to integrate into existing event management and workflow systems.


Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.


AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users. IAM is a feature of your AWS account offered at no additional charge; you are charged only for the use of other AWS services by your users.

Related talk: AWS Summit Tel Aviv 2017, "Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations"

Easily create and control the keys used to encrypt your data.


AWS Key Management Service (KMS) is a managed service that lets you create and control the encryption keys used to encrypt your data, and uses Hardware Security Modules (HSMs) to protect those keys. AWS KMS is integrated with several other AWS services to help you protect the data you store with them. AWS KMS is also integrated with AWS CloudTrail to provide you with logs of all key usage, which helps meet your regulatory and compliance needs.


Data Sovereignty

Keys are stored and used only in the AWS Region in which they are created; they cannot be transferred to another Region. For example, keys created in the EU (Frankfurt) Region, eu-central-1, are stored and used only within that Region.

Built-in Auditing

AWS Key Management Service works with AWS CloudTrail to provide you with logs of API calls made to or by KMS. These logs help you meet compliance and regulatory requirements by providing details of when keys were accessed and who accessed them.
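The monitoring list earlier on this page and the KMS auditing paragraph above both come down to reading CloudTrail records. The following is an added example, not AWS's own code: it parses one CloudTrail log file offline, answers the "when was the key accessed and by whom" question for each KMS key, and flags three events a GDPR reviewer would want a human to look at (a console sign-in without MFA, a denied KMS Decrypt, and an object read from a bucket holding personal data). The four records are constructed to follow the CloudTrail record schema with its real field names, while the account ID, ARNs, key ID, addresses, user names and timestamps are invented; in production the `Records` array comes from the gzipped log objects CloudTrail delivers to S3, and the S3 `GetObject` record only appears if CloudTrail data events are enabled for that bucket.

```python
"""Added example: offline triage of a CloudTrail log file for KMS key usage and
GDPR-relevant findings. Not AWS code; all identifiers are hypothetical."""
import json
from collections import defaultdict

ACCOUNT = "123456789012"                     # hypothetical account
PII_BUCKET = "example-hr-records"            # hypothetical bucket with personal data
KEY_ARN = (f"arn:aws:kms:eu-central-1:{ACCOUNT}:key/"
           "11111111-2222-3333-4444-555555555555")   # hypothetical Frankfurt key

# Constructed sample: one CloudTrail log file with four records.
LOG_FILE = json.dumps({"Records": [
    {   # Console sign-in that did not use MFA
        "eventTime": "2018-02-01T08:00:12Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
        "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # Routine Decrypt by an application role session
        "eventTime": "2018-02-01T08:05:40Z", "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt", "awsRegion": "eu-central-1", "sourceIPAddress": "10.0.1.25",
        "userIdentity": {"type": "AssumedRole",
                         "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/PayrollApp/i-0abc"},
        "resources": [{"ARN": KEY_ARN, "accountId": ACCOUNT}],
    },
    {   # Decrypt refused by the key policy
        "eventTime": "2018-02-01T09:17:03Z", "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt", "awsRegion": "eu-central-1", "sourceIPAddress": "198.51.100.9",
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
        "errorCode": "AccessDenied", "resources": [{"ARN": KEY_ARN, "accountId": ACCOUNT}],
    },
    {   # S3 data event: object read from the bucket holding personal data
        "eventTime": "2018-02-01T09:30:55Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "awsRegion": "eu-central-1", "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
        "requestParameters": {"bucketName": PII_BUCKET, "key": "pii/employee-42.json"},
    },
]})


def load_records(text):
    """Parse one CloudTrail log file (a JSON object with a 'Records' array)."""
    return json.loads(text)["Records"]


def key_usage(records):
    """Map each KMS key ARN to (time, principal, operation, outcome) tuples:
    the 'when was the key accessed and by whom' question."""
    usage = defaultdict(list)
    for r in records:
        if r.get("eventSource") != "kms.amazonaws.com":
            continue
        for res in r.get("resources", []):
            if ":key/" in res.get("ARN", ""):
                usage[res["ARN"]].append((r["eventTime"], r["userIdentity"]["arn"],
                                          r["eventName"], r.get("errorCode", "Success")))
    return dict(usage)


def findings(records, pii_buckets=(PII_BUCKET,)):
    """Return (finding, principal, time) for the events worth a human look."""
    out = []
    for r in records:
        who, when = r.get("userIdentity", {}).get("arn", "?"), r["eventTime"]
        if (r.get("eventName") == "ConsoleLogin"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and r.get("additionalEventData", {}).get("MFAUsed") == "No"):
            out.append(("CONSOLE_LOGIN_WITHOUT_MFA", who, when))
        if r.get("eventSource") == "kms.amazonaws.com" and r.get("errorCode") == "AccessDenied":
            out.append(("KMS_ACCESS_DENIED", who, when))
        if (r.get("eventSource") == "s3.amazonaws.com"
                and r.get("requestParameters", {}).get("bucketName") in pii_buckets):
            out.append(("PII_BUCKET_OBJECT_ACCESS", who, when))
    return out


if __name__ == "__main__":
    recs = load_records(LOG_FILE)
    for key, rows in key_usage(recs).items():
        print(key)
        for row in rows:
            print("   ", *row)
    for finding in findings(recs):
        print(*finding)
```

The same `findings` logic is what you would express as a CloudWatch Logs metric filter or an Amazon CloudWatch Events rule once the trail is delivering to CloudWatch Logs; running it as a script against the S3-delivered files is useful for after-the-fact review, and `key_usage` gives the per-key access history a DPIA or an auditor typically asks for. Note that the Decrypt by `PayrollApp` is an EC2 instance role session, for which `mfaAuthenticated` is legitimately absent, so the script does not treat non-MFA KMS calls by roles as findings.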
