This Guidance provides a data anonymization capability that enables you to discover and protect sensitive data as it is stored and processed. For example, you can use this capability to anonymize national ID numbers, trade data, and healthcare information.
Note: [Disclaimer]
Architecture Diagram
[Architecture diagram description]
Step 1
Within AWS Organizations, enable Amazon GuardDuty, AWS Security Hub, Amazon Macie, and AWS Key Management Service (AWS KMS) for your home and operational AWS Regions.
Step 2
Configure GuardDuty and Security Hub in your home and operational Regions to provide comprehensive threat monitoring, centralize security incident management, and help achieve compliance with AWS security best practices and industry standards.
Step 3
Set up Macie in your home and operational Regions to identify sensitive data in your specific accounts or in Amazon Simple Storage Service (Amazon S3) buckets.
Step 4
Use AWS KMS to create and control cryptographic keys, facilitating secure data encryption across your AWS services.
Step 5
Use AWS Identity and Access Management (IAM) Identity Center to securely manage access to AWS resources by making sure that only authorized personnel and services can perform anonymization tasks and access anonymized data.
Step 6
Send relevant logs to a centralized log storage bucket for compliance retention and analysis.
Step 7
Use AWS Glue to orchestrate extract, transform, and load (ETL) workflows that prepare and transform data for anonymization, using its built-in personally identifiable information detection feature to automatically identify and redact sensitive information.
Step 8
Optionally, if you have your own scripts, use AWS Lambda to implement them and AWS Step Functions to orchestrate the workflows to seamlessly implement tasks and coordinate processes.
Step 9
Use Amazon S3 as a data lake for storing both raw and anonymized data.
Step 10
Use Amazon Redshift to store and manage structured, anonymized data in a data warehouse, enabling efficient querying and analysis while integrating with your data lake.
Step 1
Within AWS Organizations, enable Amazon GuardDuty, AWS Security Hub, Amazon Macie, and AWS Key Management Service (AWS KMS) for your home and operational AWS Regions.
Step 2
Configure GuardDuty and Security Hub in your home and operational Regions to provide comprehensive threat monitoring, centralize security incident management, and help achieve compliance with AWS security best practices and industry standards.
Step 3
Set up Macie in your home and operational Regions to identify sensitive data in your specific accounts or in Amazon Simple Storage Service (Amazon S3) buckets.
Step 4
Use AWS KMS to create and control cryptographic keys, facilitating secure data encryption across your AWS services.
Step 5
Use AWS Identity and Access Management (IAM) Identity Center to securely manage access to AWS resources by making sure that only authorized personnel and services can perform anonymization tasks and access anonymized data.
Step 6
Send relevant logs to a centralized log storage bucket for compliance retention and analysis.
Step 7
Use AWS Glue to orchestrate extract, transform, and load (ETL) workflows that prepare and transform data for anonymization, using its built-in personally identifiable information detection feature to automatically identify and redact sensitive information.
Step 8
Optionally, if you have your own scripts, use AWS Lambda to implement them and AWS Step Functions to orchestrate the workflows to seamlessly implement tasks and coordinate processes.
Step 9
Use Amazon S3 as a data lake for storing both raw and anonymized data.
Step 10
Use Amazon Redshift to store and manage structured, anonymized data in a data warehouse, enabling efficient querying and analysis while integrating with your data lake.
Implementation Resources
In today’s data-centric society, data anonymization is a critical step in protecting privacy and achieving compliance. It entails changing personal identifiers in a dataset, making it harder to track the data back to its original source. Data anonymization techniques help you keep the data’s utility while significantly reducing privacy issues. These techniques can enable your business to openly share and analyze data, facilitating improved cooperation and smart decision-making while helping you meet privacy requirements.
The data anonymization capability works as a bridge between harnessing data potential and conforming to privacy requirements in contexts where data is a valued commodity. This Guidance is not only about using the technology but also about fostering a culture of trust and appropriate data handling. Ensuring that anonymization procedures correspond effectively with legal requirements and organizational goals requires collaborative effort and shared responsibility among technical, legal, and governance teams.
Disclaimer
The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.
References to third-party services or organizations in this Guidance do not imply an endorsement, sponsorship, or affiliation between Amazon or AWS and the third party. Guidance from AWS is a technical starting point, and you can customize your integration with third-party services when you deploy the architecture.