In May 2018, the General Data Protection Regulation (GDPR) became enforceable. Although it is a European Union regulation, it also applies to organizations outside the EU that store or process the personal data of individuals located in the EU, regardless of where the organization or its servers are based.
If you use Amazon Web Services, you already know about many of the common security issues that can arise if you're not on top of your game. GDPR adds a new set of obligations and potential pitfalls, even for companies that aren't based in the EU. AWS has taken steps to support GDPR compliance on its side, but because it operates under a shared responsibility model, you remain responsible for compliance of everything you build and run on top of it. With Threat Stack, you can secure your AWS infrastructure and uphold your end of the shared responsibility arrangement without slowing down DevOps. In addition, our intrusion detection platform helps you meet GDPR obligations by giving you observability throughout your infrastructure.
In this post, we discuss the steps AWS has taken toward GDPR compliance and what you still need to do to bring your own infrastructure and systems into compliance.
AWS is Ready and Compliant With the GDPR
According to Amazon's Chad Woolf, AWS features and tools comply with the GDPR, and customers can use a variety of AWS services to support their own GDPR compliance. There are some things you should know, however. AWS publishes a Service Capabilities Chart for GDPR that rates each service on three capabilities: encryption of personal data, deletion of personal data, and monitoring of processing. Most services support all three, but some support only one or two. At the time of writing, Amazon Elastic Container Service (ECS), Amazon Elastic Kubernetes Service (EKS), Amazon CloudSearch, and Amazon ElastiCache for Memcached are listed for deletion and monitoring of processing but not for encryption, while Amazon Comprehend is listed only for encryption. Check the chart for the current rating of each service you rely on, because a service that cannot encrypt or delete data on your behalf leaves that part of the job to you.
In addition to the compliance status of its services, AWS offers several services that can help you on your own path to compliance, including:
- Amazon GuardDuty: Analyzes AWS CloudTrail events, VPC Flow Logs, and DNS logs, and correlates them with threat intelligence to flag potentially malicious activity such as connections to known-bad IP addresses.
- Amazon Macie: Uses machine learning to help you discover, classify, and protect personal data stored in Amazon S3.
- Amazon Inspector: Runs automated assessments of your EC2-hosted applications for known vulnerabilities and deviations from security best practices. It does not certify GDPR compliance by itself, but its findings feed the vulnerability management GDPR's security requirements expect.
- AWS Config Rules: Continuously evaluates the configuration of your AWS resources against rules you define, so you can detect drift from your security and data-protection policies.
Amazon Web Services is CISPE Code of Conduct Compliant
Amazon Web Services conforms to the CISPE (Cloud Infrastructure Services Providers in Europe) Code of Conduct. This matters because the CISPE code lets cloud customers verify that their provider has the data protection controls, policies, and standards needed to protect personal data in a way that supports the customer's own GDPR compliance; it also commits the provider to processing customer data only on the customer's instructions and to offering the option of keeping data exclusively within the EU. Several AWS services have been declared compliant with the CISPE code, including:
- Amazon EC2
- Amazon Elastic Block Store (EBS)
- Amazon RDS
- Amazon S3
- AWS CloudTrail
- AWS Identity and Access Management
Beyond the CISPE Code of Conduct, AWS holds several certifications and attestations that can familiarize you with its data privacy and security controls, such as:
- The German BSI's C5 (Cloud Computing Compliance Controls Catalogue)
- ISO 27017 (cloud security controls)
- ISO 27018 (protection of personal data in the cloud)
- SOC 1, SOC 2, and SOC 3 reports
- PCI DSS Level 1 service provider
How AWS Helps You Be GDPR Compliant
According to Stephen Schmidt, Amazon has always been ready for the GDPR, having made AWS security a top priority. When the GDPR was being drafted, Amazon began working toward compliance not just in Europe but in every region it serves. Schmidt says AWS is designed to be the most versatile, secure, and powerful cloud computing environment available today.
AWS also provides the contractual basis you need for GDPR compliance when you process personal data on its infrastructure. The AWS GDPR Data Processing Addendum (DPA) sets out AWS's commitments as a processor under Article 28 and is incorporated into the AWS Service Terms, so every customer is covered without having to negotiate a separate agreement.
AWS also has compliance experts, security experts, and data protection specialists who can answer your questions, particularly about how to run workloads on AWS in a way that meets GDPR requirements.
AWS Shares the Responsibility With You
Under the GDPR, an organization acts as a data controller (deciding why and how personal data is processed) or a data processor (processing personal data on a controller's behalf), and each role carries its own obligations. For the data you store and process on AWS, AWS acts as a data processor: it is responsible for the security of the cloud, meaning the physical facilities, hardware, networking, and virtualization layers that host your applications and data.
You are responsible for security in the cloud: the operating systems, applications, data, access controls, and encryption you configure on top of that infrastructure. Typically you are the data controller for that data, but if you process personal data on behalf of your own customers, you act as both a controller and a processor and carry the obligations of each. AWS provides features and tools that help you meet those responsibilities, but it does not meet them for you.
Important Steps for AWS GDPR Compliance
While AWS is designed to be ready for the GDPR, you still need to do the following to be GDPR compliant:
- Determine whether the GDPR applies to your organization and the data you store. If it does, you need to be able to honor the rights of your data subjects, including access, rectification, erasure, and data portability, which in practice means knowing where personal data lives in your systems and being able to find, export, and delete it on request.
- Determine whether you are a data controller or a processor. As a controller, you are responsible for notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it, and for notifying affected individuals when the breach is likely to result in a high risk to them. As a processor, you must notify the controller without undue delay. Either way, you need logging and detection in place that lets you discover a breach and establish what happened within that window.
- Appoint a data protection officer (DPO) where the GDPR requires one, which includes public authorities and organizations whose core activities involve large-scale systematic monitoring of individuals or large-scale processing of special categories of data. Even where it is not required, naming someone to own data protection issues is good practice.
- Conduct a Data Protection Impact Assessment (DPIA) for processing that is likely to result in a high risk to individuals, to identify and reduce data protection risks before processing begins. Separately, you need a data processing agreement with every processor that handles personal data for you (the AWS DPA covers AWS), and if you transfer personal data outside the European Union, you need an approved transfer mechanism for that transfer.
GDPR is one of the most stringent frameworks we've seen, and it's easy to feel overwhelmed by its requirements. A comprehensive intrusion detection platform like Threat Stack's Cloud Security Platform® can help you achieve, demonstrate, and document compliance with GDPR, as well as other frameworks such as PCI DSS, HIPAA, SOC 2, and ISO 27001. To learn more about how Threat Stack can get you up to speed, check out our GDPR microsite, and feel free to sign up for a demo.