Navigating GDPR Compliance on AWS

Amazon has published an excellent whitepaper about navigating GDPR compliance on AWS, it’s 30 pages long and if you have the time, I recommend you read it.

For those of you who aren’t going to read it because you’re too busy working on growing your business (as you definitely should), I read and summarized it for you (check out the summary table).

‍

Compliance

• All AWS services can be used in compliance with the GDPR.
• The AWS GDPR DPA is incorporated into the AWS Service Terms and applies automatically to all customers globally who require it to comply with the GDPR.
• AWS Artifact is a no-cost, self-service portal for on-demand access to AWS compliance reports. Customers can take advantage of internationally recognized certifications and accreditations, such as ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1, and others.

‍

Action Items

1. AWS Identity and Access Management (IAM)

• Don’t use the root account for day-to-day operations, created dedicated IAM users, roles, and permissions while applying the least privilege principle.
• Use IAM Access Analyzer to discover any blind spots and policy misconfigurations that may expose your internal resources to the world.
• Use Access Analyzer for S3 to review your S3 buckets and block public access (unless you have a specific business need for such a use case).
• Check and update your IAM policies to remove unused permissions.
  
  

2. Temporary Access Tokens Through AWS STS

• Use the AWS Security Token Service (AWS STS) to create and provide trusted users with temporary security credentials that grant access to your AWS resources.
• Temporary security credentials are for short-term use (from 15 minutes to 12 hours).
• After temporary security credentials expire, they cannot be reused.
  
  

3. Multi-Factor-Authentication

• Enable multi-factor authentication (MFA) for your AWS account, individual IAM users, and service APIs.
• Configure MFA Delete to control changes in the versioning state of a bucket and permanently delete an object version.
  
  

4. Access to AWS Resources

• Apply granular access to your AWS resources, you can grant different levels of permissions to different people for different resources using IAM identity-based policies.
  
  

5. Defining Boundaries for Regional Services Access

• Disable AWS regions that you don’t require for your business.
  
  

6. Control Access to Web Applications and Mobile Apps

• Use Amazon Cognito to manage data access control to your web applications and mobile apps for your users, including multi-factor authentication (MFA), and adaptive (risk-based) authentication.
  
  

7. Manage and Configure Assets with AWS Config

• Enable AWS Config to keep an inventory of your AWS resources, and evaluate their configurations.
  
  

8. Compliance Auditing and Security Analytics

• Enable AWS CloudTrail to monitor your AWS account activity (users, services, and APIs).
• Combine CloudTrail logs from multiple regions and AWS accounts into a single Amazon S3 bucket with restricted access in an AWS account designated for logging (Log Archive) to prevent their deletion.
• Encrypt the logs at rest using Server-Side Encryption with Amazon S3-managed encryption keys (SSE-S3) or AWS KMS–managed keys (SSE-KMS).
• Validate the integrity of log files using SHA-256 for hashing and SHA-256 with RSA for digital signing.
• Use the same Log Archive account to centralize logs from other sources, such as CloudWatch Logs and AWS load balancers.
• Configure a Security Information and Event Management (SIEM) solution to ingest and analyze your logs, and alert you about any abnormal activity.
  
  

9. Collecting and Processing Logs

• Enable and monitor Amazon CloudWatch logs for all supported AWS services.
• Configure data retention policy for all logs (by default, CloudWatch logs are kept indefinitely and never expire).
  
  

10. Discovering and Protecting Data at Scale with Amazon Macie

• Enable Amazon Macie to identify and protect sensitive data (PII) across your S3 buckets.
  
  

11. Centralized Security Management

• Use AWS Control Tower to set up and govern secure, multi-account AWS environments.
• Enable AWS Security Hub to monitor and prioritizes security and compliance findings from across AWS accounts and services.
• Enable Amazon GuardDuty to enrich your logs with threat intelligence data, and identify unexpected and potentially unauthorized, and malicious activity within your AWS environment.
• Enable Amazon Inspector to run automated security assessments (vulnerability scans) of applications deployed on Amazon EC2 instances and your container images on Amazon ECR.
• Configure Amazon CloudWatch Events to automate incident response to security events and findings across multiple AWS accounts.
• Use AWS Organizations to centrally manage and govern multi-account environments on AWS.
• Use AWS Systems Manager to manage and automate operational tasks across your AWS infrastructure (e.g., software deployments, operational alerts, software inventory, and patch compliance status).
  
  

12. Encrypt Data at Rest

• Encrypting data at rest is vital for regulatory compliance and data protection.
• Encrypt Amazon EBS volumes and configure Amazon S3 buckets for Server-Side Encryption (SSE) using AES-256 encryption.
• Encrypt files on EC2 instance stores by using either Disk-level encryption or filesystem-level encryption.
  
  

13. Encrypt Data in Transit

• Encrypt data in transit from one system to another, including resources within and outside of AWS.
• Configure a VPN to protect communication between your Amazon VPC and your corporate data center.
• Use HTTPS endpoints (TLS) for communicating with Amazon API Gateway, and distributing content through Amazon CloudFront (CDN).
• Use the AWS Certificate Manager (ACM) service to generate, manage, and deploy the private and public certificates for your Elastic Load Balancers.
  
  

14. Encryption Tools

• AWS offers four primary tools for cryptographic operations:

1. AWS Key Management Service (AWS KMS) is an AWS-managed service that generates and manages both root keys and data keys. AWS KMS is integrated with many AWS services to provide server-side encryption of data using AWS KMS keys from customer accounts. AWS KMS Hardware Security Modules (HSMs) are FIPS 140-2 Level 2 validated.
2. AWS CloudHSM provides HSMs that are FIPS 140-2 Level 3 validated. They securely store a variety of your self-managed cryptographic keys, including KMS keys and data keys.
3. AWS Encryption SDK provides a client-side encryption library for implementing encryption and decryption operations on all types of data.
4. Amazon DynamoDB Encryption Client provides a client-side encryption library for encrypting data tables before sending them to a database service, such as Amazon DynamoDB.
   
   

Contact Us

Don’t lose deals with corporate customers due to security and compliance issues, let our Cybersecurity experts verify that your AWS environment is secure and compliant. Contact us at hello@iothreat.com
‍