GDPR 2016 - AWS Audit Manager

GDPR 2016

AWS Audit Manager provides a prebuilt standard framework that supports the General Data Protection Regulation (GDPR) 2016.

This framework contains only manual controls. These manual controls don't collect evidence automatically. However, if you want to automate evidence collection for some controls under GDPR, you can use the custom control feature in Audit Manager. For more information, see Using this framework.

What is the GDPR?

The GDPR is a European privacy law that became enforceable on May 25, 2018. The GDPR replaces the EU Data Protection Directive, also known as Directive 95/46/EC. It's intended to harmonize data protection laws throughout the European Union (EU). It does this by applying a single data protection law that's binding throughout each EU member state.

The GDPR applies to all organizations that are established in the EU and to organizations (no matter whether they were established in the EU) that process the personal data of EU data subjects in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behavior that takes place within the EU. Personal data is any information that relates to an identified or identifiable natural person.

You can find the GDPR framework in the framework library page of Audit Manager. For more information, see the General Data Protection Regulation (GDPR) Center.

Using this framework

You can use the GDPR 2016 framework in Audit Manager to help you prepare for audits.

The framework details are as follows:

Framework name in AWS Audit Manager: General Data Protection Regulation (GDPR) 2016
Number of automated controls: 0
Number of manual controls: 378
Number of control sets: 10

You can find the GDPR 2016 framework under the Standard frameworks tab of the framework library in Audit Manager. For more information, see Using the framework library to manage frameworks in AWS Audit Manager. This standard framework contains manual controls only.

Note

If you want to automate evidence collection for GDPR, you can use Audit Manager to create your own custom controls for GDPR. The following table provides recommendations on the AWS data sources that you can map to GDPR requirements in your custom controls. Although some of the following data sources are mapped to multiple controls, keep in mind that you're charged only once for each resource assessment.

The following recommendations use AWS Config and AWS Security Hub as data sources. To successfully collect evidence from these data sources, make sure that you've followed the instructions to enable and set up AWS Config and AWS Security Hub in your AWS account. After both services are set up in this way, Audit Manager collects evidence each time an evaluation occurs for the specified AWS Config rule or Security Hub control.

For each GDPR control, the following entries give the control name, the control set it belongs to, and the recommended control data source mapping.

Control name: Article 25 Data protection by design and by default.1

Control set: Chapter 4 - Controller and Processor

Recommended control data source mapping:

You can create a custom control in AWS Audit Manager that supports this GDPR control.

When you specify the control details, enter the following under Testing information:

  • Show all root account events over term

  • AWS CloudTrail bucket not public

  • Show all policies with an Allow:*:* and list all principals and services using those policies

When you set up the control data sources, we recommend that you include all of the following as data sources:

Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:

Choose AWS Security Hub as the data source type, and select the following Security Hub controls as data source mappings:

Control name: Article 25 Data protection by design and by default.2

Control set: Chapter 4 - Controller and Processor

Recommended control data source mapping:

You can create a custom control in AWS Audit Manager that supports this GDPR control.

When you specify the control details, enter the following under Testing information:

  • Show all root account events over term

  • AWS CloudTrail bucket not public

  • Show all policies with an Allow:*:* and list all principals and services using those policies

When you set up the control data sources, we recommend that you include all of the following as data sources:

Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:

Choose AWS Security Hub as the data source type, and select the following Security Hub controls as data source mappings:

Control name: Article 25 Data protection by design and by default.3

Control set: Chapter 4 - Controller and Processor

Recommended control data source mapping:

You can create a custom control in AWS Audit Manager that supports this GDPR control.

When you specify the control details, enter the following under Testing information:

  • Show all root account events over term

  • AWS CloudTrail bucket not public

  • Show all policies with an Allow:*:* and list all principals and services using those policies

When you set up the control data sources, we recommend that you include all of the following as data sources:

Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:

Choose AWS Security Hub as the data source type, and select the following Security Hub controls as data source mappings:

Control name: Article 30 Records of processing activities.1

Control set: Chapter 4 - Controller and Processor

Recommended control data source mapping:

You can create a custom control in AWS Audit Manager that supports this GDPR control.

When you specify the control details, enter the following under Testing information:

  • Show all root account events over term

When you set up the control data sources, we recommend that you include all of the following as data sources:

Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:

Choose AWS Security Hub as the data source type, and select the following Security Hub control as a data source mapping:

Control name: Article 30 Records of processing activities.2

Control set: Chapter 4 - Controller and Processor

Recommended control data source mapping:

You can create a custom control in AWS Audit Manager that supports this GDPR control.

When you specify the control details, enter the following under Testing information:

  • Show all root account events over term

When you set up the control data sources, we recommend that you include all of the following as data sources:

Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:

Choose AWS Security Hub as the data source type, and select the following Security Hub control as a data source mapping:

Control name: Article 30 Records of processing activities.3

Control set: Chapter 4 - Controller and Processor

Recommended control data source mapping:

You can create a custom control in AWS Audit Manager that supports this GDPR control.

When you specify the control details, enter the following under Testing information:

  • Show all root account events over term

  • AWS CloudTrail bucket not public

  • Show all policies with an Allow:*:* and list all principals and services using those policies

When you set up the control data sources, we recommend that you include all of the following as data sources:

Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:

Choose AWS Security Hub as the data source type, and select the following Security Hub control as a data source mapping:

Control name: Article 30 Records of processing activities.4

Control set: Chapter 4 - Controller and Processor

Recommended control data source mapping:

You can create a custom control in AWS Audit Manager that supports this GDPR control.

When you specify the control details, enter the following under Testing information:

  • Show all root account events over term

  • AWS CloudTrail bucket not public

  • Show all policies with an Allow:*:* and list all principals and services using those policies

When you set up the control data sources, we recommend that you include all of the following as data sources:

Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:

Choose AWS Security Hub as the data source type, and select the following Security Hub control as a data source mapping:

Control name: Article 30 Records of processing activities.5

Control set: Chapter 4 - Controller and Processor

Recommended control data source mapping:

You can create a custom control in AWS Audit Manager that supports this GDPR control.

When you specify the control details, enter the following under Testing information:

  • Show all root account events over term

When you set up the control data sources, we recommend that you include all of the following as data sources:

Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:

Choose AWS Security Hub as the data source type, and select the following Security Hub control as a data source mapping:

Control name: Article 32 Security of processing.1

Control set: Chapter 4 - Controller and Processor

Recommended control data source mapping:

You can create a custom control in AWS Audit Manager that supports this GDPR control.

When you specify the control details, enter the following under Testing information:

  • Show data at rest encryption for all services

  • Show data in transit encryption for all services

  • MFA Delete enabled for Amazon S3

  • All Amazon Inspector scans

  • Show all instances that are not Amazon Inspector enabled

  • Show all load balancers that are listening on HTTPS (SSL)

  • AWS CloudTrail encrypted at rest

  • Amazon CloudWatch alerts for AWS Config displaying all changes and all commented settings

  • All root activity

When you set up the control data sources, we recommend that you include all of the following as data sources:

Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:

Control name: Article 32 Security of processing.2

Control set: Chapter 4 - Controller and Processor

Recommended control data source mapping:

You can create a custom control in AWS Audit Manager that supports this GDPR control.

When you specify the control details, enter the following under Testing information:

  • Show data at rest encryption for all services

  • Show data in transit encryption for all services

  • MFA Delete enabled for Amazon S3

  • All Amazon Inspector scans

  • Show all instances that aren't Amazon Inspector enabled

  • Show all load balancers that are listening on HTTPS (SSL)

  • AWS CloudTrail encrypted at rest

  • Amazon CloudWatch alerts for AWS Config displaying all changes and all commented settings

  • All root activity

When you set up the control data sources, we recommend that you include all of the following as data sources:

Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:

Control name: Article 32 Security of processing.3

Control set: Chapter 4 - Controller and Processor

Recommended control data source mapping:

You can create a custom control in AWS Audit Manager that supports this GDPR control.

When you specify the control details, enter the following under Testing information:

  • Show data at rest encryption for all services

  • Show data in transit encryption for all services

  • MFA Delete enabled for Amazon S3

  • All Amazon Inspector scans

  • Show all instances that aren't Amazon Inspector enabled

  • Show all load balancers that are listening on HTTPS (SSL)

  • AWS CloudTrail encrypted at rest

  • Amazon CloudWatch alerts for AWS Config displaying all changes and all commented settings

  • All root activity

When you set up the control data sources, we recommend that you include all of the following as data sources:

Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:

Control name: Article 32 Security of processing.4

Control set: Chapter 4 - Controller and Processor

Recommended control data source mapping:

You can create a custom control in AWS Audit Manager that supports this GDPR control.

When you specify the control details, enter the following under Testing information:

  • Show data at rest encryption for all services

  • Show data in transit encryption for all services

  • MFA Delete enabled for Amazon S3

  • All Amazon Inspector scans

  • Show all instances that aren't Amazon Inspector enabled

  • Show all load balancers that are listening on HTTPS (SSL)

  • AWS CloudTrail encrypted at rest

  • Amazon CloudWatch alerts for AWS Config displaying all changes and all commented settings

  • All root activity

When you set up the control data sources, we recommend that you include all of the following as data sources:

Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:

After you create your new custom controls for GDPR, you can add them to a custom GDPR framework. You can then create an assessment from the custom GDPR framework. This way, Audit Manager can collect evidence automatically for the custom controls that you added.
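The procedure above (custom controls with AWS Config and Security Hub data sources, grouped into a custom GDPR framework) as an added Python example that is not part of the AWS documentation: it builds the request payloads for the boto3 auditmanager create_control and create_assessment_framework calls from a control's testing information and its data-source lists, and counts the distinct resource assessments across controls. The rule and control identifiers are labelled placeholders to be replaced with the ones from the table, and the sourceName scheme is this example's own choice.

```python
"""Constructed example: payloads for Audit Manager custom GDPR controls."""
import json

AWS_CONFIG, SECURITY_HUB = "AWS_Config", "AWS_Security_Hub"   # sourceType enum values

def mapping_source(source_type, keyword):
    """One controlMappingSources entry: a Config managed rule or Security Hub control.
    No sourceFrequency: Config and Security Hub evidence arrives per evaluation."""
    return {
        "sourceName": f"{source_type}:{keyword}",           # naming scheme assumed here
        "sourceSetUpOption": "System_Controls_Mapping",    # automated, not procedural
        "sourceType": source_type,
        "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST", "keywordValue": keyword},
    }

def build_control(name, testing_info, config_rules=(), hub_controls=()):
    """kwargs for auditmanager.create_control; a source listed twice is mapped once."""
    sources, seen = [], set()
    for stype, keys in ((AWS_CONFIG, config_rules), (SECURITY_HUB, hub_controls)):
        for key in keys:
            if (stype, key) not in seen:
                seen.add((stype, key))
                sources.append(mapping_source(stype, key))
    if not sources:
        raise ValueError(f"{name}: automated evidence needs at least one data source")
    return {
        "name": name,
        "testingInformation": "\n".join(f"- {line}" for line in testing_info),
        "controlMappingSources": sources,
    }

def distinct_resource_assessments(controls):
    """Distinct (sourceType, keyword) pairs across all controls. A source mapped to
    several controls is assessed, and billed, once per resource."""
    return {(s["sourceType"], s["sourceKeyword"]["keywordValue"])
            for c in controls for s in c["controlMappingSources"]}

def build_framework(name, control_sets):
    """kwargs for create_assessment_framework; control_sets: set name -> control ids
    returned by create_control (e.g. 'Chapter 4 - Controller and Processor')."""
    return {"name": name, "complianceType": "GDPR",
            "controlSets": [{"name": cs, "controls": [{"id": cid} for cid in ids]}
                            for cs, ids in control_sets.items()]}

if __name__ == "__main__":   # PLACEHOLDER ids stand for the table's rules/controls
    art25 = build_control("Article 25 Data protection by design and by default.1",
                          ["Show all root account events over term", "AWS CloudTrail bucket not public"],
                          ["PLACEHOLDER_CONFIG_RULE"], ["PLACEHOLDER_SECURITY_HUB_CONTROL"])
    print(json.dumps(art25, indent=2))
```

Pass the returned dicts as keyword arguments to a boto3 `auditmanager` client; the control ids that create_control returns are what build_framework expects in each control set.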

Next steps

For instructions on how to create an assessment using this framework, see Creating an assessment in AWS Audit Manager.

For instructions on how to customize this framework to support your specific requirements, see Making an editable copy of an existing framework in AWS Audit Manager.

Additional resources