GDPR - AWS Audit Manager

GDPR

AWS Audit Manager provides a prebuilt standard framework that supports the GDPR. By default, this framework contains only manual controls. These manual controls don't collect evidence automatically. However, if you want to automate evidence collection for some controls under GDPR, you can use the custom control feature in AWS Audit Manager. For more information, see Use AWS Audit Manager to support your GDPR audit preparation.

What is GDPR?

The General Data Protection Regulation (GDPR) is a European privacy law that became enforceable on May 25, 2018. The GDPR replaced the EU Data Protection Directive, also known as Directive 95/46/EC. It's intended to harmonize data protection laws throughout the European Union (EU) by applying a single data protection law that is binding in every member state.

The GDPR applies to all organizations that are established in the EU and to organizations, whether or not established in the EU, that process the personal data of EU data subjects in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behavior that takes place within the EU. Personal data is any information that relates to an identified or identifiable natural person.

You can find the GDPR framework in the framework library page of AWS Audit Manager. For more information, see the General Data Protection Regulation (GDPR) Center.

Use AWS Audit Manager to support your GDPR audit preparation

To automate evidence collection for controls under GDPR, you can use AWS Audit Manager to create custom controls for GDPR by referring to the recommended data source configuration in the following table. For instructions on how to create a custom control, see Creating a custom control.

For each control, the entries below give the control name, the control set it belongs to, and the recommended control data source mapping.

Control name: Article 25 Data protection by design and by default.1

Control set: Chapter 4 - Controller and Processor

You can create a custom control in AWS Audit Manager that supports this GDPR control.

When you specify the control details, enter the following under Testing information:

  • Show all root account events over term

  • AWS CloudTrail bucket not public

  • Show all policies with an Allow:*:* and list all principals and services using those policies

When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules:

When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security checks:

Control name: Article 25 Data protection by design and by default.2

Control set: Chapter 4 - Controller and Processor

You can create a custom control in AWS Audit Manager that supports this GDPR control.

When you specify the control details, enter the following under Testing information:

  • Show all root account events over term

  • AWS CloudTrail bucket not public

  • Show all policies with an Allow:*:* and list all principals and services using those policies

When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules:

When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security checks:

Control name: Article 25 Data protection by design and by default.3

Control set: Chapter 4 - Controller and Processor

You can create a custom control in AWS Audit Manager that supports this GDPR control.

When you specify the control details, enter the following under Testing information:

  • Show all root account events over term

  • AWS CloudTrail bucket not public

  • Show all policies with an Allow:*:* and list all principals and services using those policies

When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules:

When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security checks:

Control name: Article 30 Records of processing activities.1

Control set: Chapter 4 - Controller and Processor

You can create a custom control in AWS Audit Manager that supports this GDPR control.

When you specify the control details, enter the following under Testing information:

  • Show all root account events over term

When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules:

When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security check:

Control name: Article 30 Records of processing activities.2

Control set: Chapter 4 - Controller and Processor

You can create a custom control in AWS Audit Manager that supports this GDPR control.

When you specify the control details, enter the following under Testing information:

  • Show all root account events over term

When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules:

When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security check:

Control name: Article 30 Records of processing activities.3

Control set: Chapter 4 - Controller and Processor

You can create a custom control in AWS Audit Manager that supports this GDPR control.

When you specify the control details, enter the following under Testing information:

  • Show all root account events over term

  • AWS CloudTrail bucket not public

  • Show all policies with an Allow:*:* and list all principals and services using those policies

When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules:

When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security check:

Control name: Article 30 Records of processing activities.4

Control set: Chapter 4 - Controller and Processor

You can create a custom control in AWS Audit Manager that supports this GDPR control.

When you specify the control details, enter the following under Testing information:

  • Show all root account events over term

  • AWS CloudTrail bucket not public

  • Show all policies with an Allow:*:* and list all principals and services using those policies

When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules:

When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security check:

Control name: Article 30 Records of processing activities.5

Control set: Chapter 4 - Controller and Processor

You can create a custom control in AWS Audit Manager that supports this GDPR control.

When you specify the control details, enter the following under Testing information:

  • Show all root account events over term

When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules:

When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security check:

Control name: Article 32 Security of processing.1

Control set: Chapter 4 - Controller and Processor

You can create a custom control in AWS Audit Manager that supports this GDPR control.

When you specify the control details, enter the following under Testing information:

  • Show data at rest encryption for all services

  • Show data in transit encryption for all services

  • MFA Delete enabled for Amazon S3

  • All Amazon Inspector scans

  • Show all instances that aren't Amazon Inspector enabled

  • Show all load balancers that are listening on HTTPS (SSL)

  • AWS CloudTrail encrypted at rest

  • Amazon CloudWatch alerts for AWS Config displaying all changes and all commented settings

  • All root activity

When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules:

Control name: Article 32 Security of processing.2

Control set: Chapter 4 - Controller and Processor

You can create a custom control in AWS Audit Manager that supports this GDPR control.

When you specify the control details, enter the following under Testing information:

  • Show data at rest encryption for all services

  • Show data in transit encryption for all services

  • MFA Delete enabled for Amazon S3

  • All Amazon Inspector scans

  • Show all instances that aren't Amazon Inspector enabled

  • Show all load balancers that are listening on HTTPS (SSL)

  • AWS CloudTrail encrypted at rest

  • Amazon CloudWatch alerts for AWS Config displaying all changes and all commented settings

  • All root activity

When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules:

Control name: Article 32 Security of processing.3

Control set: Chapter 4 - Controller and Processor

You can create a custom control in AWS Audit Manager that supports this GDPR control.

When you specify the control details, enter the following under Testing information:

  • Show data at rest encryption for all services

  • Show data in transit encryption for all services

  • MFA Delete enabled for Amazon S3

  • All Amazon Inspector scans

  • Show all instances that aren't Amazon Inspector enabled

  • Show all load balancers that are listening on HTTPS (SSL)

  • AWS CloudTrail encrypted at rest

  • Amazon CloudWatch alerts for AWS Config displaying all changes and all commented settings

  • All root activity

When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules:

Control name: Article 32 Security of processing.4

Control set: Chapter 4 - Controller and Processor

You can create a custom control in AWS Audit Manager that supports this GDPR control.

When you specify the control details, enter the following under Testing information:

  • Show data at rest encryption for all services

  • Show data in transit encryption for all services

  • MFA Delete enabled for Amazon S3

  • All Amazon Inspector scans

  • Show all instances that aren't Amazon Inspector enabled

  • Show all load balancers that are listening on HTTPS (SSL)

  • AWS CloudTrail encrypted at rest

  • Amazon CloudWatch alerts for AWS Config displaying all changes and all commented settings

  • All root activity

When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules:

After you create your new custom controls for GDPR, you can add them to a custom GDPR framework. For more information, see Creating a custom framework and Editing a custom framework. You can then create an assessment from the custom GDPR framework so that AWS Audit Manager begins collecting evidence automatically for the custom controls that you added. For instructions on how to create an assessment from a framework, see Creating an assessment.
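The same three steps (custom control with automated data sources, custom framework, assessment) can be driven through the AWS Audit Manager API instead of the console. The following is an added example written for this page, not AWS's own code or a mapping AWS publishes: it builds the request bodies for boto3's create_control, create_assessment_framework and create_assessment calls for the Article 25.1 control above. The AWS Config managed-rule identifiers and Security Hub control IDs it uses are real identifiers, but pairing them with this control's Testing information bullets is this example's assumption; the S3 bucket name and the owner role ARN are placeholders, and the keyword-shape checks reflect the SELECT_FROM_LIST keyword formats Audit Manager accepts for those two source types.

```python
"""Build AWS Audit Manager request bodies for an automated GDPR custom control.

Added example for this page; not AWS's code. The rule/check selection below is
an assumed mapping for the Article 25.1 'Testing information' bullets.
"""
import re

# Keyword shapes Audit Manager accepts for SELECT_FROM_LIST sources: AWS Config
# managed-rule identifiers are UPPER_SNAKE (custom rules carry a "Custom_"
# prefix); Security Hub control IDs look like "IAM.1".
_CONFIG_KEYWORD = re.compile(r"^(Custom_[A-Za-z0-9_-]+|[A-Z0-9_]+)$")
_SECURITY_HUB_KEYWORD = re.compile(r"^[A-Za-z0-9]+\.\d+$")

# Assumed mapping (this example's choice, not an AWS recommendation): root
# account activity -> root MFA / root access-key checks, public CloudTrail
# bucket -> S3 public-read checks, Allow:*:* policies -> admin-policy checks.
ARTICLE_25_1 = {
    "name": "GDPR Article 25.1 Data protection by design and by default",
    "control_set": "Chapter 4 - Controller and Processor",
    "testing_information": [
        "Show all root account events over term",
        "AWS CloudTrail bucket not public",
        "Show all policies with an Allow:*:* and list all principals and services using those policies",
    ],
    "config_rules": [
        "ROOT_ACCOUNT_MFA_ENABLED",
        "S3_BUCKET_PUBLIC_READ_PROHIBITED",
        "IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS",
    ],
    "security_hub_checks": ["IAM.4", "S3.2", "IAM.1"],
}


def mapping_source(source_type, keyword, frequency="DAILY"):
    """One controlMappingSources entry. A keyword of the wrong shape fails
    here instead of becoming an evidence source that silently collects nothing."""
    shapes = {"AWS_Config": _CONFIG_KEYWORD, "AWS_Security_Hub": _SECURITY_HUB_KEYWORD}
    if source_type not in shapes:
        raise ValueError(f"unsupported automated source type: {source_type}")
    if not shapes[source_type].match(keyword):
        raise ValueError(f"{keyword!r} is not a valid {source_type} keyword")
    return {
        "sourceName": f"{source_type}:{keyword}",
        "sourceSetUpOption": "System_Controls_Mapping",
        "sourceType": source_type,
        "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST", "keywordValue": keyword},
        "sourceFrequency": frequency,
    }


def control_request(spec):
    """Request body for auditmanager.create_control: the Testing information
    bullets plus one automated data source per Config rule / Security Hub check."""
    sources = [mapping_source("AWS_Config", r) for r in spec["config_rules"]]
    sources += [mapping_source("AWS_Security_Hub", c) for c in spec["security_hub_checks"]]
    return {
        "name": spec["name"],
        "description": "Automated evidence for " + spec["name"],
        "testingInformation": "\n".join(spec["testing_information"]),
        "controlMappingSources": sources,
    }


def framework_request(control_set, control_ids):
    """Request body for auditmanager.create_assessment_framework."""
    return {
        "name": "GDPR (custom, automated evidence)",
        "complianceType": "GDPR",
        "controlSets": [{"name": control_set, "controls": [{"id": i} for i in control_ids]}],
    }


def assessment_request(framework_id, account_id, report_bucket, owner_role_arn):
    """Request body for auditmanager.create_assessment (bucket and role are
    caller-supplied placeholders)."""
    return {
        "name": "GDPR assessment (automated)",
        "frameworkId": framework_id,
        "assessmentReportsDestination": {"destinationType": "S3", "destination": f"s3://{report_bucket}"},
        "scope": {"awsAccounts": [{"id": account_id}]},
        "roles": [{"roleType": "PROCESS_OWNER", "roleArn": owner_role_arn}],
    }


def main():
    """Issue the three calls; needs AWS credentials and boto3 (imported here so
    the payload builders above stay importable without them)."""
    import boto3
    am = boto3.client("auditmanager")
    control_id = am.create_control(**control_request(ARTICLE_25_1))["control"]["id"]
    framework_id = am.create_assessment_framework(
        **framework_request(ARTICLE_25_1["control_set"], [control_id]))["framework"]["id"]
    account_id = boto3.client("sts").get_caller_identity()["Account"]
    assessment = am.create_assessment(**assessment_request(
        framework_id, account_id, "example-audit-reports-bucket",  # placeholder bucket
        f"arn:aws:iam::{account_id}:role/AuditOwner"))               # placeholder role
    print("created assessment", assessment["assessment"]["metadata"]["id"])


if __name__ == "__main__":
    main()
```

Evidence collection only starts once the assessment exists, so the control and framework IDs returned by the first two calls are fed straight into the third; the keyword checks in mapping_source are the part worth keeping even if the rest is replaced by the console, because a misspelled rule identifier is accepted by the API and only shows up later as a control with no evidence.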