GDPR - AWS Audit Manager

What is GDPR?Use AWS Audit Manager to support your audit preparation

AWS Audit Manager provides a prebuilt standard framework that supports the GDPR. By default, this framework contains only manual controls. These manual controls don't collect evidence automatically. However, if you want to automate evidence collection for some controls under GDPR, you can use the custom control feature in AWS Audit Manager. For more information, see Use AWS Audit Manager to support your GDPR audit preparation.

Topics

What is GDPR?
Use AWS Audit Manager to support your audit preparation

The General Data Protection Regulation (GDPR) is a new European privacy law that became enforceable on May 25, 2018. The GDPR replaces the EU Data Protection Directive, also known as Directive 95/46/EC. It's intended to harmonize data protection laws throughout the European Union (EU) by applying a single data protection law that is binding throughout each member state.

The GDPR applies to all organizations that are established in the EU and to organizations, whether or not established in the EU, that process the personal data of EU data subjects in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behavior that takes place within the EU. Personal data is any information that relates to an identified or identifiable natural person.

You can find the GDPR framework in the framework library page of AWS Audit Manager. For more information, see the General Data Protection Regulation (GDPR) Center.

To automate evidence collection for controls under GDPR, you can use AWS Audit Manager to create custom controls for GDPR by referring to the recommended data source configuration in the following table. For instructions on how to create a custom control, see Creating a custom control.

Control name	Control set	Recommended control data source mapping
Article 25 Data protection by design and by default.1	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show all root account events over term AWS CloudTrail bucket not public Show all policies with an Allow:: and list all principals and services using those policies When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: IAM_ROOT_ACCESS_KEY_CHECK ROOT_ACCOUNT_MFA_ENABLED ROOT_ACCOUNT_HARDWARE_MFA_ENABLED VPC_FLOW_LOGS_ENABLED ACCESS_KEYS_ROTATED IAM_PASSWORD_POLICY When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security checks: 1.1 - 3.14 Config.1
Article 25 Data protection by design and by default.2	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show all root account events over term AWS CloudTrail bucket not public Show all policies with an Allow:: and list all principals and services using those policies When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: IAM_ROOT_ACCESS_KEY_CHECK ROOT_ACCOUNT_MFA_ENABLED ROOT_ACCOUNT_HARDWARE_MFA_ENABLED VPC_FLOW_LOGS_ENABLED ACCESS_KEYS_ROTATED IAM_PASSWORD_POLICY When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security checks: 1.1 - 3.14 Config.1
Article 25 Data protection by design and by default.3	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show all root account events over term AWS CloudTrail bucket not public Show all policies with an Allow:: and list all principals and services using those policies When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: IAM_ROOT_ACCESS_KEY_CHECK ROOT_ACCOUNT_MFA_ENABLED ROOT_ACCOUNT_HARDWARE_MFA_ENABLED VPC_FLOW_LOGS_ENABLED ACCESS_KEYS_ROTATED IAM_PASSWORD_POLICY When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security checks: 1.1 - 3.14 Config.1
Article 30 Records of processing activities.1	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show all root account events over term When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: CLOUD_TRAIL_ENCRYPTION_ENABLED CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED VPC_FLOW_LOGS_ENABLED CMK_BACKING_KEY_ROTATION_ENABLED CLOUD_TRAIL_ENABLED ELB_LOGGING_ENABLED CLOUDTRAIL_SECURITY_TRAIL_ENABLED REDSHIFT_CLUSTER_CONFIGURATION_CHECK CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security check: Config.1
Article 30 Records of processing activities.2	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show all root account events over term When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: CLOUD_TRAIL_ENCRYPTION_ENABLED CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED VPC_FLOW_LOGS_ENABLED CMK_BACKING_KEY_ROTATION_ENABLED CLOUD_TRAIL_ENABLED ELB_LOGGING_ENABLED CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security check: Config.1
Article 30 Records of processing activities.3	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show all root account events over term AWS CloudTrail bucket not public Show all policies with an Allow:: and list all principals and services using those policies When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: CLOUD_TRAIL_ENCRYPTION_ENABLED CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED VPC_FLOW_LOGS_ENABLED CMK_BACKING_KEY_ROTATION_ENABLED CLOUD_TRAIL_ENABLED ELB_LOGGING_ENABLED CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security check: Config.1
Article 30 Records of processing activities.4	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show all root account events over term AWS CloudTrail bucket not public Show all policies with an Allow:: and list all principals and services using those policies When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: CLOUD_TRAIL_ENCRYPTION_ENABLED CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED VPC_FLOW_LOGS_ENABLED CMK_BACKING_KEY_ROTATION_ENABLED CLOUD_TRAIL_ENABLED ELB_LOGGING_ENABLED CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security check: Config.1
Article 30 Records of processing activities.5	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show all root account events over term When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: CLOUD_TRAIL_ENCRYPTION_ENABLED CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED VPC_FLOW_LOGS_ENABLED CMK_BACKING_KEY_ROTATION_ENABLED CLOUD_TRAIL_ENABLED ELB_LOGGING_ENABLED CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security check: Config.1
Article 32 Security of processing.1	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show data at rest encryption for all services Show data in transit encryption for all services MFA Delete enabled for Amazon S3 All Amazon Inspector scans Show all instances that are not Amazon Inspector enabled Show all load balancers that are listening on HTTPS (SSL) AWS CloudTrail encrypted at rest Amazon CloudWatch alerts for AWS Config displaying all changes and all commented settings All root activity When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED S3_BUCKET_SSL_REQUESTS_ONLY CLOUD_TRAIL_ENCRYPTION_ENABLED CLOUDWATCH_LOG_GROUP_ENCRYPTED EFS_ENCRYPTED_CHECK ELASTICSEARCH_ENCRYPTED_AT_REST ENCRYPTED_VOLUMES RDS_STORAGE_ENCRYPTED REDSHIFT_CLUSTER_CONFIGURATION_CHECK S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED SNS_ENCRYPTED_KMS EC2_EBS_ENCRYPTION_BY_DEFAULT DYNAMODB_TABLE_ENCRYPTED_KMS DYNAMODB_TABLE_ENCRYPTION_ENABLED RDS_SNAPSHOT_ENCRYPTED S3_DEFAULT_ENCRYPTION_KMS DAX_ENCRYPTION_ENABLED EKS_SECRETS_ENCRYPTED RDS_LOGGING_ENABLED REDSHIFT_BACKUP_ENABLED RDS_IN_BACKUP_PLAN WAF_CLASSIC_LOGGING_ENABLED WAFV2_LOGGING_ENABLED ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK ELB_ACM_CERTIFICATE_REQUIRED ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK REDSHIFT_REQUIRE_TLS_SSL CLOUDFRONT_VIEWER_POLICY_HTTPS ALB_HTTP_DROP_INVALID_HEADER_ENABLED ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK ELB_TLS_HTTPS_LISTENERS_ONLY ACM_CERTIFICATE_EXPIRATION_CHECK API_GW_CACHE_ENABLED_AND_ENCRYPTED
Article 32 Security of processing.2	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show data at rest encryption for all services Show data in transit encryption for all services MFA Delete enabled for Amazon S3 All Amazon Inspector scans Show all instances that aren't Amazon Inspector enabled Show all load balancers that are listening on HTTPS (SSL) AWS CloudTrail encrypted at rest Amazon CloudWatch alerts for AWS Config displaying all changes and all commented settings All root activity When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED S3_BUCKET_SSL_REQUESTS_ONLY CLOUD_TRAIL_ENCRYPTION_ENABLED CLOUDWATCH_LOG_GROUP_ENCRYPTED EFS_ENCRYPTED_CHECK ELASTICSEARCH_ENCRYPTED_AT_REST ENCRYPTED_VOLUMES RDS_STORAGE_ENCRYPTED REDSHIFT_CLUSTER_CONFIGURATION_CHECK S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED SNS_ENCRYPTED_KMS EC2_EBS_ENCRYPTION_BY_DEFAULT DYNAMODB_TABLE_ENCRYPTED_KMS DYNAMODB_TABLE_ENCRYPTION_ENABLED RDS_SNAPSHOT_ENCRYPTED S3_DEFAULT_ENCRYPTION_KMS DAX_ENCRYPTION_ENABLED EKS_SECRETS_ENCRYPTED RDS_LOGGING_ENABLED REDSHIFT_BACKUP_ENABLED RDS_IN_BACKUP_PLAN WAF_CLASSIC_LOGGING_ENABLED WAFV2_LOGGING_ENABLED ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK ELB_ACM_CERTIFICATE_REQUIRED ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK REDSHIFT_REQUIRE_TLS_SSL CLOUDFRONT_VIEWER_POLICY_HTTPS ALB_HTTP_DROP_INVALID_HEADER_ENABLED ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK ELB_TLS_HTTPS_LISTENERS_ONLY ACM_CERTIFICATE_EXPIRATION_CHECK API_GW_CACHE_ENABLED_AND_ENCRYPTED
Article 32 Security of processing.3	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show data at rest encryption for all services Show data in transit encryption for all services MFA Delete enabled for Amazon S3 All Amazon Inspector scans Show all instances that aren't Amazon Inspector enabled Show all load balancers that are listening on HTTPS (SSL) AWS CloudTrail encrypted at rest Amazon CloudWatch alerts for AWS Config displaying all changes and all commented settings All root activity When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED S3_BUCKET_SSL_REQUESTS_ONLY CLOUD_TRAIL_ENCRYPTION_ENABLED CLOUDWATCH_LOG_GROUP_ENCRYPTED EFS_ENCRYPTED_CHECK ELASTICSEARCH_ENCRYPTED_AT_REST ENCRYPTED_VOLUMES RDS_STORAGE_ENCRYPTED REDSHIFT_CLUSTER_CONFIGURATION_CHECK S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED SNS_ENCRYPTED_KMS EC2_EBS_ENCRYPTION_BY_DEFAULT DYNAMODB_TABLE_ENCRYPTED_KMS DYNAMODB_TABLE_ENCRYPTION_ENABLED RDS_SNAPSHOT_ENCRYPTED S3_DEFAULT_ENCRYPTION_KMS DAX_ENCRYPTION_ENABLED EKS_SECRETS_ENCRYPTED RDS_LOGGING_ENABLED REDSHIFT_BACKUP_ENABLED RDS_IN_BACKUP_PLAN WAF_CLASSIC_LOGGING_ENABLED WAFV2_LOGGING_ENABLED ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK ELB_ACM_CERTIFICATE_REQUIRED ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK REDSHIFT_REQUIRE_TLS_SSL CLOUDFRONT_VIEWER_POLICY_HTTPS ALB_HTTP_DROP_INVALID_HEADER_ENABLED ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK ELB_TLS_HTTPS_LISTENERS_ONLY ACM_CERTIFICATE_EXPIRATION_CHECK API_GW_CACHE_ENABLED_AND_ENCRYPTED
Article 32 Security of processing.4	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show data at rest encryption for all services Show data in transit encryption for all services MFA Delete enabled for Amazon S3 All Amazon Inspector scans Show all instances that aren't Amazon Inspector enabled Show all load balancers that are listening on HTTPS (SSL) AWS CloudTrail encrypted at rest Amazon CloudWatch alerts for AWS Config displaying all changes and all commented settings All root activity When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED S3_BUCKET_SSL_REQUESTS_ONLY CLOUD_TRAIL_ENCRYPTION_ENABLED CLOUDWATCH_LOG_GROUP_ENCRYPTED EFS_ENCRYPTED_CHECK ELASTICSEARCH_ENCRYPTED_AT_REST ENCRYPTED_VOLUMES RDS_STORAGE_ENCRYPTED REDSHIFT_CLUSTER_CONFIGURATION_CHECK S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED SNS_ENCRYPTED_KMS EC2_EBS_ENCRYPTION_BY_DEFAULT DYNAMODB_TABLE_ENCRYPTED_KMS DYNAMODB_TABLE_ENCRYPTION_ENABLED RDS_SNAPSHOT_ENCRYPTED S3_DEFAULT_ENCRYPTION_KMS DAX_ENCRYPTION_ENABLED EKS_SECRETS_ENCRYPTED RDS_LOGGING_ENABLED REDSHIFT_BACKUP_ENABLED RDS_IN_BACKUP_PLAN WAF_CLASSIC_LOGGING_ENABLED WAFV2_LOGGING_ENABLED ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK ELB_ACM_CERTIFICATE_REQUIRED ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK REDSHIFT_REQUIRE_TLS_SSL CLOUDFRONT_VIEWER_POLICY_HTTPS ALB_HTTP_DROP_INVALID_HEADER_ENABLED ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK ELB_TLS_HTTPS_LISTENERS_ONLY ACM_CERTIFICATE_EXPIRATION_CHECK API_GW_CACHE_ENABLED_AND_ENCRYPTED

After you create your new custom controls for GDPR, you can add them to a custom GDPR framework. For more information, see Creating a custom framework and Editing a custom framework. You can then create an assessment from the custom GDPR framework so that AWS Audit Manager begins collecting evidence automatically for the custom controls that you added. For instructions on how to create an assessment from a framework, see Creating an assessment.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

FedRAMP Moderate Baseline by Allgress

Gramm-Leach-Bliley Act