Data Protection by Design and by Default

The Nitro Systems is the underlying platform for all modern Amazon EC2 instances. It is a combination of purpose-built server designs, data processors, system management components, and specialized firmware which provide the underlying platform for all Amazon EC2 instances launched since the beginning of 2018. By design the Nitro System has no operator access; it means that no mechanism for any system or person to log in to Amazon EC2 Nitro hosts, access the memory of Amazon EC2 instances, or access any customer data stored on local encrypted instance storage or remote encrypted Amazon EBS volumes. If any AWS operator, including those with the highest privileges, needs to do maintenance work on an Amazon EC2 server, they can only use a limited set of authenticated, authorized, logged, and audited administrative APIs. None of these APIs provide an operator the ability to access customer data on the Amazon EC2 server. Because these are designed and tested technical restrictions built into the Nitro System itself, no AWS operator can bypass these controls and protections. You can find additional details about Nitro Systems security design and the independent affirmation of these security capabilities from NCC Group, a leading cybersecurity consulting firm, in the public documentation.

Additionally, any time a user or an application tries to use the AWS Management Console, the AWS API, or the AWS CLI, a request is sent to AWS. The AWS service receives the request and executes a set of several steps to determine whether to allow or deny the request, according to a specific policy evaluation logic. Except for root credential requests, all requests on AWS are denied by default (the default deny policy is applied). This means that everything that is not explicitly allowed by the policy is denied. In the definition of policies and as a best practice, AWS suggests that you apply the least privilege principle, which means that every component (such as users, modules, or services) must be able to access only the resources required to complete its tasks.

This approach aligns with Article 25 of the GDPR, which states that “the controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed”.

AWS also provides tools to implement infrastructure as code, which is a powerful mechanism for including security from the beginning of the design of an architecture. AWS CloudFormation provides a common language to describe and provision all infrastructure resources, including security policies and processes. With these tools and practices, security becomes part of your code and can be versioned, monitored, and modified (with a versioning system) according to the requirements of your organization. This enables data protection by design, because security processes and policies can be included in the definition of your architecture, and can also be continuously monitored by security measures in your organization.