Which AWS services are GDPR ready? Can I build and run GDPR compliant applications on AWS?
All AWS Services can be used in compliance with GDPR
Many requirements under the GDPR focus on ensuring effective control and protection of personal data. AWS services give you the capability to implement your own security measures in the ways you need in order to enable your compliance with the GDPR, including specific measures such as:
Encryption of personal data
Ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing
This is an advanced set of security and compliance services that are designed specifically to handle the requirements of the GDPR. There are numerous AWS services that have particular significance for customers focusing on GDPR compliancea and AWS has 500+ features and services focused on security and compliance.
For more information, have a look at the AWS GDPR Center.
The AWS Shared Responsibility Model and GDPR
AWS has a shared responsibility model with the customer and this doesn't change under GDPR. AWS is responsible for securing the underlying infrastructure that supports the cloud and the services provided; while customers, acting either as data controllers or data processors, are responsible for any personal data they put in the cloud.
You can find more information about the shared responsibility under GDPR in the AWS Security Blog.
Related
I am about to launch a webapp based on subscription. FYI, the web application manages health care data, and my customers are concerned about the security of data in the cloud.
Is there any certificate, or any official information I can give to my customers on the behalf of AWS proving that the data in any storage used by my application will be encrypted?
THANK YOU
From What is AWS Artifact?:
AWS Artifact provides on-demand downloads of AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI), and Service Organization Control (SOC) reports. You can submit the security and compliance documents (also known as audit artifacts) to your auditors or regulators to demonstrate the security and compliance of the AWS infrastructure and services that you use. You can also use these documents as guidelines to evaluate your own cloud architecture and assess the effectiveness of your company's internal controls. AWS Artifact provides documents about AWS only. AWS customers are responsible for developing or obtaining documents that demonstrate the security and compliance of their companies.
It explains what AWS does. However, you would also need to prove that you are using the cloud correctly, such as verifying user's identities and not making buckets public.
NO, there is no such a document, you need to apply and obtain this certificate.
AWS is complaint, for there part Security of the cloud, and you are responsible for the Security in the cloud. AWS Artifact is a repository.
AWS Config is the tool you will use to monitor the configuration of
your stack, can repair configurations also.
AWS Cloudwach will monitor the performance, brings you alerts and evoke Lambda
AWS Cloud Trail will monitor the API calls.
AWS Macy to check your buckets for Personal Identifiable information.
Then you are the one who enable encryption and choose the Key management and rotation, AWS KMS.
Just to mention few services to be aware of. Best regards.
For architecting a multi-tenant SAAS serverless application on AWS, This is how we plan to manage "users" and multi-tenancy. A relevant blog post here: https://medium.com/#tarekbecker/serverless-enterprise-grade-multi-tenancy-using-aws-76ff5f4d0a23
In order to ensure business continuity, we would also like to ensure
Regional failover
Data residency for personally identifiable information
Disaster recovery
What changes should be made in the following architecture in order to integrate these aspects into the serverless application?
Data -- A perfect figure and shows the characteristics of any individual. When it comes to security, it's a null hypothesis statement " The data is secured ". We are believing it, the statement is true and how sure the organizational data is secured with the cloud.
Even though there is a security concern in all the three models of cloud services --
SaaS vs PaaS vs IaaS models
. How can we handle the data secured with High-reliability, maintain resource and cost-effective?
Google values customers data and commits to uphold trust to the highest degree. see terms of service and security and privacy. As Google puts security to the forefront, the onus is on the user to ensure that they are using the necessary tools (Provided by google) and steps to secure resources. Google Infrastructure Security Design will explain what is managed on their part, but implementing other means of securing resources she be done on the clients part as well.
Looking for budget friendly IDS/IPS for my servers.The time frame would be once in three months. Are there any services i can use to run a test once in 3 months and pay for that particular period of time
There are services like AWS Shield and AWS WAF that you can use for IDS/IPS.
AWS Shiled
AWS Shield is a managed Distributed Denial of Service (DDoS)
protection service that safeguards applications running on AWS. AWS
Shield provides always-on detection and automatic inline mitigations
that minimize application downtime and latency, so there is no need to
engage AWS Support to benefit from DDoS protection. There are two
tiers of AWS Shield - Standard and Advanced.
AWS WAF
AWS WAF is a web application firewall that helps protect your web
applications or APIs against common web exploits that may affect
availability, compromise security, or consume excessive resources. AWS
WAF gives you control over how traffic reaches your applications by
enabling you to create security rules that block common attack
patterns, such as SQL injection or cross-site scripting, and rules
that filter out specific traffic patterns you define. You can get
started quickly using Managed Rules for AWS WAF, a pre-configured set
of rules managed by AWS or AWS Marketplace Sellers. The Managed Rules
for WAF address issues like the OWASP Top 10 security risks. These
rules are regularly updated as new issues emerge. AWS WAF includes a
full-featured API that you can use to automate the creation,
deployment, and maintenance of security rules.
You can also buy third-party software that you can run on EC2 instances for IDS/IPS.
Intrusion Detection & Prevention Systems
EC2 Instance IDS/IPS solutions offer key features to help protect your
EC2 instances. This includes alerting administrators of malicious
activity and policy violations, as well as identifying and taking
action against attacks. You can use AWS services and third party
IDS/IPS solutions offered in AWS Marketplace to stay one step ahead of
potential attackers.
We are developing a custom application, API architecture, related services and processes, based on a LAMP stack and all relevant AWS services: Elastic Beanstalk, EC2, S3, ELB, RDS, API Gateway, Lambda, SNS etc. We would propose to manage the app and all related infrastructure for a flat monthly rate to our client base. We would handle all payment details with Amazon directly for all clients. We are essentially building out a multi-tenant application on AWS. We want to be able to service the AWS infrastructure for potentially 1000s of accounts/clients.
Here is the question: What are the pros/cons of:
Option A) hosting all services in a single AWS account using carefully structured IAM roles, users, and permissions, and co-mingling customer data while insuring logical and secure separation of customer data within the account?
- VS -
Option B) creating a unique AWS for each account each client, and manage each account via a local profile. In this approach, all data is fully segregated, but we have to manage common activities (user management, code deployment, operations) across 100s of discrete accounts. There is a data security advantage, but it is feasible to manage that many accounts? Any tools or processes for doing it this way? Each company technician would need a login across every account.
The isolation of option B improves security for each client, as any potential security breach would be limited to a single account. But would code deployments be a nightmare? But what about configuration management?
Is there an account federation service that would help manage option B? Or am I nuts for even considering option B?
Lots to think about, but IMO, in this instance, security trumps all other concerns and that would make me choose option B with the little I know about your setup.
Just think what would happen to your business if the 'master' account was compromised - by a hacker (internal or external) - your clients would be running for the door.
Having lots of accounts to manage is an obstacle, but if treat your infrastructure as code, your code-deployments and everything else can be automated - with 1000s of accounts you will have no choice but to put those systems in place.