AWS GDPR compliance, privacy, and personal data protection are among the most common concerns for cloud teams running workloads in the AWS Cloud.
When thinking about the different mechanisms to protect privacy and earn the trust of the users of our services, compliance is one of the first words that comes to mind. Whether an organization operates in health and pharmaceuticals, finance, government, or any other field, it has to follow regulatory standards (e.g., SOC 2, NIST 800-53, PCI DSS, GDPR).
In the case of GDPR, the first function of compliance is to detect possible data protection violations, and prevent them. After all, a fine for a GDPR violation can be as high as 20 million euros, or 4 percent of a company’s annual global revenue from the year before – whichever is higher.
Let’s discover how to validate GDPR compliance for AWS with Sysdig!
What is GDPR?
The GDPR, or General Data Protection Regulation, is one of the regulations you must follow if you process personal data from EU citizens, or if you are located in the EU and process personal data. Personal data includes a person’s name, government ID numbers, and location information, as well as IP addresses, cookies, and other data that lets companies track users as they browse the internet.
GDPR aims to enhance personal privacy rights, requiring that companies take specific measures to ensure the safety of personal data.
It also mandates the implementation of mechanisms for end-users to retrieve, review, correct, or remove their personal data.
Finally, it also requires breach reporting, directing companies that have lost control over customer data, or that have been hacked, to notify users within 72 hours.
Although the GDPR laws were passed in May 2018, they were not enforced until recently. The EU privacy watchdog, the European Data Protection Supervisor (EDPS), has started to focus its attention on companies offering services to EU citizens. So despite a timid start, fines are now gathering pace. It is only a matter of time before regulators build up sufficient confidence to enforce GDPR laws more forcefully.
If you want to dive further into GDPR, you may be interested in “GDPR explained for DevOps engineers.”
Why does your AWS infrastructure need to be GDPR compliant?
AWS provides functionality that gets you roughly halfway to being GDPR compliant on AWS.
After all, AWS follows a shared responsibility model, so the other half has to be implemented within your service architecture. If you are utilizing AWS as your cloud provider, you have some homework to do.
Amazon Elastic Container Service (ECS) and its Kubernetes counterpart (EKS), Amazon CloudSearch, and Amazon ElastiCache for Memcached are not cleared for encryption; for these services, only deletion and monitoring of processing are covered.
Controls like these fall on your side of the shared responsibility model.
How Sysdig Secure helps you achieve AWS GDPR compliance
In June 2021, we made curated controls in Sysdig Secure available to help your company be AWS GDPR compliant across your cloud infrastructure.
You can use the compliance reports as proof of compliance for auditors.
Under the Compliance sidebar menu, you’ll find GDPR AWS as one of the compliance standards that Sysdig Secure implements.
This view will help you keep track of your security compliance posture. At a glance, you’ll be able to check how many controls of GDPR AWS you are passing.
And for those that are failing, you can quickly identify remediation actions inside Common fixes.
But sometimes it’s not evident why a control is needed and what steps would help you pass it. That’s the exact information you can find in the detailed explanation under each control.
Compliance is something that evolves constantly. Configuration changes can improve or reduce your compliance status, which is why these reports are scheduled to run on a recurring basis. That way, you can measure your security compliance over time.
But there’s more… GDPR compliance for workloads
In addition, Sysdig Secure also lets you be GDPR Workload compliant even if your workloads still run in your own datacenter.
We take care of kernel system calls, Kubernetes audit logs, host benchmarks, and security features that affect hosts, containers, and Kubernetes clusters.
Understanding the GDPR law and how it affects your AWS infrastructure will help you reduce legal problems and increase competitiveness when offering your services to EU citizens. Remember, we live in a globalized world! Your clients are everywhere on the planet.
Keep in mind that companies found in violation of the law can face very steep fines. The maximum fine for a GDPR violation is 20 million euros, or 4 percent of a company’s annual global revenue from the year before – whichever is higher.