Automate checks of your AWS environment for GDPR compliance

In this article, we will cover a few of the AWS initiatives to help you ensure GDPR compliance, its “shared responsibility model,” and how you can easily take a proactive approach to ensuring audit-ready GDPR compliance for your own AWS environment.

GDPR in a Nutshell

The General Data Protection Regulation (GDPR) became enforceable under EU law on 25 May 2018, replacing the EU Data Protection Directive.

As an EU regulation, it applies to the personal data of EU citizens. Therefore, it is a regulation that applies to any organization that processes or stores the personal information of EU citizens, regardless of where that organization is located. This includes organizations outside the EU that offer goods or services to individuals in the EU or monitor the behavior of individuals in the EU.

Other regions outside the EU are also adopting this regulation – for example New Zealand, where similar regulation is expected to come into effect on December 1st, 2020.

Record Fines for GDPR Violation

In the first two years since GDPR compliance enforcement went into effect, there have been a total of 391 cases made public in which authorities have raised fines against both private companies and public organizations. Penalty amounts are influenced by various factors, such as the severity of the incident, the number of compromised data sets, and the annual global financial turnover of the organization. Reported fines have ranged from multiple thousands of euros to multiple hundreds of millions.

In a 2019 case, British Airways had to pay a staggering 204.6 million euros in an incident that compromised personal data of around 500,000 customers. British authorities stated that the main cause for the GDPR infringement was: "Insufficient technical and organisational measures to ensure information security." Among other things, insufficient security processes were discovered relating to user address, log in, payment card, and travel booking details.

Out of the reported cases since 2018, GDPR violations caused by breaches of articles 25 and 32 alone total 97 of those cases. Fines for infringements of just those two articles together average at 7.07 million euros and total an amount of 395.3 million euros paid in fines within the last two years. (Source: https://www.enforcementtracker.com)

In addition to GDPR articles 25 and 32, article 30 is highly relevant for the shared responsibility part of the AWS cloud compliance model.

Runecast has addressed these and other GDPR articles by providing fully automatic compliance checks to help fulfill the AWS customer’s responsibilities for GDPR compliance on the AWS cloud.

Amazon (AWS) and GDPR compliance

As we wrote when we launched automated intelligence capabilities for Amazon Web Services (AWS) in December 2019:

“With AWS adoption comes a complex new level of configurations, storage expansion, and other chances where AWS-related issues can devolve into downtime. AWS users often don’t have control of the way that the provider is managing the environment and have no way to know how this is happening. In some cases, downtime is not the only detriment, as misconfigurations can lead to low performance and higher costs even in an uptime scenario.

Whereas complying with common security guidelines is important for almost every VMware environment, securing your AWS infrastructure becomes essential with AWS being an ever-growing target for cyber-criminality. Despite Amazon doing a lot for security from the AWS side, admins can be overwhelmed at trying to secure the AWS infrastructure on their own end.”

Pain points for IT System Admins regarding GDPR compliance on AWS can be seen in the responses to a GDPR implementation survey carried out by Ponemon Institute which involved 1,263 responding organizations: 

  • 54% of respondent organizations said GDPR implementation took longer than they had anticipated. 
  • Only 18% of respondents were highly confident in their organizations’ ability to communicate a reportable data breach to the relevant regulators within 72 hours of becoming aware of the event—seen by 70 percent of respondents as the main GDPR security requirement they should principally address.
  • Almost half of reportable breaches were caused by negligent insiders, followed by outsourcing data to a third party and cyber-attacks. However, some 35 percent of respondents reported they did not know what caused the breach.

Source: https://iaasacademy.com/aws-certified-solutions-architect-associate-exam/aws-shared-security-mode-and-gdpr-amazon-web-services/



AWS users share in the responsibility toward GDPR compliance

AWS data protection initiatives toward GDPR compliance are numerous and comprehensive, but AWS users still share in the responsibility. Realizing the growing complexity of securing hybrid and cloud-based environments, AWS has set up a GDPR Center to help guide IT System Admins in their quest for compliance, and AWS responsibility covers such areas as physical security and data center operations.

Furthermore, AWS complies with the Cloud Infrastructure Service Providers in Europe (CISPE) Code of Conduct. The rules of CISPE aid in ensuring that cloud providers have the data protection policies and controls in place to also be compliant with GDPR.

However, while AWS does much on its side to cover GDPR compliance issues, it also rests on organizations that are using AWS to share in the responsibility.

Note that compliance certifications granted to AWS cover only the AWS part of the shared responsibility. Where AWS users’ responsibility comes into play would include, for example, properly securing virtual networks and EC2 instances running within AWS.

An AWS presentation on GDPR states that “Customers are responsible for their security and compliance IN the cloud. AWS is responsible for the security OF the cloud.”

AWS attempts to segment services by region, but it’s quite possible to accidentally violate GDPR compliance due to some global services going across sovereign borders. DynamoDB and Amazon S3, for example, have cross-region replication features.

One of the handiest overviews that AWS has provided is this service capabilities chart for encryption, deletion, and monitoring of processing with regard to GDPR.

In its official presentation on GDPR (linked above), AWS recommends four key categories of GDPR Compliance Tools:

  • Data Access Control
  • Monitoring of Access Activities
  • Data Encryption
  • Strong Compliance Framework

The last category is certainly where Runecast Analyzer comes into play, taking away the all-around pains of a reactive approach.

Achieving a strong GDPR compliance framework for AWS

As with any standards, it can happen that even if you're doing your best to manually achieve security compliance, it’s not possible to keep track of all updates and changes in your environment – and to the standard – at the same time.
Runecast Analyzer (since v4.4.4.0 launched 11 September 2020) helps you do this proactively by automating checks against AWS best practices and GDPR compliance for AWS in your own environment, so you can ensure compliance without spending hours and days on manual checks.


Runecast Analyzer enables automated compliance checks according to both the AWS guide Navigating GDPR Compliance on AWS (October 2019) and GDPR Chapter 4 (Art. 24-43) Controller and Processor articles.

Runecast’s automated GDPR compliance checks for AWS enable a proactive approach to compliance, rather than firefighting only after a breach has been brought to light.




Get a free 14-day trial of Runecast

Try Runecast Analyzer’s secure, on-premises cloud transparency in your AWS environment free for 14 days.

Download Free Trial
About the Author | Jason Mashak

Jason heads the communications team at Runecast. Previously he served in roles that included sales, business development, and marketing in the security industry for both B2C and B2B firms. For numerous reasons, he very much prefers working for smaller companies. He has a Master’s in Education and enjoys playing guitar and time with his family. Find him on Twitter: @jasonmashak.