Life Sciences

Amazon Web Services Navigating GDPR Compliance on AWS 19 Protecting your Data on AWS Article 32 of the GDPR requires that organizations must "implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including …the pseudonymisation and encryption of personal data…". In addition, organizations must safeguard against the unauthorized disclosure of or access to personal data. Encryption reduces the risks associated with the storage of personal data because data is unreadable without the correct key. A thorough encryption strategy can help mitigate the impact of various security events, including some security breaches. Encrypt Data at Rest Encrypting data at rest is vital for regulatory compliance and data protection. It helps to ensure that sensitive data saved on disks is not readable by any user or application without a valid key. AWS provides multiple options for encryption at rest and encryption key management. For example, you can use the AWS Encryption SDK with a customer master key (CMK) created and managed in AWS Key Management Service (AWS KMS) to encrypt arbitrary data. Encrypted data can be securely stored at rest and can be decrypted only by a party with authorized access to the CMK. As a result, you get confidential envelope-encrypted data, policy mechanisms for authorization and authenticated encryption, and audit logging through AWS CloudTrail. Some of the AWS foundation services have built-in encryption at rest features, providing the option to encrypt data before it is written to non-volatile storage. For example, you can encrypt Amazon Elastic Block Store (Amazon EBS) volumes and configure Amazon Simple Storage Service (Amazon S3) buckets for server-side encryption (SSE) using AES-256 encryption. Amazon Relational Database Service (Amazon RDS) also supports Transparent Data Encryption (TDE). Another method for encrypting data on Linux EC2 instance stores is using built-in Linux libraries. This method encrypts files transparently, which protects confidential data. As a result, applications that process the data are unaware of the disk-level encryption. You can use two methods to encrypt files on instance stores. The first method is disk encryption, in which the entire disk, or block within the disk, is encrypted using one or more encryption keys. Disk encryption operates below the file-system level, is operating-system agnostic, and hides directory and file information, such as name and

• Cover
• Abstract
• General Data Protection Regulation Overview
• Changes the GDPR Introduces to Organizations Operating in the EU
• AWS Preparation for the GDPR
• AWS Data Processing Addendum (DPA)
• The Role of AWS Under the GDPR
• AWS as a Data Processor
• AWS as a Data Controller
• Shared Security Responsibility Model
• Strong Compliance Framework and Security Standards
• AWS Compliance Program
• Cloud Computing Compliance Controls Catalog
• The CISPE Code of Conduct
• Data Access Controls
• AWS Identity and Access Management
• Temporary Access Tokens Through AWS STS
• Multi-Factor-Authentication
• Access to AWS Objects Resources
• Access to Operational & Configuration Data
• Geo-Restrictions
• Control Access to Web Applications and Mobile Apps
• Monitoring and Logging
• Manage and Configure Assets with AWS Config
• Compliance Auditing & Security Analytics with AWS CloudTrail
• Log Formats
• Centralized Security Management
• Protecting your Data on AWS
• Encrypt Data at Rest
• Encrypt Data in Transit
• Encryption Tools
• AWS Key Management Service
• AWS Service Integration
• Audit Capabilities
• Security
• AWS CloudHSM
• Integration with AWS Services and Third-Party Applications
• Audit Activities
• AWS Cryptographic Services and Tools
• Linux DM-Crypt Infrastructure
• Data Protection by Design & by Default
• How AWS Can Help
• Contributors
• Document Revisions