GDPR 2016 - AWS Audit Manager

What is the GDPR?Using this framework Next steps Additional resources

AWS Audit Manager provides a prebuilt standard framework that supports the General Data Protection Regulation (GDPR) 2016.

This framework contains only manual controls. These manual controls don't collect evidence automatically. However, if you want to automate evidence collection for some controls under GDPR, you can use the custom control feature in Audit Manager. For more information, see Using this framework.

The GDPR is a European privacy law that became enforceable on May 25, 2018. The GDPR replaces the EU Data Protection Directive, also known as Directive 95/46/EC. It's intended to harmonize data protection laws throughout the European Union (EU). It does this by applying a single data protection law that's binding throughout each EU member state.

The GDPR applies to all organizations that are established in the EU and to organizations (no matter whether they were established in the EU) that process the personal data of EU data subjects in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behavior that takes place within the EU. Personal data is any information that relates to an identified or identifiable natural person.

You can find the GDPR framework in the framework library page of Audit Manager. For more information, see the General Data Protection Regulation (GDPR) Center.

You can use the GDPR 2016 framework in Audit Manager to help you prepare for audits.

The framework details are as follows:

Framework name in AWS Audit Manager	Number of automated controls	Number of manual controls	Number of control sets
General Data Protection Regulation (GDPR) 2016	0	378	10

This standard framework contains manual controls only.

Note

If you want to automate evidence collection for GDPR, you can use Audit Manager to create your own custom controls for GDPR. The following table provides recommendations on the AWS data sources that you can map to GDPR requirements in your custom controls. Although some of the following data sources are mapped to multiple controls, keep in mind that you're charged only once for each resource assessment.

The following recommendations use AWS Config and AWS Security Hub as data sources. To successfully collect evidence from these data sources, make sure that you followed the instructions to enable and set up AWS Config and AWS Security Hub in your AWS account. After you've set up both services in this way, Audit Manager collects evidence each time an evaluation occurs for the specified AWS Config rule or Security Hub control.

Control name	Control set	Recommended control data source mapping
Article 25 Data protection by design and by default.1	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show all root account events over term AWS CloudTrail bucket not public Show all policies with an `Allow::` and list all principals and services using those policies When you set up the control data sources, we recommend that you include all of the following as data sources: Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings: IAM_ROOT_ACCESS_KEY_CHECK ROOT_ACCOUNT_MFA_ENABLED ROOT_ACCOUNT_HARDWARE_MFA_ENABLED VPC_FLOW_LOGS_ENABLED ACCESS_KEYS_ROTATED IAM_PASSWORD_POLICY Choose AWS Security Hub as the data source type, and select the following Security Hub controls as data source mappings: 1.1 (CloudWatch.1) 1.1 (IAM.20) 1.10 (IAM.16) 1.11 (IAM.17) 1.12 (IAM.4) 1.13 (IAM.9) 1.14 (IAM.6) 1.16 (IAM.2) 1.2 (IAM.5 1.20 (IAM.18) 1.22 (IAM.1 1.3 (IAM.8) 1.4 (IAM.3) 1.5 (IAM.11) 1.6 (IAM.12) 1.7 (IAM.13) 1.8 (IAM.14) 1.9 (IAM.15) 2.1 (CloudTrail.1) 2.2 (CloudTrail.4) 2.3 (CloudTrail.6) 2.4 (CloudTrail.5) 2.5 (Config.1) 2.6 (CloudTrail.7) 2.7 (CloudTrail.2) 2.8 (KMS.4) 2.9 (EC2.6) 3.1 (CloudWatch.2) 3.10 (CloudWatch.10) 3.11 (CloudWatch.11) 3.12 (CloudWatch.12) 3.13 (CloudWatch.13) 3.14 (CloudWatch.14) Config.1
Article 25 Data protection by design and by default.2	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show all root account events over term AWS CloudTrail bucket not public Show all policies with an `Allow::` and list all principals and services using those policies When you set up the control data sources, we recommend that you include all of the following as data sources: Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings: IAM_ROOT_ACCESS_KEY_CHECK ROOT_ACCOUNT_MFA_ENABLED ROOT_ACCOUNT_HARDWARE_MFA_ENABLED VPC_FLOW_LOGS_ENABLED ACCESS_KEYS_ROTATED IAM_PASSWORD_POLICY Choose AWS Security Hub as the data source type, and select the following Security Hub controls as data source mappings: 1.1 (CloudWatch.1) 1.1 (IAM.20) 1.10 (IAM.16) 1.11 (IAM.17) 1.12 (IAM.4) 1.13 (IAM.9) 1.14 (IAM.6) 1.16 (IAM.2) 1.2 (IAM.5 1.20 (IAM.18) 1.22 (IAM.1 1.3 (IAM.8) 1.4 (IAM.3) 1.5 (IAM.11) 1.6 (IAM.12) 1.7 (IAM.13) 1.8 (IAM.14) 1.9 (IAM.15) 2.1 (CloudTrail.1) 2.2 (CloudTrail.4) 2.3 (CloudTrail.6) 2.4 (CloudTrail.5) 2.5 (Config.1) 2.6 (CloudTrail.7) 2.7 (CloudTrail.2) 2.8 (KMS.4) 2.9 (EC2.6) 3.1 (CloudWatch.2) 3.10 (CloudWatch.10) 3.11 (CloudWatch.11) 3.12 (CloudWatch.12) 3.13 (CloudWatch.13) 3.14 (CloudWatch.14) Config.1
Article 25 Data protection by design and by default.3	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show all root account events over term AWS CloudTrail bucket not public Show all policies with an `Allow::` and list all principals and services using those policies When you set up the control data sources, we recommend that you include all of the following as data sources: Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings: IAM_ROOT_ACCESS_KEY_CHECK ROOT_ACCOUNT_MFA_ENABLED ROOT_ACCOUNT_HARDWARE_MFA_ENABLED VPC_FLOW_LOGS_ENABLED ACCESS_KEYS_ROTATED IAM_PASSWORD_POLICY Choose AWS Security Hub as the data source type, and select the following Security Hub controls as data source mappings: 1.1 (CloudWatch.1) 1.1 (IAM.20) 1.10 (IAM.16) 1.11 (IAM.17) 1.12 (IAM.4) 1.13 (IAM.9) 1.14 (IAM.6) 1.16 (IAM.2) 1.2 (IAM.5 1.20 (IAM.18) 1.22 (IAM.1 1.3 (IAM.8) 1.4 (IAM.3) 1.5 (IAM.11) 1.6 (IAM.12) 1.7 (IAM.13) 1.8 (IAM.14) 1.9 (IAM.15) 2.1 (CloudTrail.1) 2.2 (CloudTrail.4) 2.3 (CloudTrail.6) 2.4 (CloudTrail.5) 2.5 (Config.1) 2.6 (CloudTrail.7) 2.7 (CloudTrail.2) 2.8 (KMS.4) 2.9 (EC2.6) 3.1 (CloudWatch.2) 3.10 (CloudWatch.10) 3.11 (CloudWatch.11) 3.12 (CloudWatch.12) 3.13 (CloudWatch.13) 3.14 (CloudWatch.14) Config.1
Article 30 Records of processing activities.1	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show all root account events over term When you set up the control data sources, we recommend that you include all of the following as data sources: Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings: CLOUD_TRAIL_ENCRYPTION_ENABLED CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED VPC_FLOW_LOGS_ENABLED CMK_BACKING_KEY_ROTATION_ENABLED CLOUD_TRAIL_ENABLED ELB_LOGGING_ENABLED CLOUDTRAIL_SECURITY_TRAIL_ENABLED REDSHIFT_CLUSTER_CONFIGURATION_CHECK CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED Choose AWS Security Hub as the data source type, and select the following Security Hub control as a data source mapping: Config.1
Article 30 Records of processing activities.2	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show all root account events over term When you set up the control data sources, we recommend that you include all of the following as data sources: Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings: CLOUD_TRAIL_ENCRYPTION_ENABLED CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED VPC_FLOW_LOGS_ENABLED CMK_BACKING_KEY_ROTATION_ENABLED CLOUD_TRAIL_ENABLED ELB_LOGGING_ENABLED CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED Choose AWS Security Hub as the data source type, and select the following Security Hub control as a data source mapping: Config.1
Article 30 Records of processing activities.3	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show all root account events over term AWS CloudTrail bucket not public Show all policies with an `Allow::` and list all principals and services using those policies When you set up the control data sources, we recommend that you include all of the following as data sources: Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings: CLOUD_TRAIL_ENCRYPTION_ENABLED CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED VPC_FLOW_LOGS_ENABLED CMK_BACKING_KEY_ROTATION_ENABLED CLOUD_TRAIL_ENABLED ELB_LOGGING_ENABLED CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED Choose AWS Security Hub as the data source type, and select the following Security Hub control as a data source mapping: Config.1
Article 30 Records of processing activities.4	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show all root account events over term AWS CloudTrail bucket not public Show all policies with an `Allow::` and list all principals and services using those policies When you set up the control data sources, we recommend that you include all of the following as data sources: Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings: CLOUD_TRAIL_ENCRYPTION_ENABLED CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED VPC_FLOW_LOGS_ENABLED CMK_BACKING_KEY_ROTATION_ENABLED CLOUD_TRAIL_ENABLED ELB_LOGGING_ENABLED CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED Choose AWS Security Hub as the data source type, and select the following Security Hub control as a data source mapping: Config.1
Article 30 Records of processing activities.5	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show all root account events over term When you set up the control data sources, we recommend that you include all of the following as data sources: Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings: CLOUD_TRAIL_ENCRYPTION_ENABLED CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED VPC_FLOW_LOGS_ENABLED CMK_BACKING_KEY_ROTATION_ENABLED CLOUD_TRAIL_ENABLED ELB_LOGGING_ENABLED CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED Choose AWS Security Hub as the data source type, and select the following Security Hub control as a data source mapping: Config.1
Article 32 Security of processing.1	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show data at rest encryption for all services Show data in transit encryption for all services MFA Delete enabled for Amazon S3 All Amazon Inspector scans Show all instances that are not Amazon Inspector enabled Show all load balancers that are listening on HTTPS (SSL) AWS CloudTrail encrypted at rest Amazon CloudWatch alerts for AWS Config displaying all changes and all commented settings All root activity When you set up the control data sources, we recommend that you include all of the following as data sources: Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED S3_BUCKET_SSL_REQUESTS_ONLY CLOUD_TRAIL_ENCRYPTION_ENABLED CLOUDWATCH_LOG_GROUP_ENCRYPTED EFS_ENCRYPTED_CHECK ELASTICSEARCH_ENCRYPTED_AT_REST ENCRYPTED_VOLUMES RDS_STORAGE_ENCRYPTED REDSHIFT_CLUSTER_CONFIGURATION_CHECK S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED SNS_ENCRYPTED_KMS EC2_EBS_ENCRYPTION_BY_DEFAULT DYNAMODB_TABLE_ENCRYPTED_KMS DYNAMODB_TABLE_ENCRYPTION_ENABLED RDS_SNAPSHOT_ENCRYPTED S3_DEFAULT_ENCRYPTION_KMS DAX_ENCRYPTION_ENABLED EKS_SECRETS_ENCRYPTED RDS_LOGGING_ENABLED REDSHIFT_BACKUP_ENABLED RDS_IN_BACKUP_PLAN WAF_CLASSIC_LOGGING_ENABLED WAFV2_LOGGING_ENABLED ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK ELB_ACM_CERTIFICATE_REQUIRED ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK REDSHIFT_REQUIRE_TLS_SSL CLOUDFRONT_VIEWER_POLICY_HTTPS ALB_HTTP_DROP_INVALID_HEADER_ENABLED ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK ELB_TLS_HTTPS_LISTENERS_ONLY ACM_CERTIFICATE_EXPIRATION_CHECK API_GW_CACHE_ENABLED_AND_ENCRYPTED
Article 32 Security of processing.2	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show data at rest encryption for all services Show data in transit encryption for all services MFA Delete enabled for Amazon S3 All Amazon Inspector scans Show all instances that aren't Amazon Inspector enabled Show all load balancers that are listening on HTTPS (SSL) AWS CloudTrail encrypted at rest Amazon CloudWatch alerts for AWS Config displaying all changes and all commented settings All root activity When you set up the control data sources, we recommend that you include all of the following as data sources: Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED S3_BUCKET_SSL_REQUESTS_ONLY CLOUD_TRAIL_ENCRYPTION_ENABLED CLOUDWATCH_LOG_GROUP_ENCRYPTED EFS_ENCRYPTED_CHECK ELASTICSEARCH_ENCRYPTED_AT_REST ENCRYPTED_VOLUMES RDS_STORAGE_ENCRYPTED REDSHIFT_CLUSTER_CONFIGURATION_CHECK S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED SNS_ENCRYPTED_KMS EC2_EBS_ENCRYPTION_BY_DEFAULT DYNAMODB_TABLE_ENCRYPTED_KMS DYNAMODB_TABLE_ENCRYPTION_ENABLED RDS_SNAPSHOT_ENCRYPTED S3_DEFAULT_ENCRYPTION_KMS DAX_ENCRYPTION_ENABLED EKS_SECRETS_ENCRYPTED RDS_LOGGING_ENABLED REDSHIFT_BACKUP_ENABLED RDS_IN_BACKUP_PLAN WAF_CLASSIC_LOGGING_ENABLED WAFV2_LOGGING_ENABLED ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK ELB_ACM_CERTIFICATE_REQUIRED ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK REDSHIFT_REQUIRE_TLS_SSL CLOUDFRONT_VIEWER_POLICY_HTTPS ALB_HTTP_DROP_INVALID_HEADER_ENABLED ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK ELB_TLS_HTTPS_LISTENERS_ONLY ACM_CERTIFICATE_EXPIRATION_CHECK API_GW_CACHE_ENABLED_AND_ENCRYPTED
Article 32 Security of processing.3	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show data at rest encryption for all services Show data in transit encryption for all services MFA Delete enabled for Amazon S3 All Amazon Inspector scans Show all instances that aren't Amazon Inspector enabled Show all load balancers that are listening on HTTPS (SSL) AWS CloudTrail encrypted at rest Amazon CloudWatch alerts for AWS Config displaying all changes and all commented settings All root activity When you set up the control data sources, we recommend that you include all of the following as data sources: Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED S3_BUCKET_SSL_REQUESTS_ONLY CLOUD_TRAIL_ENCRYPTION_ENABLED CLOUDWATCH_LOG_GROUP_ENCRYPTED EFS_ENCRYPTED_CHECK ELASTICSEARCH_ENCRYPTED_AT_REST ENCRYPTED_VOLUMES RDS_STORAGE_ENCRYPTED REDSHIFT_CLUSTER_CONFIGURATION_CHECK S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED SNS_ENCRYPTED_KMS EC2_EBS_ENCRYPTION_BY_DEFAULT DYNAMODB_TABLE_ENCRYPTED_KMS DYNAMODB_TABLE_ENCRYPTION_ENABLED RDS_SNAPSHOT_ENCRYPTED S3_DEFAULT_ENCRYPTION_KMS DAX_ENCRYPTION_ENABLED EKS_SECRETS_ENCRYPTED RDS_LOGGING_ENABLED REDSHIFT_BACKUP_ENABLED RDS_IN_BACKUP_PLAN WAF_CLASSIC_LOGGING_ENABLED WAFV2_LOGGING_ENABLED ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK ELB_ACM_CERTIFICATE_REQUIRED ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK REDSHIFT_REQUIRE_TLS_SSL CLOUDFRONT_VIEWER_POLICY_HTTPS ALB_HTTP_DROP_INVALID_HEADER_ENABLED ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK ELB_TLS_HTTPS_LISTENERS_ONLY ACM_CERTIFICATE_EXPIRATION_CHECK API_GW_CACHE_ENABLED_AND_ENCRYPTED
Article 32 Security of processing.4	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show data at rest encryption for all services Show data in transit encryption for all services MFA Delete enabled for Amazon S3 All Amazon Inspector scans Show all instances that aren't Amazon Inspector enabled Show all load balancers that are listening on HTTPS (SSL) AWS CloudTrail encrypted at rest Amazon CloudWatch alerts for AWS Config displaying all changes and all commented settings All root activity When you set up the control data sources, we recommend that you include all of the following as data sources: Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED S3_BUCKET_SSL_REQUESTS_ONLY CLOUD_TRAIL_ENCRYPTION_ENABLED CLOUDWATCH_LOG_GROUP_ENCRYPTED EFS_ENCRYPTED_CHECK ELASTICSEARCH_ENCRYPTED_AT_REST ENCRYPTED_VOLUMES RDS_STORAGE_ENCRYPTED REDSHIFT_CLUSTER_CONFIGURATION_CHECK S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED SNS_ENCRYPTED_KMS EC2_EBS_ENCRYPTION_BY_DEFAULT DYNAMODB_TABLE_ENCRYPTED_KMS DYNAMODB_TABLE_ENCRYPTION_ENABLED RDS_SNAPSHOT_ENCRYPTED S3_DEFAULT_ENCRYPTION_KMS DAX_ENCRYPTION_ENABLED EKS_SECRETS_ENCRYPTED RDS_LOGGING_ENABLED REDSHIFT_BACKUP_ENABLED RDS_IN_BACKUP_PLAN WAF_CLASSIC_LOGGING_ENABLED WAFV2_LOGGING_ENABLED ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK ELB_ACM_CERTIFICATE_REQUIRED ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK REDSHIFT_REQUIRE_TLS_SSL CLOUDFRONT_VIEWER_POLICY_HTTPS ALB_HTTP_DROP_INVALID_HEADER_ENABLED ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK ELB_TLS_HTTPS_LISTENERS_ONLY ACM_CERTIFICATE_EXPIRATION_CHECK API_GW_CACHE_ENABLED_AND_ENCRYPTED

After you create your new custom controls for GDPR, you can add them to a custom GDPR framework. You can then create an assessment from the custom GDPR framework. This way, Audit Manager can collect evidence automatically for the custom controls that you added.

For instructions on how to view detailed information about this framework, including the list of standard controls that it contains, see Reviewing a framework in AWS Audit Manager.

For instructions on how to create an assessment using this framework, see Creating an assessment in AWS Audit Manager.

For instructions on how to customize this framework to support your specific requirements, see Making an editable copy of an existing framework in AWS Audit Manager.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

FedRAMP Security Baseline Controls r4

GLBA