AWS Privacy Reference Architecture (AWS PRA) - AWS Prescriptive Guidance



The AWS SRA focuses primarily on helping build your baseline security architecture on AWS across a multi-account environment. AWS also publishes additional security reference architectures, such as the AWS Privacy Reference Architecture (AWS PRA), that are customized for specific application types or help meet regulatory or compliance requirements.

Applications that process personal data must support broad privacy compliance requirements such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), or the Brazilian General Data Protection Law (LGPD). If you run such an application on AWS, you need to make decisions about people, processes, and technology design to preserve privacy. The AWS PRA provides a set of guidelines that are specific to the design and configuration of privacy controls in AWS services. These controls include capabilities for data minimization, encryption, and pseudonymization. The AWS PRA also describes controls that help preserve privacy when sharing and processing data. The AWS PRA guide helps you start designing and building a foundation that supports privacy in the AWS Cloud. It includes key considerations, best practices, overviews of privacy-related AWS services and features, and configuration examples.

AWS PRA is built on the baseline security architecture provided by the AWS SRA design guidance. To establish privacy controls, the AWS PRA uses many of the same key AWS services as the AWS SRA and assumes many of the same foundational guidelines and the same account structure that are described in the AWS SRA. We recommend that you review the AWS SRA design guidance before reviewing the AWS PRA.