GDPR group of checks
toniblyx opened this issue · 1 comment
Based on this public document:
https://d1.awsstatic.com/whitepapers/compliance/GDPR_Compliance_on_AWS.pdf I have identified the checks below (some of them are more than a single check), and most of them are already implemented. I'm still thinking about the list; any help/feedback is more than welcome here:
Data Access Controls
- Fine-grained access to AWS objects in S3 buckets: extra718 and extra725
- Fine-grained access to SQS: extra727
- Fine-grained access to SNS: extra731
- Multi-Factor Authentication (MFA): check12, check113, check114, extra71
- API request authentication: this is about the AWS API; the entire IAM group1 may apply
- Geo-restrictions (CloudFront): extra732
- Temporary access tokens through STS: extra733, and probably a query to see if identity federation is configured?
Monitoring and Logging
- Asset management and configuration with AWS Config: check25, check39
- Compliance auditing and security analytics with AWS CloudTrail: check21, check22, check23, check24, check26, check27, check35
- Identification of configuration challenges through Trusted Advisor: extra726 (show TA errors and warnings)
- Server access logs: should this be instance logs? We can add service logs like extra714, extra715, extra717, extra719, extra720, extra721, extra722
- VPC Flow Logs: check43
- AWS Config Rules: check25 already
- Filtering and monitoring of HTTP access to applications with WAF functions in CloudFront: extra714 already
Protecting your Data on AWS
- Encryption of your data at rest with AES256, EBS: extra729
- Encryption of your data at rest with AES256, S3: extra734
- Encryption of your data at rest with AES256, RDS: extra735
- Centralized (by region) managed key management: extra736
- IPsec tunnels into AWS with VPN gateways. This is a security best practice, not an actual check.
- Dedicated HSM modules in the cloud with CloudHSM. This one may depend on each case; not an actual check.
Included in v2.0
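As an added illustration of what one item in the "Protecting your Data on AWS" list (encryption at rest for S3, the extra734 item) has to do in practice, the block below is an editor-written example, not Prowler's own code and not taken from the issue. It assumes the boto3 S3 client API (`list_buckets`, `get_bucket_encryption`) and the botocore error code `ServerSideEncryptionConfigurationNotFoundError`, which is how S3 signals that a bucket has no default encryption: the scanner must treat that specific error as a finding while re-raising anything else (an `AccessDenied` must never be reported as "encrypted" or "not encrypted"). The `FakeS3` client and its three buckets are constructed sample data so the example runs offline; `--live` swaps in a real boto3 client.

```python
"""Illustrative S3 default-encryption check (added example; not Prowler code).

Assumed APIs: boto3 s3 client list_buckets / get_bucket_encryption, and the
botocore error code ServerSideEncryptionConfigurationNotFoundError.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

NOT_FOUND = "ServerSideEncryptionConfigurationNotFoundError"


@dataclass
class BucketEncryption:
    bucket: str
    algorithm: Optional[str]   # "AES256", "aws:kms", or None when no default encryption is set
    kms_key_id: Optional[str]  # only present for SSE-KMS with an explicitly chosen key


def _aws_error_code(exc: Exception) -> Optional[str]:
    # botocore.exceptions.ClientError exposes the service error code at
    # exc.response["Error"]["Code"]; anything else yields None.
    response = getattr(exc, "response", None) or {}
    return response.get("Error", {}).get("Code")


def bucket_default_encryption(s3, bucket: str) -> BucketEncryption:
    """Read a bucket's default SSE setting. Absence arrives as an error, not an empty body."""
    try:
        resp = s3.get_bucket_encryption(Bucket=bucket)
    except Exception as exc:
        if _aws_error_code(exc) == NOT_FOUND:
            return BucketEncryption(bucket, None, None)
        raise  # AccessDenied, throttling, etc. must not be mistaken for a pass or a fail
    rules = resp.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault")
        if default:
            return BucketEncryption(bucket, default.get("SSEAlgorithm"), default.get("KMSMasterKeyID"))
    return BucketEncryption(bucket, None, None)


def audit_buckets(s3) -> List[Tuple[str, str, str]]:
    """One (bucket, PASS|FAIL, detail) row per bucket, the way a scanner report would list them."""
    rows = []
    for b in s3.list_buckets()["Buckets"]:
        enc = bucket_default_encryption(s3, b["Name"])
        if enc.algorithm is None:
            rows.append((enc.bucket, "FAIL", "no default server-side encryption"))
        elif enc.algorithm == "aws:kms":
            key = enc.kms_key_id or "aws/s3 (AWS managed key)"
            rows.append((enc.bucket, "PASS", "SSE-KMS with key " + key))
        else:
            rows.append((enc.bucket, "PASS", "SSE-" + enc.algorithm))
    return rows


# --- Constructed offline stand-in for boto3 so the example runs without AWS credentials ---
class FakeClientError(Exception):
    """Mimics the .response shape of botocore.exceptions.ClientError."""
    def __init__(self, code: str):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeS3:
    """Three constructed buckets: SSE-S3, SSE-KMS with a customer key, and one with no default encryption."""
    _config = {
        "logs-aes": {"SSEAlgorithm": "AES256"},
        "pii-kms": {"SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": "arn:aws:kms:eu-west-1:111122223333:key/example-key-id"},
    }

    def list_buckets(self):
        return {"Buckets": [{"Name": n} for n in ("logs-aes", "pii-kms", "legacy-plain")]}

    def get_bucket_encryption(self, Bucket):
        if Bucket not in self._config:
            raise FakeClientError(NOT_FOUND)
        return {"ServerSideEncryptionConfiguration": {
            "Rules": [{"ApplyServerSideEncryptionByDefault": self._config[Bucket]}]}}


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        import boto3  # only needed against a real account
        client = boto3.client("s3")
    else:
        client = FakeS3()
    for bucket, status, detail in audit_buckets(client):
        print(f"{status:4} {bucket}: {detail}")
```

Run it with no arguments to see the three constructed results; the third bucket fails because the API returned the not-found error rather than a configuration. Note that a default-encryption setting is only half of the extra734 idea: a bucket policy that denies `PutObject` without `x-amz-server-side-encryption` is another way to enforce encryption, and a stricter version of this check would also inspect `get_bucket_policy`.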