
EU GMP Annex 11

Best for: Pharmaceutical manufacturers, CMOs, and CROs operating computerized systems in EU GMP-regulated facilities. If you manufacture medicinal products for the EU market, or export finished products or APIs to EU member states, Annex 11 applies to every computerized system involved in manufacturing, quality control, and batch release. No company size or revenue threshold applies.

Mandatory?: Mandatory for pharmaceutical manufacturers in, or exporting to, the EU
Who validates?: National competent authority GMP inspection (coordinated by EMA) · No self-assessment
Renewal: No fixed cycle; tied to the GMP inspection schedule
Scope: Computerized systems in pharmaceutical manufacturing and QC

European Commission, published within EudraLex Volume 4 (EU Guidelines for Good Manufacturing Practice). Enforcement is carried out by national competent authorities (e.g., ANSM in France, the Länder GMP inspectorates coordinated by ZLG in Germany, and MHRA in the UK before Brexit) and coordinated through the European Medicines Agency (EMA). · EU GMP Annex 11 (2011). Official source: EudraLex Volume 4, Annex 11 (Computerised Systems).

Get Started

module "..." {
  source  = "eugmpannex11.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

  • What Compliance.tf automates

    • Audit Trail Completeness: Seven CloudTrail controls verify regional coverage, read/write event capture, S3 object-level logging, and security trail configuration. Together they map directly to the system-generated audit trail requirements in Annex 11 Section 9.
    • Encryption at Rest: Five controls check encryption on API Gateway caches, backup recovery points, CloudTrail log files, CodeBuild artifacts, and CodeBuild S3 logs, with KMS customer-managed key usage validated where applicable.
    • Encryption in Transit: Two controls confirm that CloudFront distributions enforce HTTPS to custom origins and do not negotiate deprecated protocol versions (SSLv3, TLS 1.0) with them.
    • Backup and Recovery: Three controls confirm that backup plans meet 35-day minimum retention, recovery points are not prematurely expired, and manual deletion of recovery points is disabled.
    • Configuration Management: Validates that AWS Config is enabled in all regions and that the configuration recorder delivers logs without failure.
  • What you handle

    • Audit Trail Completeness: Identify which S3 buckets contain GMP-relevant data. Write the audit trail review procedure, train QA staff on it, and document the scope rationale in your validation records.
    • Encryption at Rest: Key management procedures, rotation schedules, IAM-based key access restrictions, and a documented encryption strategy tied to your system risk assessment per Annex 11 Section 1.
    • Encryption in Transit: Application-layer communications, VPN tunnels, and data exchange interfaces with contract partners fall outside this benchmark. Document permitted cryptographic protocols in your system security policy.
    • Backup and Recovery: Periodic restoration testing and documentation per Section 7.2. Confirm retention periods match your product-specific requirements, which may exceed 35 days for products with long shelf lives. Maintain a business continuity plan per Section 16.
    • Configuration Management: Build a formal change control procedure per Section 10 that integrates AWS Config data into your change assessment process. Document configuration baselines for validated systems and complete impact assessments before changes are approved.

Controls by Category

Audit Trail (Section 9) (1 control)

Incomplete audit trail coverage is the most common Annex 11 finding in cloud environments. Section 9 expects, based on a risk assessment, a system-generated record of all GMP-relevant changes and deletions, capturing who changed what and when, and requires the reason for any change or deletion of GMP-relevant data to be documented; in practice inspectors also expect the old and new values to be recoverable. Missing S3 object-level logging or gaps in multi-region trail coverage leave no traceable history for GMP-critical data stores, which inspectors will flag as a direct deficiency.
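The check below is an added example, not Compliance.tf's own control code: it evaluates a set of CloudTrail trail descriptions against the three Section 9 gaps named above (regional coverage, read/write management events, object-level logging for GMP-relevant buckets) and adds the two integrity settings a log archive needs (log file validation, KMS encryption). The trail dicts and bucket names are constructed for the example and only mirror the field names boto3 returns from describe_trails and get_event_selectors; nothing is fetched from AWS.

```python
# Added example (not Compliance.tf or AWS code): evaluates CloudTrail trail
# configuration against the Annex 11 Section 9 expectations. Inputs are
# constructed dicts in the shape of boto3 describe_trails / get_event_selectors
# responses; no AWS calls are made.
from typing import Dict, List

# Constructed sample: a multi-region management trail and a single-region
# trail that logs S3 data events for one bucket only (hypothetical names).
TRAILS: List[Dict] = [
    {
        "Name": "org-trail",
        "IsMultiRegionTrail": True,
        "LogFileValidationEnabled": True,
        "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/example-key-id",
        "EventSelectors": [
            {"ReadWriteType": "All", "IncludeManagementEvents": True,
             "DataResources": []},
        ],
    },
    {
        "Name": "qc-data-trail",
        "IsMultiRegionTrail": False,
        "LogFileValidationEnabled": False,
        "KmsKeyId": None,
        "EventSelectors": [
            {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": False,
             "DataResources": [
                 {"Type": "AWS::S3::Object",
                  "Values": ["arn:aws:s3:::gmp-batch-records/"]},
             ]},
        ],
    },
]

# Buckets the regulated company has scoped as holding GMP-relevant data
# (hypothetical names; this scoping is the step the page leaves to you).
GMP_BUCKETS = ["gmp-batch-records", "gmp-qc-results"]


def _object_logging_covers(trail: Dict, bucket: str) -> bool:
    """True if an S3 object-level data event selector on this trail covers
    the bucket. A bare 'arn:aws:s3:::' value means every bucket in the account."""
    for selector in trail["EventSelectors"]:
        for resource in selector.get("DataResources", []):
            if resource["Type"] != "AWS::S3::Object":
                continue
            for value in resource["Values"]:
                if value == "arn:aws:s3:::" or value.startswith(f"arn:aws:s3:::{bucket}/"):
                    return True
    return False


def audit_trail_findings(trails: List[Dict], gmp_buckets: List[str]) -> List[str]:
    """Return one finding per gap; an empty list means no Section 9 gap was found."""
    findings = []

    # Regional coverage and read/write capture: at least one multi-region
    # trail must record both read and write management events.
    if not any(
        t["IsMultiRegionTrail"]
        and any(s["IncludeManagementEvents"] and s["ReadWriteType"] == "All"
                for s in t["EventSelectors"])
        for t in trails
    ):
        findings.append("no multi-region trail records read and write management events")

    # Trail integrity: log file validation gives a tamper-evident digest chain,
    # and a KMS key keeps the log archive under your own key policy.
    for t in trails:
        if not t.get("LogFileValidationEnabled"):
            findings.append(f"{t['Name']}: log file validation disabled")
        if not t.get("KmsKeyId"):
            findings.append(f"{t['Name']}: log files not encrypted with a KMS key")

    # Object-level logging for every GMP-relevant bucket; without it, changes
    # and deletions of batch or QC data leave no system-generated record.
    for bucket in gmp_buckets:
        if not any(_object_logging_covers(t, bucket) for t in trails):
            findings.append(f"bucket {bucket}: no S3 object-level data events logged")
    return findings


if __name__ == "__main__":
    for line in audit_trail_findings(TRAILS, GMP_BUCKETS):
        print("FINDING:", line)
```

Run against the sample, the single-region trail is flagged for both integrity settings and the second GMP bucket is flagged as unlogged; the batch-records bucket passes because its write-only data selector is enough for changes and deletions, which is what Section 9 is about.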

Data Integrity and Encryption at Rest (Sections 7.1, 7.2) (4 controls)

When examining cloud-hosted validated systems, inspectors will ask how stored data is protected and who controls the keys. Annex 11 does not mandate customer-managed keys, but a KMS customer-managed key gives you a key policy, a rotation record, and a CloudTrail usage history you can show; default service encryption leaves none of that under your control. Sections 7.1 and 7.2 require data to be secured against damage and checked for accessibility, readability and accuracy throughout the retention period, which extends to backups and log archives. Build artifacts and cached API responses are frequently overlooked gaps that surface during inspection.

Data Storage and Business Continuity (Sections 7.2, 16) (1 control)

Expect requests for backup retention policy documentation, restoration test records, and confirmation that backup data cannot be manually deleted or tampered with. Section 7.2 requires regular backups with integrity checks and restoration capability; Section 16 requires business continuity arrangements. A 35-day minimum retention aligns with typical batch review and release timelines, but validate this period against your own product lifecycle requirements.
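The check below is an added example, not Compliance.tf's own control code: it evaluates an AWS Backup plan and the vaults it targets against the points above (recovery points kept at least 35 days, no manual deletion possible), and carries the EU GMP Chapter 4 batch-record rule through so the same check can be re-run with a product-specific period. The plan and vault dicts are constructed for the example and only mirror the field names boto3 returns from get_backup_plan and describe_backup_vault; nothing is fetched from AWS.

```python
# Added example (not Compliance.tf or AWS code): checks an AWS Backup plan and
# its vaults against a retention floor and deletion protection, and computes
# the Chapter 4 batch-record retention period. Inputs are constructed dicts in
# the shape of boto3 get_backup_plan / describe_backup_vault output.
from typing import Dict, List

OPERATIONAL_MIN_DAYS = 35  # the benchmark's baseline for operational recovery

# Constructed sample: a daily rule into a locked vault and a weekly rule into
# an unlocked vault with a short lifecycle (hypothetical names).
PLAN: Dict = {
    "BackupPlanName": "gmp-systems",
    "Rules": [
        {"RuleName": "daily", "TargetBackupVaultName": "gmp-vault",
         "ScheduleExpression": "cron(0 2 * * ? *)",
         "Lifecycle": {"DeleteAfterDays": 35}},
        {"RuleName": "weekly-scratch", "TargetBackupVaultName": "scratch-vault",
         "ScheduleExpression": "cron(0 3 ? * SUN *)",
         "Lifecycle": {"DeleteAfterDays": 14}},
    ],
}
VAULTS: Dict[str, Dict] = {
    "gmp-vault": {"Locked": True, "MinRetentionDays": 35},
    "scratch-vault": {"Locked": False},
}


def batch_record_retention_days(shelf_life_days: int, days_to_certification: int = 0) -> int:
    """EU GMP Chapter 4: keep batch documentation one year after batch expiry or
    five years after QP certification, whichever is longer. Assumes the batch
    is certified `days_to_certification` days after manufacture (0 = same day)."""
    return max(shelf_life_days + 365, days_to_certification + 5 * 365)


def backup_findings(plan: Dict, vaults: Dict[str, Dict],
                    min_days: int = OPERATIONAL_MIN_DAYS) -> List[str]:
    """One finding per gap. A rule without a Lifecycle keeps recovery points
    until explicitly deleted, so it satisfies the retention floor on its own."""
    findings = []
    for rule in plan["Rules"]:
        lifecycle = rule.get("Lifecycle") or {}
        delete_after = lifecycle.get("DeleteAfterDays")
        if delete_after is not None and delete_after < min_days:
            findings.append(
                f"rule {rule['RuleName']}: recovery points expire after "
                f"{delete_after} days, below the {min_days}-day minimum")

        # Vault Lock is what stops an operator (or an attacker with backup
        # permissions) from deleting recovery points before they expire.
        vault_name = rule["TargetBackupVaultName"]
        vault = vaults.get(vault_name, {})
        if not vault.get("Locked"):
            findings.append(
                f"vault {vault_name}: no vault lock, recovery points can be deleted manually")
        elif vault.get("MinRetentionDays", 0) < min_days:
            findings.append(
                f"vault {vault_name}: lock MinRetentionDays "
                f"{vault['MinRetentionDays']} is below {min_days}")
    return findings


if __name__ == "__main__":
    for line in backup_findings(PLAN, VAULTS):
        print("FINDING:", line)
    # Re-run with the archival period for a product with a three-year shelf life.
    for line in backup_findings(PLAN, VAULTS, min_days=batch_record_retention_days(3 * 365)):
        print("ARCHIVAL FINDING:", line)
```

With the default floor only the weekly rule and its unlocked vault are flagged. Passing the Chapter 4 period for a three-year shelf life (five years, since that is longer than expiry plus one year) also flags the daily rule and the locked vault's 35-day minimum, which is the point of the FAQ below: the operational baseline and the archival requirement are different numbers.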

Monitoring and Incident Management (Section 13) (1 control)

The first thing an assessor checks here is whether alarms actually do something. Section 13 requires incident reporting, assessment, and root cause identification. A CloudWatch alarm with no configured action is invisible to your incident management process and provides no defensible evidence during inspection.
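The check below is an added example, not Compliance.tf's own control code: it classifies CloudWatch alarms by whether they can actually reach an incident process, distinguishing the three ways an alarm ends up invisible (no action, actions disabled, actions that only auto-remediate without notifying anyone). The alarm dicts, names and ARNs are constructed for the example and only mirror the field names boto3 returns in describe_alarms MetricAlarms; nothing is fetched from AWS.

```python
# Added example (not Compliance.tf or AWS code): finds CloudWatch alarms that
# cannot feed a Section 13 incident process. Inputs are constructed dicts in
# the shape of boto3 describe_alarms MetricAlarms; no AWS calls are made.
from typing import Dict, List

# Constructed sample alarms (hypothetical names and ARNs).
ALARMS: List[Dict] = [
    {"AlarmName": "mes-db-cpu", "ActionsEnabled": True,
     "AlarmActions": ["arn:aws:sns:eu-west-1:111122223333:gmp-incidents"]},
    {"AlarmName": "lims-disk-full", "ActionsEnabled": True,
     "AlarmActions": []},
    {"AlarmName": "batch-release-errors", "ActionsEnabled": False,
     "AlarmActions": ["arn:aws:sns:eu-west-1:111122223333:gmp-incidents"]},
    {"AlarmName": "worker-unhealthy", "ActionsEnabled": True,
     "AlarmActions": ["arn:aws:automate:eu-west-1:ec2:recover"]},
]

# Action targets that put a person or a ticket queue in the loop. An EC2
# recover action is a legitimate remediation, but on its own it leaves no
# reported, assessed incident behind, which is what Section 13 asks for.
NOTIFYING_PREFIXES = ("arn:aws:sns:",)


def classify_alarm(alarm: Dict) -> str:
    """Return 'ok' or the reason the alarm is invisible to incident management."""
    actions = alarm.get("AlarmActions", [])
    if not actions:
        return "no alarm action configured"
    if not alarm.get("ActionsEnabled", True):
        return "actions disabled"
    if not any(action.startswith(NOTIFYING_PREFIXES) for action in actions):
        return "actions exist but none notify the incident process"
    return "ok"


def alarm_findings(alarms: List[Dict]) -> List[str]:
    findings = []
    for alarm in alarms:
        reason = classify_alarm(alarm)
        if reason != "ok":
            findings.append(f"{alarm['AlarmName']}: {reason}")
    return findings


if __name__ == "__main__":
    for line in alarm_findings(ALARMS):
        print("FINDING:", line)
```

The "actions disabled" case is worth checking separately from "no action": DisableAlarmActions is a common way to silence an alarm during maintenance, and an alarm left in that state looks fully configured in the console while producing nothing.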

Additional Controls (40)

AWS Secrets Manager (1)

AWS Step Functions (1)

Amazon CloudWatch Logs (1)

Amazon DynamoDB (3)

Amazon DynamoDB Accelerator (1)

Amazon EBS (2)

Amazon EC2 (1)

Amazon EFS (2)

Amazon EKS (1)

Amazon ElastiCache (1)

Amazon Kinesis (1)

Amazon OpenSearch Service (3)

Amazon RDS (3)

Amazon Redshift (4)

Amazon S3 (8)

Amazon SNS (1)

Amazon SageMaker (3)

Elastic Load Balancing (2)

Other (1)

Frequently Asked Questions

Does Annex 11 apply to cloud-hosted systems, or only on-premise infrastructure?

Annex 11 applies to any computerized system used in GMP operations regardless of hosting model. Cloud-hosted systems (AWS, Azure, GCP) fall fully within scope. Section 3 (Suppliers and Service Providers) addresses this directly: 3.1 requires a formal agreement with any third party that provides, hosts, maintains or processes data for a computerized system, with clear statements of the third party's responsibilities; 3.2 makes supplier competence and reliability a selection criterion, with the need for an audit based on a risk assessment; and 3.4 requires quality system and audit information about suppliers to be made available to inspectors on request. In practice, your cloud landing zone configuration, encryption settings, and logging are all subject to inspection.

How does Annex 11 enforcement differ from a certification audit like ISO 27001?

There is no Annex 11 certification. Compliance is assessed during routine GMP inspections by national competent authorities. Inspectors review your computerized system inventory, validation documentation, audit trail configurations, and data integrity controls as part of the broader GMP inspection. Non-compliance findings are recorded as GMP deficiencies (critical, major, or other) and can lead to a statement of non-compliance published in EudraGMDP, refusal or withdrawal of the GMP certificate, suspension or restriction of the manufacturing authorisation, or product recalls.

What is the relationship between Annex 11 and GAMP 5?

Annex 11 is the regulatory requirement, part of EudraLex Volume 4 and given legal effect through the EU GMP Directive and national law. GAMP 5 (Good Automated Manufacturing Practice) is an industry guidance document published by ISPE that provides a risk-based approach to achieving compliance with Annex 11 and 21 CFR Part 11. It sorts software into categories (1, 3, 4, 5; category 2 was retired in GAMP 5) to scale validation effort proportionally. Inspectors and regulators reference GAMP 5 frequently, but it carries no legal force on its own.

How do the 20 AWS controls in this benchmark map to Annex 11 sections?

The controls map primarily to five Annex 11 sections. Section 9 (Audit Trails) is covered by CloudTrail controls. Sections 7.1 and 7.2 (Data Storage and Integrity) map to encryption-at-rest and backup controls. Section 12.1 (Security) maps to encryption-in-transit controls. Section 10 (Change and Configuration Management) maps to AWS Config controls. Section 13 (Incident Management) maps to CloudWatch alarm controls. These are infrastructure-level checks. Application-layer validation, SOPs, and user access management require separate assessment.

Is a 35-day backup retention period sufficient for Annex 11 compliance?

It depends on the data type and product lifecycle. Annex 11 Section 7.2 requires backups at regular intervals but does not prescribe a specific retention period. EU GMP Chapter 4 requires batch documentation to be retained for at least one year after expiry of the batch or at least five years after certification of the batch by the Qualified Person, whichever is longer, so five or more years is the norm. The 35-day minimum in these controls is a baseline for operational recovery, not a substitute for long-term archival retention. Define retention periods based on your own risk assessment and product portfolio.