compliance.tf
Compliance FrameworksCore Frameworks

GDPR

Best for: Any organization that processes personal data of EU/EEA residents, regardless of where it is headquartered. A US SaaS company serving EU customers or tracking EU visitor behavior via web analytics falls in scope. Controllers and processors both carry direct liability. No revenue threshold applies, though limited SME derogations exist: Article 30 record-keeping requirements are relaxed for organizations with fewer than 250 employees in specific cases.

Mandatory?Mandatory for any org processing EU/EEA personal data
Who validates?DPA enforcement; no formal certification scheme
RenewalOngoing compliance; no fixed audit cycle
ScopeAny personal data of EU/EEA individuals, regardless of org location

๐Ÿ› European Parliament and Council of the European Union (publisher of Regulation (EU) 2016/679). Consistency guidance is provided by the European Data Protection Board (EDPB), and enforcement is carried out by each EU/EEA Supervisory Authority (e.g., CNIL in France, and BfDI plus regional DPAs in Germany). ยท GDPR (EU 2016/679) Official source โ†’

Get Started

module "..." {
  source  = "gdpr.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

What Compliance.tf automates

  • Encryption at Rest: Runs controls checking DynamoDB, DAX, API Gateway cache, and CloudTrail log encryption configuration. Validates that KMS CMKs are used rather than default AWS-managed keys where applicable (dynamodb_table_encrypted_with_kms, dax_cluster_encryption_at_rest_enabled, cloudtrail_trail_logs_encrypted_with_kms_cmk).
  • Encryption in Transit: Checks CloudFront distribution viewer protocol policies for HTTPS enforcement and flags ACM certificates expiring within 30 days (cloudfront_distribution_encryption_in_transit_enabled, acm_certificate_expires_30_days).
  • Audit Trail Completeness: Validates CloudTrail is enabled across all regions with read/write events, S3 data events, CloudWatch integration, and log file validation. Covers 10 CloudTrail-related controls that collectively verify a complete audit trail exists.
  • Configuration Monitoring: AWS Config enablement and log delivery are validated across all regions (config_enabled_all_regions, config_configuration_recorder_no_failed_deliver_logs).
  • Storage Access Controls: Verifies that the CloudTrail S3 bucket is not publicly accessible and that S3 bucket access logging is enabled for CloudTrail destinations (cloudtrail_bucket_not_public, cloudtrail_s3_logging_enabled).

What you handle

  • Encryption at Rest: Defining and documenting a key management policy per Article 32. Managing KMS key rotation schedules, key access policies, and cross-account key sharing. Mapping which encryption keys protect which categories of personal data for your Article 30 records of processing.
  • Encryption in Transit: Ensuring TLS is enforced at application layers not covered by these controls (e.g., internal microservice communication, database connections). Documenting minimum TLS version requirements. Managing certificate renewal automation and monitoring.
  • Audit Trail Completeness: Writing and testing breach detection rules based on these logs, and configuring the CloudWatch alarms and incident response workflows that consume them. The 72-hour notification window under Article 33 starts when you become aware of an incident, so detection latency matters. Log retention periods should reflect your supervisory authority's expectations.
  • Configuration Monitoring: Defining AWS Config rules specific to your personal data environment. Reviewing configuration change history during DPIA reviews. Integrating Config findings into your governance, risk, and compliance (GRC) platform.
  • Storage Access Controls: Applying least-privilege IAM policies for all S3 buckets containing personal data. Implementing S3 Object Lock or versioning to prevent unauthorized deletion. Documenting data retention and erasure procedures to meet Article 17 (right to erasure) obligations.

Controls by Category

Audit Logging and Monitoring (Articles 5(2), 30, 33) (3 controls)

GDPR Article 33 requires breach notification within 72 hours, which demands comprehensive logging to detect and investigate incidents. Auditors look for multi-region CloudTrail coverage with both read and write event logging, CloudWatch integration for real-time alerting, and log file validation to prove logs have not been tampered with. Organizations frequently miss S3 data-level event logging, which leaves object-level access to personal data unauditable.

CloudTrail trails should have at least one enabled trail present in a regionCloudTrail trails should be integrated with CloudWatch logsCloudTrail trails should have log file validation enabled

Encryption at Rest (Article 32 - Security of Processing) (5 controls)

Auditors verify that personal data stored in databases, caches, and log archives is encrypted using customer-managed keys where feasible. Evidence includes KMS key policies, encryption configuration screenshots from the AWS console or CLI output, and documentation showing key ownership. A common finding is DAX or DynamoDB tables using default AWS-owned keys rather than CMKs, which limits the organization's control over key lifecycle and access auditing.

DynamoDB Accelerator (DAX) clusters should be encrypted at restDynamoDB tables should have AWS KMS encryption enabledcompliance.tf moduleDynamoDB tables should have encryption enabledcompliance.tf moduleAPI Gateway stages should have cache encryption at rest enabledCloudTrail trails should have logs encrypted using a customer managed KMS key

Encryption in Transit (Article 32 - Security of Processing) (1 control)

Assessors check that data transmitted over networks is protected via TLS. For CloudFront, this means viewer protocol policies enforce HTTPS. Expired or soon-to-expire ACM certificates get flagged because a lapsed certificate can cause service disruptions that push traffic to unencrypted fallback paths. Evidence includes CloudFront distribution configs and ACM certificate expiry dates.

CloudFront distributions should require encryption in transitcompliance.tf module
Additional Controls (43)

AWS IAM (9)

IAM password policies should have minimum length set to 14 or greaterIAM password policies should require at least one lowercase letterIAM password policies should require at least one numberIAM password policies should require at least one symbolIAM password policies should require at least one uppercase letterIAM password policies should prevent password reuseIAM password policies should have strong configurations with minimum length of 8 or greaterIAM password policies should have strong configurationsIAM password policies should expire passwords within 90 days or less

AWS KMS (1)

KMS CMK rotation should be enabledcompliance.tf module

Amazon CloudWatch Logs (1)

Log groups should have encryption at rest enabledcompliance.tf module

Amazon EBS (2)

Attached EBS volumes should have encryption enabledcompliance.tf moduleEBS volumes should have encryption at rest enabledcompliance.tf module

Amazon EFS (2)

EFS file systems should have encryption at rest enabledcompliance.tf moduleEFS file systems should be encrypted with CMKcompliance.tf module

Amazon OpenSearch Service (2)

OpenSearch domains should have encryption at rest enabledcompliance.tf moduleOpenSearch domains node-to-node encryption should be enabledcompliance.tf module

Amazon RDS (8)

RDS DB instance backup should be enabledcompliance.tf moduleRDS DB instances backup retention period should be greater than or equal to 7compliance.tf moduleRDS DB instances should be integrated with CloudWatch logscompliance.tf moduleRDS DB instance encryption at rest should be enabledcompliance.tf moduleRDS DB instances should have logging enabledcompliance.tf moduleRDS for MariaDB DB instances should publish logs to CloudWatch Logscompliance.tf moduleRDS for PostgreSQL DB instances should publish logs to CloudWatch Logscompliance.tf moduleRDS for SQL Server DB instances should publish logs to CloudWatch Logscompliance.tf module

Amazon Redshift (5)

Redshift clusters should have audit logging enabledcompliance.tf moduleRedshift clusters should have automatic snapshots enabledcompliance.tf moduleRedshift cluster encryption in transit should be enabledcompliance.tf moduleRedshift clusters should have audit logging and encryption enabledcompliance.tf moduleRedshift clusters should have required maintenance settingscompliance.tf module

Amazon S3 (3)

S3 buckets should have default encryption enabledcompliance.tf moduleS3 buckets should have default encryption enabled using KMScompliance.tf moduleS3 buckets should have object logging enabled

Amazon SNS (1)

SNS topics should be encrypted at restcompliance.tf module

Amazon SageMaker (3)

SageMaker endpoint configuration encryption should be enabledSageMaker notebook instances should be encrypted using CMKSageMaker notebook instance encryption should be enabled

Elastic Load Balancing (4)

ELB application and classic load balancer logging should be enabledcompliance.tf moduleELB application load balancers should be configured to drop HTTP headerscompliance.tf moduleELB application load balancers should drop invalid HTTP headerscompliance.tf moduleELB application and network load balancer listeners should use secure protocolscompliance.tf module

Other (2)

ES domain encryption at rest should be enabledElasticsearch domain node-to-node encryption should be enabled

Related Frameworks

NIST 800-53 Rev 5 โ€” ๐ŸŸก Medium overlap (55%)

NIST 800-53 Rev 5 covers many of the same technical controls (encryption, logging, access control) but is structured around a federal information systems context. GDPR's emphasis on data subject rights (consent, erasure, portability) has no direct NIST equivalent. The security-of-processing controls in GDPR Article 32 map well to NIST's SC and AU control families.

SOC 2 โ€” ๐ŸŸก Medium overlap (45%)

SOC 2 Trust Services Criteria for Security and Confidentiality partially overlaps with GDPR Articles 5(1)(f) and 32. SOC 2 does not address data subject rights, lawful basis for processing, or cross-border transfer mechanisms. Organizations often pursue both, using SOC 2 to satisfy customer due diligence and GDPR to satisfy regulatory obligations.

ISO 27001 โ€” ๐ŸŸข High overlap (60%)

ISO 27001 Annex A controls map closely to GDPR Article 32 technical measures. ISO 27701 extends 27001 specifically for privacy management and maps directly to GDPR obligations. An existing ISO 27001 certification covers a significant portion of GDPR's security requirements but leaves gaps around lawful basis, consent management, and data subject access requests.

Frequently Asked Questions

Does GDPR apply to my company if we have no offices in the EU?
Yes, if you process personal data of individuals in the EU. Article 3(2) extends GDPR's reach to any organization offering goods or services to EU residents or monitoring their behavior, regardless of where the organization is established. A US company running a website that accepts EU customers or uses analytics tracking on EU visitors falls in scope.
What does GDPR compliance certification look like? Is there a formal audit like SOC 2?
There is no single formal certification audit. Article 42 allows for approved certification mechanisms (such as EuroPriSe or CNIL's certification), but these are voluntary and narrow in scope. Most organizations demonstrate compliance through a combination of internal audits, Data Protection Impact Assessments (Article 35), maintained records of processing (Article 30), and documented technical and organizational measures. Supervisory authorities can request evidence of these at any time.
How do these AWS infrastructure controls relate to GDPR requirements?
GDPR Article 32 requires 'appropriate technical and organisational measures' including encryption of personal data and the ability to ensure ongoing confidentiality, integrity, and availability of processing systems. The controls mapped here cover encryption at rest and in transit, audit logging, and configuration monitoring: the infrastructure security layer. They do not cover GDPR's legal and procedural requirements: lawful basis for processing (Article 6), consent management (Article 7), data subject rights (Articles 15 through 22), Data Protection Officer appointment (Article 37), or cross-border transfer mechanisms (Chapter V).
What are the actual fine amounts and how are they calculated?
Article 83 defines two tiers. Tier 1 violations (e.g., failing to maintain records of processing) carry fines up to EUR 10 million or 2% of annual global turnover, whichever is higher. Tier 2 violations (e.g., violating data subject rights or transfer rules) carry fines up to EUR 20 million or 4% of annual global turnover. Supervisory authorities consider factors including the nature and severity of the infringement, whether it was intentional, mitigation steps taken, and prior history. In practice, fines have ranged from a few thousand euros for small companies to EUR 1.2 billion (Meta, 2023, by the Irish DPC for unlawful data transfers).
How long does it take to implement GDPR compliance from scratch?
It depends on the organization's size, data processing complexity, and existing security posture. A small SaaS company with a modern AWS setup and existing SOC 2 controls might need 3 to 6 months to address the legal and procedural gaps (privacy notices, DPIA process, data subject request workflows, vendor DPAs). A large enterprise with legacy systems and complex data flows across multiple jurisdictions can take 12 to 18 months. The infrastructure controls checked by compliance.tf can be remediated in days to weeks; the legal, organizational, and process requirements take considerably longer.

ISO/IEC 27001:2022

Previous Page

NIS2 Directive (EU 2022/2555)

Next Page

On this page

Get StartedWhat Compliance.tf Covers vs. What You HandleControls by CategoryAudit Logging and Monitoring (Articles 5(2), 30, 33) (3)Encryption at Rest (Article 32 - Security of Processing) (5)Encryption in Transit (Article 32 - Security of Processing) (1)Related FrameworksFrequently Asked Questions

Ask AI about this

Help improve this page