GDPR¶

The General Data Protection Regulation (GDPR) is a comprehensive data privacy law that regulates how personal data of individuals within the European Union can be collected, processed, and stored. Enforced since May 2018, GDPR applies to all organizations that process personal data of EU residents regardless of where the organization is located. Non-compliance can result in significant fines up to 4% of annual global turnover or EUR20 million, whichever is greater.

Terraform Registry Subdomain: gdpr¶

module "..." {
  source  = "gdpr.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

module "..." {
  source = "https://gdpr.compliance.tf/terraform-aws-modules/<module>/aws"
}

Refer to the Terraform Registry Endpoints section for more details.

Implemented Controls¶

The following controls are implemented as part of this framework.

• API Gateway stage cache encryption at rest should be enabled
• CloudFront distributions should require encryption in transit
• CloudTrail trails should be integrated with CloudWatch logs
• CloudTrail trail logs should be encrypted with KMS CMK
• CloudTrail trail log file validation should be enabled
• DynamoDB Accelerator (DAX) clusters should be encrypted at rest
• DynamoDB table should be encrypted with AWS KMS
• DynamoDB table should have encryption enabled
• Attached EBS volumes should have encryption enabled
• EBS volume encryption at rest should be enabled
• EFS file system encryption at rest should be enabled
• ELB application and classic load balancer logging should be enabled
• ELB application load balancers should be configured to drop HTTP headers
• Application Load Balancer should be configured to drop invalid http headers
• ES domain encryption at rest should be enabled
• Elasticsearch domain node-to-node encryption should be enabled
• Ensure IAM password policy requires a minimum length of 14 or greater
• Ensure IAM password policy requires at least one lowercase letter
• Ensure IAM password policy requires at least one number
• Ensure IAM password policy requires at least one symbol
• Ensure IAM password policy requires at least one uppercase letter
• Ensure IAM password policy prevents password reuse
• IAM password policies for users should have strong configurations
• Ensure IAM password policy expires passwords within 90 days or less
• KMS CMK rotation should be enabled
• Log group encryption at rest should be enabled
• RDS DB instance encryption at rest should be enabled
• Database logging should be enabled
• AWS Redshift clusters should have automatic snapshots enabled
• Redshift cluster encryption in transit should be enabled
• Redshift cluster audit logging and encryption should be enabled
• S3 bucket default encryption should be enabled
• S3 bucket default encryption should be enabled with KMS
• SageMaker endpoint configuration encryption should be enabled
• SageMaker notebook instance encryption should be enabled
• SNS topics should be encrypted at rest

Enable/Disable Controls¶

You can customize the Terraform module for the desired compliance requirements by enabling/disabling individual controls.

Examples¶

S3 bucket module with GDPR compliance framework controls enabled, and a couple of controls disabled¶

module "..." {
  source = "https://gdpr.compliance.tf/terraform-aws-modules/s3-bucket/aws?disable=apigateway_stage_cache_encryption_at_rest_enabled,cloudfront_distribution_encryption_in_transit_enabled"
}