Data Compliance on AWS
Master HIPAA, GDPR, SOC2 compliance and data governance frameworks.
Module: AWS Data Engineering • Topic 35 of 65 • Premium Content
Compliance Framework
Architecture Diagram
┌──────────────────────────────────────────────────────┐
│ COMPLIANCE FRAMEWORKS                                │
│                                                      │
│ ┌──────────────────────────────────────────────────┐ │
│ │ HIPAA (Healthcare)                               │ │
│ │ • PHI encryption at rest and in transit          │ │
│ │ • Access controls and audit trails               │ │
│ │ • BAA with AWS                                   │ │
│ │ • Use HIPAA-eligible services                    │ │
│ └──────────────────────────────────────────────────┘ │
│                                                      │
│ ┌──────────────────────────────────────────────────┐ │
│ │ GDPR (EU Privacy)                                │ │
│ │ • Data residency in EU                           │ │
│ │ • Right to erasure (forget)                      │ │
│ │ • Data portability                               │ │
│ │ • Consent management                             │ │
│ └──────────────────────────────────────────────────┘ │
│                                                      │
│ ┌──────────────────────────────────────────────────┐ │
│ │ SOC 2                                            │ │
│ │ • Security, Availability, Processing Integrity   │ │
│ │ • Confidentiality, Privacy                       │ │
│ │ • AWS compliance reports via Artifact            │ │
│ └──────────────────────────────────────────────────┘ │
│                                                      │
│ ┌──────────────────────────────────────────────────┐ │
│ │ PCI DSS (Payment Card)                           │ │
│ │ • Cardholder data encryption                     │ │
│ │ • Network segmentation                           │ │
│ │ • Regular security testing                       │ │
│ └──────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────┘
AWS Compliance Services
import boto3

# Enable AWS Config managed rules for continuous compliance monitoring.
# AWS Config must already be recording resources in this account and region,
# otherwise the rules have nothing to evaluate.
config = boto3.client('config')

# HIPAA: flag any RDS instance whose storage is not encrypted at rest
config.put_config_rule(
    ConfigRule={
        'ConfigRuleName': 'rds-encrypted',
        'Source': {
            'Owner': 'AWS',
            'SourceIdentifier': 'RDS_STORAGE_ENCRYPTED'
        }
    }
)

# GDPR: flag any S3 bucket that allows public read access
config.put_config_rule(
    ConfigRule={
        'ConfigRuleName': 's3-bucket-public-read-prohibited',
        'Source': {
            'Owner': 'AWS',
            'SourceIdentifier': 'S3_BUCKET_PUBLIC_READ_PROHIBITED'
        }
    }
)

# CloudTrail for the audit trail: one multi-region trail that also records
# global service events (IAM, STS). The target bucket must already exist and
# carry a bucket policy that lets cloudtrail.amazonaws.com write to it, or
# create_trail fails. For tamper evidence, consider also passing
# EnableLogFileValidation=True so CloudTrail writes signed digest files.
cloudtrail = boto3.client('cloudtrail')
cloudtrail.create_trail(
    Name='compliance-audit-trail',
    S3BucketName='audit-logs-bucket',
    IsMultiRegionTrail=True,
    IncludeGlobalServiceEvents=True
)
# A trail records nothing until logging is started explicitly
cloudtrail.start_logging(Name='compliance-audit-trail')
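The Config rules and CloudTrail settings above only report inside a live AWS account. As an added example (not the course's own code), the evaluator below applies the same checks to a constructed inventory, so the pass/fail logic can be run offline. The inventory field names mirror the boto3 describe_* responses, and the public-read test is a simplified reading of what S3_BUCKET_PUBLIC_READ_PROHIBITED evaluates; resource names, the Finding class and the check functions are assumptions of this example.

```python
# Added example: offline evaluator for the compliance checks discussed above.
# Not the course's code and makes no AWS calls.
from dataclasses import dataclass

# Constructed sample inventory: no real accounts, ARNs or buckets.
INVENTORY = {
    "rds_instances": [
        {"DBInstanceIdentifier": "phi-db-prod", "StorageEncrypted": True},
        {"DBInstanceIdentifier": "analytics-dev", "StorageEncrypted": False},
    ],
    "s3_buckets": [
        {"Name": "phi-exports",
         "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                               "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
         "AclGrantsPublicRead": False, "PolicyGrantsPublicRead": False},
        {"Name": "marketing-assets",
         "PublicAccessBlock": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                               "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
         "AclGrantsPublicRead": True, "PolicyGrantsPublicRead": False},
    ],
    "cloudtrail_trails": [
        {"Name": "compliance-audit-trail", "IsMultiRegionTrail": True,
         "IncludeGlobalServiceEvents": True, "IsLogging": True},
        {"Name": "legacy-trail", "IsMultiRegionTrail": False,
         "IncludeGlobalServiceEvents": True, "IsLogging": True},
    ],
}


@dataclass(frozen=True)
class Finding:
    rule: str
    resource: str
    compliant: bool
    reason: str


def check_rds_storage_encrypted(instances):
    """RDS_STORAGE_ENCRYPTED: every instance must report StorageEncrypted=True.
    A missing field is treated as not encrypted (fail closed)."""
    findings = []
    for db in instances:
        encrypted = bool(db.get("StorageEncrypted", False))
        findings.append(Finding("RDS_STORAGE_ENCRYPTED", db["DBInstanceIdentifier"], encrypted,
                                "storage encrypted at rest" if encrypted else "StorageEncrypted is false"))
    return findings


def check_s3_public_read_prohibited(buckets):
    """S3_BUCKET_PUBLIC_READ_PROHIBITED (simplified): a bucket passes when all four
    Block Public Access settings are on, or when neither its ACL nor its bucket
    policy grants public read."""
    findings = []
    for b in buckets:
        pab = b.get("PublicAccessBlock", {})
        fully_blocked = all(pab.get(k, False) for k in
                            ("BlockPublicAcls", "IgnorePublicAcls",
                             "BlockPublicPolicy", "RestrictPublicBuckets"))
        public = b.get("AclGrantsPublicRead", False) or b.get("PolicyGrantsPublicRead", False)
        ok = fully_blocked or not public
        findings.append(Finding("S3_BUCKET_PUBLIC_READ_PROHIBITED", b["Name"], ok,
                                "public read blocked" if ok else "ACL or policy grants public read"))
    return findings


def check_cloudtrail_audit(trails):
    """A trail counts as an audit trail only if it is multi-region, captures global
    service events and is actually logging, matching the create_trail settings."""
    findings = []
    for t in trails:
        missing = [k for k in ("IsMultiRegionTrail", "IncludeGlobalServiceEvents", "IsLogging")
                   if not t.get(k, False)]
        findings.append(Finding("CLOUDTRAIL_AUDIT_TRAIL", t["Name"], not missing,
                                "trail meets audit settings" if not missing
                                else "missing: " + ", ".join(missing)))
    return findings


def evaluate(inventory):
    """Run every check and return the full list of findings."""
    return (check_rds_storage_encrypted(inventory.get("rds_instances", []))
            + check_s3_public_read_prohibited(inventory.get("s3_buckets", []))
            + check_cloudtrail_audit(inventory.get("cloudtrail_trails", [])))


def non_compliant(findings):
    """Sorted (rule, resource) pairs that need remediation."""
    return sorted((f.rule, f.resource) for f in findings if not f.compliant)


if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print("PASS" if f.compliant else "FAIL", f.rule, f.resource, "-", f.reason)
```

Running the block prints one PASS/FAIL line per resource; the unencrypted dev database, the bucket whose ACL grants public read, and the single-region trail are the three failures. Treating a missing attribute as a failure is deliberate: an inventory gap should surface as a finding rather than silently pass.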
Interview Q&A
Q1: What are HIPAA-eligible AWS services?
Answer: S3, Redshift, RDS, EMR, Glue, Lambda, and many more; see the AWS HIPAA Eligible Services Reference for the full list.
Q2: How does GDPR affect data architecture?
Answer: GDPR requires EU data residency, a right-to-erasure capability, data portability, and consent tracking. Use EU regions and implement data retention policies.
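As an added example (not the course's own code), the three architectural requirements named in this answer, residency in EU regions, retention policies, and erasure, checked and exercised against constructed data. EU_REGIONS is an assumed, non-exhaustive list to verify against the current AWS region table; the bucket records mirror the shape of get_bucket_location and get_bucket_lifecycle_configuration output, and the record store and function names are assumptions of this example.

```python
# Added example: GDPR residency, retention and erasure checks. Not the course's code.
from datetime import datetime, timezone

EU_REGIONS = {"eu-west-1", "eu-west-2", "eu-west-3",
              "eu-central-1", "eu-north-1"}  # assumed list, check the current region table

# Constructed sample buckets and records (no real data).
BUCKETS = [
    {"Name": "eu-customer-data", "Region": "eu-central-1",
     "LifecycleRules": [{"Status": "Enabled", "Expiration": {"Days": 730}}]},
    {"Name": "us-mirror", "Region": "us-east-1", "LifecycleRules": []},
    {"Name": "eu-archive", "Region": "eu-west-1",
     "LifecycleRules": [{"Status": "Disabled", "Expiration": {"Days": 30}}]},
]
RECORDS = [
    {"subject_id": "subj-001", "store": "orders", "email": "a@example.com"},
    {"subject_id": "subj-002", "store": "orders", "email": "b@example.com"},
    {"subject_id": "subj-001", "store": "support-tickets", "email": "a@example.com"},
]


def residency_violations(buckets, allowed=EU_REGIONS):
    """Data residency: names of buckets whose region is outside the allowed set."""
    return sorted(b["Name"] for b in buckets if b["Region"] not in allowed)


def retention_gaps(buckets, max_days):
    """Retention policy: buckets with no *enabled* lifecycle rule that expires
    objects within max_days. A disabled rule or a longer window counts as a gap."""
    gaps = []
    for b in buckets:
        ok = any(r.get("Status") == "Enabled"
                 and r.get("Expiration", {}).get("Days", max_days + 1) <= max_days
                 for r in b.get("LifecycleRules", []))
        if not ok:
            gaps.append(b["Name"])
    return gaps


def erase_subject(records, subject_id, actor, now=None):
    """Right to erasure: drop every record for the subject across all stores and
    return the remaining records plus an audit entry. The entry holds only the
    subject id, store names and counts, never the erased values, so the audit
    log does not become another copy of the personal data."""
    remaining = [r for r in records if r["subject_id"] != subject_id]
    removed = [r for r in records if r["subject_id"] == subject_id]
    audit = {
        "event": "gdpr_erasure",
        "subject_id": subject_id,
        "actor": actor,
        "stores": sorted({r["store"] for r in removed}),
        "records_removed": len(removed),
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
    }
    return remaining, audit


if __name__ == "__main__":
    print("outside EU:", residency_violations(BUCKETS))
    print("no retention policy within 3 years:", retention_gaps(BUCKETS, max_days=1095))
    left, entry = erase_subject(RECORDS, "subj-001", actor="privacy-ops")
    print(entry, "remaining records:", len(left))
```

An erasure request for a subject with no records still produces an audit entry with a zero count, so the request itself is evidenced. In a real deployment the same routine has to reach backups, replicas and any exported copies, which is why the residency check matters: a mirror bucket outside the EU is both a residency finding and a place erasure can miss.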
Q3: What is a BAA?
Answer: A Business Associate Agreement is a contract between AWS and a healthcare organization that covers HIPAA compliance for handling PHI.
Summary
- HIPAA: PHI encryption, access controls, BAA with AWS
- GDPR: EU data residency, right to erasure, consent management
- SOC 2: Security controls, audit evidence, AWS Artifact reports
- PCI DSS: Cardholder data encryption, network segmentation
- Tools: Config rules, CloudTrail, Macie, GuardDuty