Benchmark: Article 32 Security of processing
To obtain the latest version of the official guide, please visit https://gdpr-info.eu/art-32-gdpr/.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate.
In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-complianceStart the Powerpipe server:
steampipe service startpowerpipe serverOpen http://localhost:9033 in your browser and select Article 32 Security of processing.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.article_32Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.article_32 --shareControls
- ACM certificates should not expire within 30 days
- API Gateway stage cache encryption at rest should be enabled
- CloudFront distributions should require encryption in transit
- CloudTrail trail logs should be encrypted with KMS CMK
- CloudTrail trail log file validation should be enabled
- DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- DynamoDB table should be encrypted with AWS KMS
- DynamoDB table should have encryption enabled
- Attached EBS volumes should have encryption enabled
- EBS volume encryption at rest should be enabled
- EFS file system encryption at rest should be enabled
- ELB application load balancers should be drop HTTP headers
- ELB application load balancers should redirect HTTP requests to HTTPS
- ELB classic load balancers should use SSL certificates
- ELB classic load balancers should only use SSL or HTTPS listeners
- ES domain encryption at rest should be enabled
- Elasticsearch domain node-to-node encryption should be enabled
- Log group encryption at rest should be enabled
- RDS DB instance encryption at rest should be enabled
- RDS DB instances should be in a backup plan
- Database logging should be enabled
- RDS DB snapshots should be encrypted at rest
- AWS Redshift clusters should have automatic snapshots enabled
- Redshift cluster encryption in transit should be enabled
- Redshift cluster audit logging and encryption should be enabled
- S3 bucket default encryption should be enabled
- S3 bucket default encryption should be enabled with KMS
- S3 buckets should enforce SSL
- SageMaker endpoint configuration encryption should be enabled
- SageMaker notebook instance encryption should be enabled
- SNS topics should be encrypted at rest
- Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)