GDPR Compliance Checklist for AWS EC2
1. Data Governance & Classification
- [ ] Identify whether any personally identifiable information (PII) is stored or processed on EC2.
- [ ] Classify data based on sensitivity and regulatory requirements.
- [ ] Document lawful basis for processing personal data (e.g., consent, contract, legitimate interest).
2. Data Minimization & Purpose Limitation
- [ ] Ensure that only necessary personal data is collected.
- [ ] Limit EC2 storage and processing to specific, documented purposes.
- [ ] Regularly review data stored on EC2 for relevance and compliance.
3. Access Control
- [ ] Use IAM roles with least privilege access.
- [ ] Disable or restrict SSH access where not needed.
- [ ] Enforce multi-factor authentication (MFA) for IAM users with EC2 permissions.
- [ ] Rotate credentials (key pairs, access keys) regularly.
4. Encryption
- [ ] Enable EBS volume encryption for all instance storage.
- [ ] Use AWS KMS with customer-managed keys (CMKs) if stricter key control is required.
- [ ] Ensure SSL/TLS encryption in transit for data sent to/from EC2.
- [ ] Encrypt all backups and snapshots.
5. Monitoring and Logging
- [ ] Enable AWS CloudTrail to log EC2 API calls.
- [ ] Enable VPC Flow Logs to monitor network activity.
- [ ] Use Amazon CloudWatch for instance performance and system-level logs.
- [ ] Retain logs securely with access controls for audits and incident response.
6. Regional Considerations & Data Transfers
- [ ] Launch EC2 instances in EU-based regions (e.g., eu-west-1, eu-central-1) if data must stay in the EU.
- [ ] Avoid transferring PII outside the EU unless Standard Contractual Clauses (SCCs) or equivalent safeguards are in place.
- [ ] Document cross-border transfer justifications and safeguards.
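The encryption items in section 4 and the regional items in section 6 can be checked mechanically from the API responses an operator already has. The following is an added example, not AWS tooling or part of the original checklist: a hypothetical helper that takes entries shaped like `aws ec2 describe-volumes` output plus a map of KMS key ARN to the `KeyManager` field from `aws kms describe-key` (constructed sample data is embedded) and reports volumes that are unencrypted, encrypted with an AWS-managed key instead of a CMK, or placed outside the allowed EU regions.

```python
"""Offline GDPR checks over constructed EC2/KMS API responses (hypothetical helper)."""

# Assumption: the EU regions this deployment is allowed to use.
EU_REGIONS = {"eu-west-1", "eu-west-2", "eu-west-3", "eu-central-1",
              "eu-north-1", "eu-south-1"}


def region_of(availability_zone: str) -> str:
    # "eu-west-1a" -> "eu-west-1": the zone letter is the last character
    return availability_zone[:-1]


def audit_volumes(volumes, key_managers, allowed_regions=EU_REGIONS, require_cmk=False):
    """Return a list of (VolumeId, finding) tuples.

    volumes: entries shaped like describe_volumes()["Volumes"]
    key_managers: {KmsKeyId ARN: KeyMetadata["KeyManager"]} ("AWS" or "CUSTOMER")
    """
    findings = []
    for v in volumes:
        vid = v["VolumeId"]
        if region_of(v["AvailabilityZone"]) not in allowed_regions:
            findings.append((vid, "outside allowed EU regions"))
        if not v.get("Encrypted"):
            findings.append((vid, "EBS volume not encrypted"))
            continue  # key checks are meaningless without encryption
        if require_cmk and key_managers.get(v.get("KmsKeyId")) != "CUSTOMER":
            findings.append((vid, "encrypted with AWS-managed key, not a CMK"))
    return findings


# Constructed sample data shaped like the real API responses (not real resources).
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa", "AvailabilityZone": "eu-west-1a", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/cmk-1"},
    {"VolumeId": "vol-0bbb", "AvailabilityZone": "eu-central-1b", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:eu-central-1:111122223333:key/awsmanaged-1"},
    {"VolumeId": "vol-0ccc", "AvailabilityZone": "us-east-1a", "Encrypted": False},
]
SAMPLE_KEY_MANAGERS = {
    "arn:aws:kms:eu-west-1:111122223333:key/cmk-1": "CUSTOMER",
    "arn:aws:kms:eu-central-1:111122223333:key/awsmanaged-1": "AWS",
}

if __name__ == "__main__":
    for vid, finding in audit_volumes(SAMPLE_VOLUMES, SAMPLE_KEY_MANAGERS, require_cmk=True):
        print(f"{vid}: {finding}")
```

The same shape of check applies to `describe-snapshots` output for the backup item in section 4, since snapshots carry the same `Encrypted` and `KmsKeyId` fields.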
7. Security Hardening
- [ ] Regularly patch and update EC2 operating systems and applications.
- [ ] Disable unnecessary services and ports.
- [ ] Use a host-based firewall (e.g., iptables, ufw) in addition to Security Groups.
- [ ] Run vulnerability scans and apply hardening guidelines (e.g., CIS benchmarks).
8. Incident Response & Data Breach Protocols
- [ ] Document and rehearse a data breach response plan.
- [ ] Use Amazon GuardDuty or third-party IDS/IPS for intrusion detection.
- [ ] Set alerts for suspicious EC2 activity (e.g., CPU spikes, new open ports, failed login attempts).
9. Data Subject Rights & Erasure
- [ ] Ensure you can retrieve, correct, or delete personal data on EC2 if requested.
- [ ] Use tools or scripts to locate and erase PII from instance disks and logs.
- [ ] Ensure deleted data is unrecoverable (e.g., zeroed volumes, deleted snapshots).
10. Audit, Documentation, and Contracts
- [ ] Maintain an up-to-date data processing inventory for EC2-related activities.
- [ ] Execute a Data Processing Addendum (DPA) with AWS (available via AWS Artifact).
- [ ] Use AWS Config to track and audit EC2 configuration changes.
- [ ] Document all policies and technical controls for GDPR accountability.