At Magick Automation we are committed to security and follow the good practices set out in the European Union’s General Data Protection Regulation (GDPR) which protects the fundamental right to privacy and personal data protection of data owners in the European Union.
To meet the strict requirements that will reinforce and harmonise data protection, security and compliance standards we use RGPD-compliant services from AWS: https://aws.amazon.com/es/blogs/security/all-aws-services-gdpr-ready/
In the following we detail point by point the most important aspects in relation to the databases:
- Automated full encrypted database backups are performed every night and stored in AWS’s S3 service which offers a guaranteed data durability of 99.999999999% as it automatically creates and stores copies of all S3 objects on multiple systems. This means that data is available when needed and protected from errors and threats. Encryption of backups stored in S3 uses the AWS Key Management Service (KMS
- All databases are encrypted at rest using the encryption option available in RDS. The AWS Key Management Service (KMS) is used for encryption. Encrypted data at rest includes the underlying storage of database instances, their automated backups, read mirrors, and snapshots. Encryption uses the industry-standard AES-256 encryption algorithm to encrypt data on the server that hosts Amazon RDS database instances.
- In addition to periodic backups, the RDS restore service allows you to restore a database instance to any given time of day, because RDS saves the transaction records for the database instances on Amazon S3 every 5 minutes. This way it is possible to return to a specific database status (day and time) at any time of day in case it is necessary due to a disaster or incident.
The following describes the KMS service used for data encryption (https://aws.amazon.com/es/kms/):
- The encryption keys are stored in the AWS KMS service which is designed so that no one, including AWS employees, can retrieve the plain text keys from the service. The service uses hardware security modules (HSMs) validated to the FIPS 140-2 standard to protect the confidentiality and integrity of your keys. The keys are never recorded to disk and are only used in the HSM’s volatile memory for the time required to perform the cryptographic operation you requested. The keys created by KMS are never transmitted outside the AWS region in which they were created and can only be used in the region in which they were created. KMS HSM firmware updates are controlled with multi-party access, which is audited and reviewed by an independent group from Amazon, as well as a laboratory accredited by the National Institute of Standards and Technology (NIST), in accordance with FIPS 140-2.
- AWS KMS stores multiple copies of the encrypted versions of the keys in systems designed to provide 99.999999999 % durability to ensure that the keys and data are highly available.
- KMS HSM firmware updates are controlled with multi-party access, which is audited and reviewed by an independent group from Amazon, as well as a laboratory accredited by the National Institute of Standards and Technology (NIST), in accordance with FIPS 140-2.
- The safety and quality controls of AWS KMS are validated and certified by the following conformity schemes.
– AWS Service Organization Controls reports (SOC 1, SOC 2 and SOC 3). You can download a copy of these reports from AWS Artifact.
– PCI DSS Level 1. For more details on PCI DSS compliant AWS services, please read the PCI DSS FAQ.
– ISO 27001. For more details on AWS’s ISO 27001-compliant services, please read the ISO-27001 FAQ.
– ISO 27017. For more details on AWS services in compliance with ISO 27017, please read the ISO-27017 FAQ.
– ISO 27018. For more details on AWS services in compliance with ISO 27018, please read the ISO-27018 FAQ.
– ISO 9001. For more details on AWS’s ISO 9001-compliant services, please read the ISO-9001 FAQ.
– FIPS 140-2. The AWS KMS cryptographic module running firmware version 1.4.4 is validated at FIPS 140-2 level 2 generally with level 3 for several other categories, including physical security. For more details, you can refer to the FIPS 140-2 certificate for AWS KMS HSM along with the associated security policy.
– FedRAMP. More information about FedRAMP compliance can be found at AWS under FedRAMP Compliance.
– HIPAA. For more information, visit the HIPAA Compliance page.