Virtual Machine Classification

  • DSI-01.1: Do you provide a capability to identify data and virtual machines via policy tags/metadata (e.g., tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country)?

AWS provides the ability to tag EC2 resources. A form of metadata, EC2 tags can be used to create user-friendly names, enhance searchability, and improve coordination between multiple users. The AWS Management Console also supports tagging. AWS does not provide hardware to customers, but virtual machines are assigned to customers as part of the EC2 service.

The vendor uses tags to provide the data center operations team with critical information (e.g., restricting instantiation in a specific country based on the tag value).

  • DSI-01.2: Do you provide a capability to identify data and hardware via policy tags/metadata/hardware tags (e.g., TXT/TPM, VN-Tag, etc.)?

Not applicable. AWS does not provide hardware to customers, but virtual machines are assigned to customers as part of the EC2 service.

Data Inventory / Flows

  • DSI-02.1: Do you inventory, document, and maintain data flows for data that is resident (permanent or temporary) within the services' applications and infrastructure network and systems?

AWS provides the required documentation and associated data flow diagrams for AWS services. Customers determine the design patterns based on their usage of AWS services and the associated network and system components.

Customer tenant data is stored in an agreed-upon geography. This is documented as part of the customer record. The residency of a customer's data will remain unchanged throughout the data lifecycle unless the customer and vendor mutually agree to change it.

  • DSI-02.2: Can you ensure that data does not migrate beyond a defined geographical residency?

AWS Customers designate in which physical region their content will be located. AWS will not move customers' content from the selected regions without notifying the customer, unless required to comply with the law or requests of governmental entities.

Audit

  • Insert AWS biannual audit (check servers for accurate tags, etc.)
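A concrete form the audit bullet above and the DSI-01.1 tag-based residency control could take, as an added example that is not part of this questionnaire or of any AWS tooling: an offline check over EC2 instance metadata in the shape returned by `describe_instances`. The `DataResidency` and `Customer` tag names, the region-to-country map, and the sample instances are all assumptions constructed for the example.

```python
"""Offline audit of EC2 residency tags (added example; all data is constructed)."""

# Assumptions, not taken from the questionnaire: every instance carries a
# "DataResidency" tag holding the ISO country code agreed in the customer
# record, a "Customer" tag naming the tenant, and each region maps to the
# country it physically sits in.
REGION_COUNTRY = {"us-east-1": "US", "eu-west-1": "IE", "eu-central-1": "DE"}
RESIDENCY_TAG = "DataResidency"
CUSTOMER_TAG = "Customer"


def tags_to_dict(tags):
    """EC2 returns tags as [{'Key': k, 'Value': v}, ...]; flatten to a dict."""
    return {t["Key"]: t["Value"] for t in (tags or [])}


def audit_residency(region, reservations, customer_record):
    """Check every instance in `reservations` (same shape as boto3's
    describe_instances()['Reservations']) against the region's country and
    the tenant's agreed residency. Returns a list of (instance_id, finding)."""
    findings = []
    country = REGION_COUNTRY.get(region)
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            iid = inst["InstanceId"]
            tags = tags_to_dict(inst.get("Tags"))
            residency = tags.get(RESIDENCY_TAG)
            agreed = customer_record.get(tags.get(CUSTOMER_TAG))
            if residency is None:
                findings.append((iid, "missing residency tag"))
            elif country is None:
                findings.append((iid, f"region {region} not in residency map"))
            elif residency != country:
                findings.append((iid, f"tag says {residency}, region is {country}"))
            elif agreed is not None and agreed != residency:
                findings.append((iid, f"customer record says {agreed}, tag says {residency}"))
    return findings


# Constructed sample: what describe_instances() might return in eu-west-1.
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa", "Tags": [{"Key": "DataResidency", "Value": "IE"},
                                      {"Key": "Customer", "Value": "acme"}]},
    {"InstanceId": "i-0bbb", "Tags": [{"Key": "DataResidency", "Value": "US"},
                                      {"Key": "Customer", "Value": "acme"}]},
    {"InstanceId": "i-0ccc", "Tags": [{"Key": "Customer", "Value": "globex"}]},
    {"InstanceId": "i-0ddd", "Tags": [{"Key": "DataResidency", "Value": "IE"},
                                      {"Key": "Customer", "Value": "globex"}]},
]}]
SAMPLE_CUSTOMER_RECORD = {"acme": "IE", "globex": "DE"}  # agreed residency per tenant

if __name__ == "__main__":
    for iid, finding in audit_residency("eu-west-1", SAMPLE_RESERVATIONS, SAMPLE_CUSTOMER_RECORD):
        print(f"{iid}: {finding}")
```

Against the sample data the check flags the instance tagged for the wrong country, the untagged instance, and the instance whose tag disagrees with the customer record; a compliant instance produces no finding.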

Notes

Need data in Salesforce that allows us to state the residency value. The SOP should reference setting data residency.