India’s Digital Personal Data Protection Act 2023 requires organisations to implement “reasonable security safeguards” to protect personal data. For Indian enterprises running workloads on AWS, this obligation lands squarely in your hands — not AWS’s.
AWS operates under a shared responsibility model: AWS is responsible for the security of the cloud (physical infrastructure, hypervisor, networking). You are responsible for security in the cloud — how you configure IAM, what encryption settings you enable, and whether you monitor for breaches.
Data Residency: Keep Indian Data in India
AWS has two regions in India:
- Asia Pacific (Mumbai) — ap-south-1: AWS’s original Indian region, operational since 2016
- Asia Pacific (Hyderabad) — ap-south-2: Launched in 2022, providing a second Indian region for multi-AZ architectures entirely within India
Use AWS Service Control Policies (SCPs) to restrict resource creation to Indian regions, preventing accidental deployment of personal data workloads to non-Indian regions.
Amazon Macie: Discover Personal Data in S3
Amazon Macie is a managed data security service that uses machine learning to automatically discover and classify sensitive data in S3. Macie includes built-in detectors for Indian personal data including:
- Names, addresses, phone numbers, and email addresses
- Aadhaar numbers and Indian passport numbers
- PAN card numbers
- Financial account numbers and credit card data
Enable Macie in your AWS account from AWS Management Console → Amazon Macie → Get started. Run recurring discovery jobs on all S3 buckets in your Indian regions to continuously identify where personal data lives.
AWS KMS: Encryption for DPDP Compliance
For DPDP Act compliance, every S3 bucket, RDS database, DynamoDB table, EBS volume, and other storage resource containing personal data must be encrypted at rest. Use KMS customer-managed keys (CMKs) for all personal data storage — this gives you the ability to audit who accessed encrypted data, revoke access by disabling a key, and enforce key usage policies through IAM.
Create KMS keys in the Mumbai or Hyderabad region — KMS keys are region-specific and should be in the same region as the data they encrypt.
AWS IAM: Access Controls for Personal Data
The DPDP Act requires that personal data be accessible only to those with a lawful purpose. IAM best practices for DPDP compliance include:
- Eliminate root account usage — remove root access keys, enable MFA, use IAM roles for all administrative tasks
- Enforce MFA for sensitive operations — use IAM condition keys to require MFA for actions on buckets containing personal data
- Use IAM roles, not IAM users — applications should use IAM roles with temporary credentials, not long-lived access keys
- Enable IAM Access Analyzer — continuously monitor for unintended public or cross-account access
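The region-pinning SCP from the Data Residency section and the MFA condition from the second bullet above are easy to get subtly wrong (global services, long-term access keys). This added example is not CloudFirst's or AWS's code: it writes both policy documents and checks them offline with a deliberately minimal model of IAM's Deny evaluation. The bucket name, the exemption list and the evaluator's operator support are assumptions for illustration.

```python
import fnmatch

INDIAN_REGIONS = ["ap-south-1", "ap-south-2"]
# Region-pinning SCP: deny any action whose requested region is outside India.
# Global services always report us-east-1, so they must be exempted via NotAction;
# this exemption list is abbreviated and must cover the global services you use.
REGION_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyOutsideIndia", "Effect": "Deny", "Resource": "*",
    "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*",
                  "cloudfront:*", "route53:*", "budgets:*", "health:*"],
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": INDIAN_REGIONS}}}]}

# MFA guard for a personal-data bucket (bucket name is constructed). BoolIfExists, not
# Bool: the MFA key is absent for long-term access keys, and Bool would let them through.
MFA_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyPersonalDataWithoutMFA", "Effect": "Deny",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
    "Resource": "arn:aws:s3:::example-personal-data/*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}

def _matches(patterns, value):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, ctx):
    """Minimal model of the two operators used above; IAM supports many more."""
    for op, pairs in condition.items():
        for key, wanted in pairs.items():
            wanted = [wanted] if isinstance(wanted, str) else wanted
            actual = ctx.get(key)
            if op == "StringNotEquals":  # key assumed present (aws:RequestedRegion always is)
                if actual is None or actual in wanted:
                    return False
            elif op == "BoolIfExists":  # an absent key makes the condition true
                if actual is not None and actual != wanted[0]:
                    return False
            else:
                raise ValueError(f"operator {op} not modelled")
    return True

def denied_by(policy, action, ctx, resource="*"):
    """Sid of the first explicit Deny statement matching the request, else None."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        hit = (_matches(st["Action"], action) if "Action" in st
               else not _matches(st["NotAction"], action))
        if hit and _matches(st["Resource"], resource) and _condition_holds(st.get("Condition", {}), ctx):
            return st["Sid"]
    return None
```

Run the checks before attaching the SCP to an OU; the third case (no MFA key at all) is the one a `Bool` condition would silently miss.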
AWS CloudTrail: Audit Logging for Breach Detection
AWS CloudTrail provides a complete audit log of all AWS API calls. Enable CloudTrail in all AWS accounts and all regions. Enable S3 data events in CloudTrail for buckets containing personal data: by default CloudTrail logs only management events, whereas data events record the individual object-level operations that are essential for detecting unauthorised access.
Pair CloudTrail with AWS Security Hub and Amazon GuardDuty for automated threat detection. Enable both services in all accounts and regions where personal data is processed.
S3 Lifecycle Policies: Automated Data Deletion
The DPDP Act requires deletion of personal data once its purpose has been fulfilled. S3 Lifecycle Policies provide automated, reliable deletion without manual intervention. Apply lifecycle policies to every S3 bucket containing personal data, setting the expiration period based on your retention obligations for each data category.
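An added example, not code from CloudFirst or AWS, of what the paragraph above describes: a per-category retention schedule turned into tag-filtered S3 lifecycle rules (the document shape accepted by put_bucket_lifecycle_configuration), plus a dry run over a constructed object inventory that surfaces the objects no rule will ever delete. The categories, retention periods and object keys are hypothetical.

```python
from datetime import date, timedelta

# Constructed retention schedule: days to keep each data category after it is stored.
# The categories and periods are hypothetical; derive yours from the purpose for which
# each category was collected.
RETENTION_DAYS = {"kyc-record": 365 * 5, "support-ticket": 180, "marketing-consent": 90}
TAG_KEY = "data-category"

def lifecycle_configuration(retention):
    """One tag-filtered expiration rule per category, in LifecycleConfiguration form."""
    rules = []
    for category, days in retention.items():
        rules.append({
            "ID": f"expire-{category}",
            "Status": "Enabled",
            "Filter": {"Tag": {"Key": TAG_KEY, "Value": category}},
            "Expiration": {"Days": days},
            # On a versioned bucket Expiration only adds a delete marker; without this
            # the old versions, and the personal data in them, are kept indefinitely.
            "NoncurrentVersionExpiration": {"NoncurrentDays": 7},
        })
    return {"Rules": rules}

def retention_gaps(inventory, retention, today):
    """Dry run over (key, data-category tag or None, last-modified date) entries.
    Returns objects no rule covers (untagged or unknown category) and objects that
    are already past their category's retention period."""
    uncovered, overdue = [], []
    for key, category, modified in inventory:
        if category not in retention:
            uncovered.append(key)
        elif modified + timedelta(days=retention[category]) <= today:
            overdue.append(key)
    return uncovered, overdue

# Constructed sample inventory: an untagged export is the classic gap, because a
# tag-filtered rule never touches it.
SAMPLE_INVENTORY = [
    ("kyc/2019/aadhaar-scan-001.pdf", "kyc-record", date(2019, 1, 15)),
    ("tickets/2024/98765.json", "support-ticket", date(2024, 9, 1)),
    ("exports/customers-dump.csv", None, date(2023, 3, 3)),
]
```

Pair the rules with a bucket policy or tagging standard that rejects untagged uploads of personal data, otherwise the uncovered list only grows.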
AWS Config: Continuous Compliance Monitoring
AWS Config continuously monitors your AWS resource configurations and alerts you when they drift from your compliance rules. Use AWS Config rules to enforce:
- S3 buckets containing personal data must be encrypted
- S3 buckets must not be publicly accessible
- CloudTrail must be enabled in all regions
- RDS instances must be encrypted
- MFA must be enabled on the root account
CloudFirst is an AWS Partner for Indian enterprises. Talk to an AWS compliance expert → cloudfirst.in/aws-managed-cloud-services.php
Frequently Asked Questions
Q: Is AWS certified for DPDP Act compliance?
The DPDP Act does not have an official certification programme. AWS holds global compliance certifications (ISO 27001, SOC 2, PCI DSS). Compliance with the DPDP Act is the customer’s responsibility — AWS provides the tools and infrastructure, but you must configure and use them correctly.
Q: Does AWS execute a Data Processing Agreement for DPDP Act purposes?
Yes. AWS offers a Data Processing Addendum (DPA) that governs AWS’s role as a Data Processor. This can be accepted online through the AWS Management Console under Account → Data Privacy.
Q: Can Amazon Macie detect Aadhaar numbers?
Yes. Amazon Macie includes managed data identifiers for Indian personal data including Aadhaar numbers, PAN numbers, and Indian passport numbers. You can also create custom data identifiers for organisation-specific data patterns.