Repository files navigation

English |简体中文

Secure sensitive data across multiple AWS accounts, including PII.

Documentation ·Changelog

The Sensitive Data Protection on AWS solution allows enterprise customers to create data catalogs, discover, protect, and visualize sensitive data across multiple AWS accounts. The solution eliminates the need for manual tagging to track sensitive data such as Personal Identifiable Information (PII) and classified information.

The solution provides an automated approach to data protection with a self-service web application. You can perform regular or on-demand sensitive data discovery jobs using your own data classification templates. Moreover, you can access metrics such as the total number of sensitive data entries stored in all your AWS accounts, which accounts contain the most sensitive data, and the data source where the sensitive data is located.

For more information about the solution, please refer to ourwebsite.

Summary Dashboard

PII Data Identifiers	Data Catalog Management

This project is an AWSCloud Development Kit(CDK) project written in Typescript, if you want to use this solution without building the entire project, you can use theAmazon CloudFormation template to deploy the solution in 20 minutes, please follow theImplementation Guide to deploy the solution in your AWS account.

The Solution usesAWS Glue service for data catalog acquisition in the monitored account(s) and invoking Glue Job for sensitive data PII detection. The distributed Glue job runs in each monitored account and the admin account contains centralized data catalog of data stores across AWS accounts.

1. TheApplication Load Balancer distributes the solution's frontend web UI assets hosted inAWS Lambda.
2. Identity provider for user authentication.
3. The AWS Lambda function is packaged as Docker images and stored in theAmazon ECR (Elastic Container Registry).
4. The backend Lambda function is a target for the Application Load Balancer.
5. The backend Lambda function invokesAWS Step Functions in monitored accounts for sensitive data detection.
6. InAWS Step Functions workflow, theAWS Glue Crawler runs to take inventory of the data sources and is stored in the Glue Database as metadata tables.
7. The Step Functions sendAmazon SQS messages to the detection job queue after the Glue job has run.
8. Lambda function processs messages from Amazon SQS.
9. TheAmazon Athena query detection results and save to MySQL instance inAmazon RDS.

Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.Licensed under the Apache License Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at

http://www.apache.org/licenses/

or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions and limitations under the License.