This content is outdated. This version of the Well-Architected Framework is now found at: https://docs.aws.amazon.com/en_us/wellarchitected/2022-03-31/framework/security.html

SEC 7: How do you classify your data?

Classification provides a way to categorize data based on its criticality and sensitivity, in order to help you determine appropriate protection and retention controls.

Resources

Introducing the New Amazon Macie
Data Classification Whitepaper
Getting started with Amazon Macie

Best Practices:

Identify the data within your workload

  Improvement Plan:
  • Consider discovering data using Amazon Macie: Amazon Macie recognizes sensitive data such as personally identifiable information (PII) or intellectual property.
    Amazon Macie

Define data protection controls

  Improvement Plan:
  • Define your data identification and classification schema: Identification and classification of your data is performed to assess the potential impact and type of data you store, and who can access it.
    AWS Documentation
  • Discover available AWS controls: For the AWS services you are using or plan to use, discover the available security controls. Many services have a security section in their documentation.
    AWS Documentation
  • Identify AWS compliance resources: Identify the resources that AWS makes available to assist you.
    https://aws.amazon.com/compliance/

Automate identification and classification

  Improvement Plan:
  • Use Amazon S3 Inventory: Amazon S3 Inventory is one of the tools you can use to audit and report on the replication and encryption status of your objects.
    Amazon S3 Inventory
  • Consider Amazon Macie: Amazon Macie uses machine learning to automatically discover and classify data stored in Amazon S3.
    Amazon Macie

Define data lifecycle management

  Improvement Plan:
  • Identify data types: Identify the types of data that you are storing or processing in your workload. That data could be text, images, binary, databases, etc.
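As an added example (not code from the Well-Architected Framework or from AWS), the script below ties the "Use Amazon S3 Inventory" and "Define your data identification and classification schema" items together: it maps header-less S3 Inventory CSV rows onto the field names from the inventory manifest, classifies each object by key prefix, and flags objects whose reported encryption status does not meet the control defined for their class or whose replication has failed. The prefix schema, the required-encryption table and the inventory rows are all assumed or constructed for illustration.

```python
import csv
import io

# Constructed sample: fileSchema from an S3 Inventory manifest.json plus rows from
# one of its CSV data files (which carry no header; column order comes from the manifest).
SAMPLE_SCHEMA = "Bucket, Key, Size, ReplicationStatus, EncryptionStatus"
SAMPLE_CSV = (
    '"example-bucket","public/logo.png","4096","COMPLETED","SSE-S3"\n'
    '"example-bucket","hr/payroll-2021.csv","20480","FAILED","NOT-SSE"\n'
    '"example-bucket","customers/export.json","8192","COMPLETED","SSE-KMS"\n'
    '"example-bucket","customers/notes.txt","512","","NOT-SSE"\n'
)

# Hypothetical classification schema: first matching key prefix wins,
# anything unmatched is treated as "internal".
CLASSIFICATION_BY_PREFIX = {"hr/": "restricted", "customers/": "confidential", "public/": "public"}

# Hypothetical protection control: inventory encryption statuses acceptable per class.
REQUIRED_ENCRYPTION = {
    "restricted": {"SSE-KMS"},
    "confidential": {"SSE-KMS", "SSE-S3"},
    "internal": {"SSE-KMS", "SSE-S3"},
    "public": {"SSE-KMS", "SSE-S3", "NOT-SSE"},
}

def classify(key):
    for prefix, label in CLASSIFICATION_BY_PREFIX.items():
        if key.startswith(prefix):
            return label
    return "internal"

def parse_inventory(schema, csv_text):
    # Map each header-less CSV row onto the field names from the manifest.
    fields = [f.strip() for f in schema.split(",")]
    return [dict(zip(fields, row)) for row in csv.reader(io.StringIO(csv_text))]

def find_findings(rows):
    # One (key, classification, issue) tuple per control an object violates.
    findings = []
    for row in rows:
        label = classify(row["Key"])
        if row["EncryptionStatus"] not in REQUIRED_ENCRYPTION[label]:
            findings.append((row["Key"], label, "encryption:" + row["EncryptionStatus"]))
        if row["ReplicationStatus"] == "FAILED":
            findings.append((row["Key"], label, "replication:FAILED"))
    return findings

def report(schema=SAMPLE_SCHEMA, csv_text=SAMPLE_CSV):
    return find_findings(parse_inventory(schema, csv_text))
```

Calling `report()` on the constructed rows flags the unencrypted payroll file twice (encryption and failed replication) and the unencrypted customer notes once; a real run would point the same functions at the manifest's `fileSchema` and the downloaded data files.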