This content is outdated. This version of the Well-Architected Framework is now found at: https://docs.aws.amazon.com/en_us/wellarchitected/2022-03-31/framework/security.html

SEC 7: How do you classify your data?

Classification provides a way to categorize data, based on criticality and sensitivity in order to help you determine appropriate protection and retention controls.

Resources

Introducing the New Amazon Macie
Data Classification Whitepaper
Getting started with Amazon Macie

Best Practices:

Identify the data within your workload: This includes the type and classification of data, the associated business processes. data owner, applicable legal and compliance requirements, where it’s stored, and the resulting controls that are needed to be enforced. This may include classifications to indicate if the data is intended to be publicly available, if the data is internal use only such as customer personally identifiable information (PII), or if the data is for more restricted access such as intellectual property, legally privileged or marked sensititve, and more.
Define data protection controls: Protect data according to its classification level. For example, secure data classified as public by using relevant recommendations while protecting sensitive data with additional controls.
Automate identification and classification: Automate identification and classification of data to reduce the risk of human error from manual interactions.
Define data lifecycle management: Your defined lifecycle strategy should be based on sensitivity level, as well as legal and organization requirements. Aspects including the duration you retain data for, data destruction, data access management, data transformation, and data sharing should be considered.

Improvement Plan

Identify the data within your workload

Consider discovering data using Amazon Macie: Amazon Macie recognizes sensitive data such as personally identifiable information (PII) or intellectual property.
Amazon Macie

Define data protection controls

Define your data identification and classification schema: Identification and classification of your data is performed to assess the potential impact and type of data you store, and who can access it.
AWS Documentation

Discover available AWS controls: For the AWS services you are or plan to use, discover the security controls. Many services have a security section in their documentation
AWS Documentation

Identify AWS compliance resources: Identify resources that AWS has available to assist.
https://aws.amazon.com/compliance/

Automate identification and classification

Use Amazon S3 Inventory: Amazon S3 Inventory Amazon S3 inventory is one of the tools you can use to audit and report on the replication and encryption status of your objects.
Amazon S3 Inventory

Consider Amazon Macie: Amazon Macie uses machine learning to automatically discover and classify data stored in Amazon S3.
Amazon Macie

Define data lifecycle management

Identify data types: Identify the types of data that you are storing or processing in your workload. That data could be text, images, binary databases, etc.