Play out digital assets via S3 - GDPR compliant

Make use of S3 while protecting end-users data privacy and in compliance with GDPR.

Consumer related services / Social media


The customer operates several well-known brands around business services and operates a popular social network. Large parts of their platform services are upon Amazon Web Services public cloud technology. They are facilitating the EU region and are continuously migrating additional services.

From a security perspective, this is a sagacious decision. Nonetheless, with the EU-US Privacy Shield termination became a challenging and significant business risk to know if you are still in compliance with EU laws while being in the cloud. The privacy of personal data on social networks is vital.

The client needed help to understand these regulatory changes’ business impact and was looking to translate the resulting requirements into technology.


Alice&Bob.Company accompanied the customer, to ensure that cloud services are strictly being used in conformity with the GDPR requirements. Therefore, all Personal Identifiable Information (PII) needed to be encrypted, at rest and in transit.

One of the key priorities was to ensure secure and encrypted usage of the S3 service in conjunctions with CloudFront. One of the key challenges was to serve encrypted S3 assets to authorized non-AWS entities (profile pictures for users, etc). When using encrypted buckets in S3, you need so-called pre-signed URLs. Those are useful if you want your user/customer to download a specific S3 object. Pre-signed URLs with key rotation are not supported out-of-the-box when using Amazon S3 with customer-managed keys (SSE-KMS).

Lambda, EC2, KMS, CloudFront, CloudFormation

A&B's asset server microservice provided GDPR compliant usage of S3 and CloudFront - easy and reliable!


Alice&Bob.Company introduced completely configurable, encrypted S3 buckets taking advantage of the AWS KMS CMK feature. As a result, the customer received flexible access controls to S3 buckets, leveraging the best practice.

Besides Alice&Bob.Company developed a custom-tailored asset server, enabling the customer to use singed URLs to authorize access to protected assets on encrypted S3 Bucket within CloudFront. Having a comfortable and maintenance-free way to automate key rotation comes as a bonus.

The client takes data privacy for their customers very seriously. In the project, we were able to take a heavy burden off the customer's shoulders after the termination of the EU privacy shield. Now, the client uses our automated key-rotation microservice within different other projects.


We’ve been the first AWS partner in DACH, focussing crystal clear on Cloud Security. We’re providing cloud security expert advice to C-level executives, management roles, product teams and engineers. We integrate and enable.

Managed Container & Serverless Security

Have you heard about Kubernetes Security Posture Management (KSPM)? Keep a clear view on your Cloud and Serverless Security with A&B’s Managed Container & Serverless Security.