How to create a compliant bucket to host healthcare data
When hosting healthcare data using Scaleway Object Storage, you must follow the recommendations outlined in the shared responsibility model to ensure compliance with legal and regulatory requirements, such as data protection laws and industry standards.
Adhering to these guidelines helps safeguard sensitive information against unauthorized access, breaches, and data loss, while also clarifying the roles and responsibilities between the cloud provider and the customer.
This documentation provides the following elements:
- A procedure to create a compliant bucket
- Information on prohibited actions
- Compliant encryption methods
- Compliant deletion methods
- A checklist to ensure you are ready to safely store healthcare data
Before you start
To complete the actions presented below, you must have:
- A Scaleway account logged into the console
- Owner status or IAM permissions allowing you to perform actions in the intended Organization
- Signed an HDS contract with Scaleway for the guarantees outlined in the shared responsibility model to apply
How to create a compliant bucket
To host healthcare data in compliance with HDS requirements, you must create a new bucket. This is to make sure that no lifecycle rule exists, and that every object uploaded to this bucket is properly encrypted.
- Click Object Storage on the left side menu of the console. The Object Storage dashboard displays.
- Click + Create bucket. The bucket creation page displays.
- Enter a name for your bucket.
- Select the Paris region.
- Set the bucket visibility to Private.
- Select a use case for your bucket.
- Enable bucket versioning if you want to store multiple versions of your objects (this may lead to higher storage costs).
- Optionally, you can use the cost estimator to estimate your Object Storage costs.
- Click Create bucket to confirm.
- If you use an encryption mechanism other than SSE-C, enable bucket encryption using the PutBucketEncryption action.
Your bucket is now ready to store healthcare data. Before uploading objects to the bucket, refer to the sections below for information on how to encrypt and delete your objects in compliance with regulations.
Prohibited actions on a compliant bucket
To host healthcare data, you must comply with the following requirements:
- You must not use an existing bucket.
- You must not use the Glacier storage class. Refer to the Shared responsibility model for more information on this requirement.
- You must not use lifecycle rules in your compliant bucket.
- If you use a customer-side encryption mechanism, you must not delete the bucket encryption.
How to encrypt objects
Objects in a compliant bucket must be encrypted to make sure data is protected. To achieve this, you can either use Scaleway's SSE-C feature, or encrypt objects yourself before uploading them to your bucket.
Encryption with SSE-C
Scaleway's SSE-C (Server-Side Encryption with Customer-provided keys) mechanism guarantees that objects uploaded to the bucket are properly encrypted.
You can check that your objects are properly encrypted by performing a simple HeadObject operation on an encrypted object without the SSE-C headers. Scaleway Object Storage will return a 400 error if SSE-C has been used to upload this object.
Refer to the dedicated documentation for comprehensive information on how to encrypt objects using SSE-C.
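The HeadObject check described above, scripted as an added example (not part of the Scaleway documentation): the object is uploaded with SSE-C, then a HeadObject without the SSE-C headers must come back as HTTP 400. It assumes a boto3 client (boto3 installed, credentials in SCW_ACCESS_KEY and SCW_SECRET_KEY) and the Paris endpoint https://s3.fr-par.scw.cloud; the bucket name, object key and payload are constructed placeholders.

```python
import os
from typing import Any

def make_client() -> Any:
    """Build a boto3 S3 client for Scaleway's fr-par endpoint. Assumption: boto3 is
    installed and SCW_ACCESS_KEY / SCW_SECRET_KEY are set in the environment."""
    import boto3  # imported lazily so the check functions stay dependency-free
    return boto3.client(
        "s3",
        region_name="fr-par",
        endpoint_url="https://s3.fr-par.scw.cloud",
        aws_access_key_id=os.environ["SCW_ACCESS_KEY"],
        aws_secret_access_key=os.environ["SCW_SECRET_KEY"],
    )

def sse_c_params(key: bytes) -> dict:
    """SSE-C parameters for boto3 calls; botocore base64-encodes the key and
    adds the key-MD5 header itself."""
    if len(key) != 32:
        raise ValueError("SSE-C needs a 256-bit (32-byte) key")
    return {"SSECustomerAlgorithm": "AES256", "SSECustomerKey": key}

def is_sse_c_protected(client: Any, bucket: str, key: str) -> bool:
    """The check described above: HeadObject *without* the SSE-C headers must be
    rejected with HTTP 400. An object readable without the key was not stored
    with SSE-C (any other error, e.g. 403/404, is also reported as not verified)."""
    try:
        client.head_object(Bucket=bucket, Key=key)
    except Exception as exc:  # botocore ClientError exposes the HTTP status here
        meta = getattr(exc, "response", {}).get("ResponseMetadata", {})
        return meta.get("HTTPStatusCode") == 400
    return False

def upload_verify_delete(client: Any, bucket: str, key: str, body: bytes, secret: bytes) -> bool:
    """Upload with SSE-C, verify the object is protected, then delete it; for
    SSE-C objects a plain DeleteObject is sufficient (see the deletion section)."""
    client.put_object(Bucket=bucket, Key=key, Body=body, **sse_c_params(secret))
    protected = is_sse_c_protected(client, bucket, key)
    client.delete_object(Bucket=bucket, Key=key)
    return protected

if __name__ == "__main__":
    # Constructed demo payload and throwaway key; real SSE-C keys must be managed and kept.
    demo_key = os.urandom(32)
    print(upload_verify_delete(make_client(), "hds-bucket-example", "record.bin", b"sample", demo_key))
```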
Customer-side encryption
Customer-side encryption ensures that sensitive data is protected before reaching Scaleway Object Storage, giving you control over the encryption mechanism, and key management. This method must be used in combination with Scaleway's HDS-compliant deletion method.
How to delete objects
Objects must be deleted in a compliant way to make sure data cannot be retrieved by any means immediately afterward. When using the HDS-compliant method (using the PutBucketEncryption action), Scaleway encrypts your uploaded objects with a dedicated key that will be instantly deleted upon receiving a deletion request for the targeted objects.
This mechanism guarantees your objects cannot be immediately retrieved, even if it takes additional time to process the deletion of all the remaining chunks of your deleted objects.
Deleting objects encrypted with SSE-C
If you use Scaleway's SSE-C to encrypt your data, using DeleteObject is sufficient to guarantee that your object is deleted in compliance with the regulatory requirements.
Deleting objects with customer-side encryption
If you do not use Scaleway's SSE-C to encrypt your data, you must use Scaleway's HDS-compliant method to delete objects. You must enable bucket encryption beforehand, using the PutBucketEncryption operation.
Enforcing compliance using bucket policies
To enforce compliance regarding the storage class and lifecycle rules, you can set up a bucket policy. Bucket policies automatically deny any action that is not explicitly allowed in a statement, allowing for fine-grained permissions management.
Refer to the dedicated documentation for more information on bucket policies.
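An allow-list bucket policy for a compliant bucket, with a local audit function, as an added example that is not part of the Scaleway documentation. Because a bucket policy denies anything not explicitly allowed, granting a principal only object-level actions leaves lifecycle-rule management denied; the audit flags any Allow statement that could still grant it (wildcards included). The policy format used here (version 2023-04-17, a "SCW" principal, bare bucket-name resources) is the author's understanding of Scaleway's bucket policies and should be checked against the bucket-policy documentation; the bucket name and principal id are placeholders.

```python
import json

# Actions that would let a principal create or read lifecycle rules on the bucket
LIFECYCLE_ACTIONS = {"s3:PutLifecycleConfiguration", "s3:GetLifecycleConfiguration"}
# The only actions a data-handling principal needs on a compliant bucket
OBJECT_ACTIONS = ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"]

def compliant_policy(bucket: str, principal: str) -> dict:
    """Allow-list policy: anything not listed (lifecycle rules included) is denied.
    Assumption: Scaleway policy format with version 2023-04-17, a "SCW"
    principal (user_id:<id> or application_id:<id>) and bare bucket resources."""
    return {
        "Version": "2023-04-17",
        "Id": "hds-compliant-bucket",
        "Statement": [{
            "Sid": "ObjectAccessOnly",
            "Effect": "Allow",
            "Principal": {"SCW": principal},
            "Action": OBJECT_ACTIONS,
            "Resource": [bucket, f"{bucket}/*"],
        }],
    }

def _expand(action: str) -> set:
    """Resolve one action entry, wildcards included, against LIFECYCLE_ACTIONS."""
    if action in ("*", "s3:*"):
        return set(LIFECYCLE_ACTIONS)
    if action.endswith("*"):
        return {a for a in LIFECYCLE_ACTIONS if a.startswith(action[:-1])}
    return {action} & LIFECYCLE_ACTIONS

def lifecycle_actions_allowed(policy: dict) -> set:
    """Lifecycle actions that some Allow statement could grant (empty set = good)."""
    allowed = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        for a in ([actions] if isinstance(actions, str) else actions):
            allowed |= _expand(a)
    return allowed

if __name__ == "__main__":
    # Placeholder principal: replace with the real IAM user or application id.
    policy = compliant_policy("hds-bucket-example", "user_id:<USER_ID>")
    assert not lifecycle_actions_allowed(policy)
    print(json.dumps(policy, indent=2))  # pass this string to put_bucket_policy as Policy=
```

Add a separate statement for the administrative principal that has to manage the policy itself, and confirm in the bucket-policy documentation how the policy applies to the bucket owner before putting it on a production bucket.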
Compliant bucket creation checklist
Make sure that your bucket follows the requirements below:
- Make sure that you created your bucket in the France - Paris (fr-par) region.
- Use bucket policies to restrict permissions and prevent unwanted operations.
- Make sure that there are no active lifecycle rules for your bucket.
- Make sure that your objects within this bucket are not stored using the Glacier storage class.
- Use a valid encryption method.
- Configure your bucket for compliant HDS deletion.
- Follow the provided security best practices at all times.
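A read-only audit of an existing bucket against the checklist above, as an added example that is not part of the Scaleway documentation. It checks the region, the absence of lifecycle rules, the presence of bucket encryption (needed for HDS-compliant deletion unless you rely on SSE-C) and of a bucket policy, and walks every object looking for the Glacier storage class. It assumes a boto3-style client and that a bucket without lifecycle rules answers with the NoSuchLifecycleConfiguration error code, as the AWS API does; the bucket name is a placeholder.

```python
from typing import Any

GLACIER = "GLACIER"  # Scaleway's cold storage class, prohibited for healthcare data

def _error_code(exc: Exception) -> str:
    """Error code of a botocore ClientError-like exception ("" if none)."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "")

def audit_bucket(client: Any, bucket: str) -> dict:
    """One boolean per checklist item (True = compliant), gathered read-only."""
    findings = {}
    loc = client.get_bucket_location(Bucket=bucket).get("LocationConstraint")
    findings["region_fr_par"] = loc == "fr-par"
    try:  # assumption: a bucket without rules answers NoSuchLifecycleConfiguration
        client.get_bucket_lifecycle_configuration(Bucket=bucket)
        findings["no_lifecycle_rules"] = False
    except Exception as exc:
        findings["no_lifecycle_rules"] = _error_code(exc) == "NoSuchLifecycleConfiguration"
    try:  # bucket encryption (PutBucketEncryption) is required unless you rely on SSE-C
        client.get_bucket_encryption(Bucket=bucket)
        findings["bucket_encryption_set"] = True
    except Exception:
        findings["bucket_encryption_set"] = False
    try:  # a bucket policy must be present to restrict permissions
        client.get_bucket_policy(Bucket=bucket)
        findings["policy_present"] = True
    except Exception:
        findings["policy_present"] = False
    findings["no_glacier_objects"] = True
    token = None
    while True:  # walk every object page and flag anything stored in Glacier
        kwargs = {"Bucket": bucket}
        if token:
            kwargs["ContinuationToken"] = token
        page = client.list_objects_v2(**kwargs)
        if any(o.get("StorageClass") == GLACIER for o in page.get("Contents", [])):
            findings["no_glacier_objects"] = False
        token = page.get("NextContinuationToken")
        if not page.get("IsTruncated") or not token:
            break
    return findings

def is_compliant(findings: dict) -> bool:
    return all(findings.values())

if __name__ == "__main__":
    import boto3  # assumption: boto3 installed and Scaleway credentials configured
    client = boto3.client("s3", region_name="fr-par", endpoint_url="https://s3.fr-par.scw.cloud")
    print(audit_bucket(client, "hds-bucket-example"))
```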
Refer to the Object Storage Shared Responsibility Model for comprehensive information on the legal framework to host healthcare data.