BSI IT-Grundschutz is the dominant security standard for German authorities, public institutions and KRITIS operators. Organisations using AWS must demonstrate that Grundschutz requirements are met — both on the cloud provider side and in their own configuration. This article shows how key BSI IT-Grundschutz building blocks map to AWS services, what the BSI C5 Type II attestation from AWS delivers, and which measures organisations must implement themselves.

BSI IT-Grundschutz: Foundations for Cloud Use

The BSI IT-Grundschutz is a framework developed by the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) for systematic information security. It consists of BSI Standard 200-1 (ISMS), 200-2 (IT-Grundschutz methodology), 200-3 (risk analysis) and the IT-Grundschutz Compendium with several hundred building blocks.

For cloud use, building block OPS.2.2 Cloud Use is central. It defines requirements for authorities and organisations using cloud services — divided into basic, standard and enhanced protection requirements. Complementing this, building block OPS.3.2 Cloud Provider applies to cloud providers.

IT-Grundschutz distinguishes three protection need levels:

Normal
Damage effects are limited and manageable. Standard measures from the IT-Grundschutz Compendium are sufficient. Most government applications without special sensitivity fall into this category.
High
Damage effects can be significant. Additional security measures beyond the standard are required. Affects e.g. financial systems, mass personal information, critical administrative systems.
Very high
Damage effects can be existentially threatening or catastrophic. Individually tailored protection measures, often linked to classified information regulations. Cloud use only with special measures (dedicated infrastructure, own encryption keys).

BSI C5 and AWS: What the Attestation Covers

The BSI C5 (Cloud Computing Compliance Criteria Catalogue) is the BSI's own audit scheme for cloud services. AWS holds a C5 Type II attestation — the highest level, where an independent auditor confirms the effectiveness of measures over a period of time.

The C5 attestation covers 17 requirement domains that directly support BSI IT-Grundschutz building blocks:

C5 Domain                        | Relevant Grundschutz Building Blocks | AWS Evidence in Attestation
---------------------------------|--------------------------------------|------------------------------------------------
Organisational security          | ISMS.1, ORP.1, ORP.2                 | Security policies, roles, training
Identity and access management   | ORP.4, APP.2.1                       | IAM controls, MFA, privileged access management
Cryptography and key management  | CON.1                                | AWS KMS, hardware security modules
Communication security           | NET.1.1, NET.1.2                     | TLS enforcement, VPC isolation, PrivateLink
Physical security                | INF.1, INF.2                         | Data centre controls, access security
Logging and monitoring           | DER.1, DER.2.1                       | CloudTrail, CloudWatch, Security Hub
Emergency management             | DER.4                                | Multi-AZ, automatic failover, DR tests
Portability and interoperability | OPS.2.2                              | Open APIs, data export options

Important: the C5 attestation covers the infrastructure side of AWS — not customer configuration. Authorities must mark the AWS-fulfilled requirements as demonstrated in their Grundschutz documentation and add their own measures for customer-side responsibilities.

Building Block OPS.2.2 Cloud Use: Measures on AWS

  1. OPS.2.2.A1 — Create a cloud use policy: Documentation of which data may be processed in which cloud services. On AWS: AWS Organizations with Service Control Policies (SCPs) enforce policies technically — only approved services can be used.
  2. OPS.2.2.A3 — Create a security concept for cloud use: Protection needs assessment for all cloud-used systems and data. On AWS: AWS Config with Conformance Packs maps the target state and checks continuously.
  3. OPS.2.2.A11 — Encryption in cloud use: Encryption of all stored and transmitted data. On AWS: AWS KMS for key management, S3 SSE-KMS, EBS encryption, TLS enforcement via Service Control Policies.
  4. OPS.2.2.A12 — Maintaining operational security: Patch management, vulnerability scanning. On AWS: AWS Systems Manager Patch Manager, Amazon Inspector, AWS Security Hub for central vulnerability management.
  5. OPS.2.2.A13 — Evidence of adequate information security: Regular audits and evidence. On AWS: AWS Audit Manager with pre-built frameworks (GDPR, BSI C5), automatic evidence collection for audits.

Identity and Access Management: Grundschutz ORP.4 on AWS

Grundschutz building block ORP.4 (identity and permissions management) places strict requirements on user and rights management.

AWS IAM Identity Center
Central identity management for all AWS accounts in an organisation. Connection to authority directories (Active Directory, LDAP) via SAML 2.0. MFA enforceable for all users. Role-based access control (RBAC) with Permission Sets — aligned with Grundschutz least privilege requirements.
AWS IAM Roles with Condition Keys
Fine-grained access control: access only from defined IP ranges, only at specific times, only on specific resource tags. Full auditability of all access via CloudTrail — evidence for ORP.4.A16 (management of privileged user accounts).
AWS Organizations with Service Control Policies
Organisation-wide guardrails: no root account access in production accounts, no disabling of CloudTrail, resources only in approved regions. SCPs act as preventive controls — Grundschutz need-to-know principle technically enforced.
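The guardrails named in this section (no root use in member accounts, CloudTrail cannot be disabled, approved regions only) together with the OPS.2.2.A1 service restriction and the OPS.2.2.A11 TLS enforcement from the list above, written as one SCP document with a small local evaluator so the policy can be checked offline before it is attached in AWS Organizations. This is an added example, not Storm Reply's or AWS's code; the approved-region list, the global-service exception list and the evaluator's reduced subset of IAM condition logic (explicit Deny statements with StringNotEquals, ArnLike and Bool only) are assumptions.

```python
import fnmatch
APPROVED_REGIONS = ["eu-central-1", "eu-west-1"]   # assumed approved regions for this organisation
# Global services are served out of us-east-1 and must stay callable despite the region guardrail
GLOBAL_ACTIONS = ["iam:*", "organizations:*", "sts:*", "cloudfront:*", "route53:*", "support:*"]

GUARDRAIL_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyOutsideApprovedRegions", "Effect": "Deny", "Resource": "*",   # OPS.2.2.A1: approved regions only
     "NotAction": GLOBAL_ACTIONS,
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}}},
    {"Sid": "ProtectCloudTrail", "Effect": "Deny", "Resource": "*",            # DER.1: trail cannot be switched off
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"]},
    {"Sid": "DenyRootUser", "Effect": "Deny", "Action": "*", "Resource": "*",  # ORP.4: no root use in member accounts
     "Condition": {"ArnLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Action": "*", "Resource": "*",  # OPS.2.2.A11: TLS only
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

def _as_list(v):
    return v if isinstance(v, list) else [v]
def _any_match(value, patterns):
    return value is not None and any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_holds(cond, ctx):
    # Small subset of IAM's condition logic: every key in the block must hold (logical AND)
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringNotEquals":        # a missing key counts as "not equal", as in IAM
                ok = actual not in _as_list(expected)
            elif operator in ("StringLike", "ArnLike"):
                ok = _any_match(actual, expected)
            elif operator == "Bool":
                ok = str(actual).lower() == str(expected).lower()
            else:
                raise ValueError(f"condition operator {operator} is not modelled here")
            if not ok:
                return False
    return True

def denied_by(scp, action, ctx):
    """Return the Sid of the first explicit Deny matching the request context, or None."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "Action" in stmt:
            applies = _any_match(action, stmt["Action"])
        else:                                        # NotAction: everything except the listed actions
            applies = not _any_match(action, stmt["NotAction"])
        if applies and _condition_holds(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None
```

The real IAM engine also evaluates Allow statements, identity and resource policies and permission boundaries; this evaluator only answers whether the organisation-level SCP would block a call.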

Network Security: Grundschutz NET.1.1 on AWS

NET.1.1 requires structured network segmentation with defined security zones. On AWS, the Amazon Virtual Private Cloud (VPC) is the foundation:

Grundschutz Requirement          | AWS Implementation
---------------------------------|-------------------------------------------------------------------------
Segmentation into security zones | VPC with public and private subnets, separate VPCs per protection level
Stateful packet filtering        | Security Groups (stateful), Network ACLs (stateless) combined
Control of outbound connections  | AWS Network Firewall with stateful inspection and URL filtering
Encrypted connections            | AWS VPN / AWS Direct Connect for on-premises connections, TLS everywhere
Intrusion detection              | Amazon GuardDuty with VPC Flow Log analysis, AWS Network Firewall IPS
Network logging                  | VPC Flow Logs in CloudWatch / S3, immutably archived

Logging and Monitoring: Grundschutz DER.1 on AWS

Grundschutz building block DER.1 requires complete, centralised and immutable logging. On AWS:

  1. AWS CloudTrail: All API calls across all AWS services logged. Enable multi-region trail, store CloudTrail logs in S3 with Object Lock (Compliance Mode, minimum 10 years for public sector). CloudTrail Insights for automatic anomaly detection.
  2. Amazon CloudWatch Logs: Centralised collection of OS and application logs. Log groups with immutable storage, retention policies per protection level. Metric Filters for automatic alerts on security-relevant events.
  3. AWS Security Hub: Aggregation of all security findings from GuardDuty, Inspector, Config, Macie and third-party tools. Automatic prioritisation by CVSS score. Foundation for the Grundschutz proof of "detection system present and operated".
  4. Amazon Security Lake: For larger authorities: central security data lake in OCSF format (Open Cybersecurity Schema Framework). Integration with SIEM systems (IBM QRadar, Splunk, Microsoft Sentinel) for SOC operations.
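To make the "metric filters for security-relevant events" in item 2 concrete, the following added example (not from the original article or Storm Reply) runs three detection rules over constructed CloudTrail records of the kind CloudTrail delivers to CloudWatch Logs: root account use, console login without MFA, and attempts to stop or alter the trail. The event records, rule names and the choice of fields are assumptions; the rules test the same CloudTrail fields a metric filter pattern would.

```python
# Constructed CloudTrail records, trimmed to the fields the rules inspect (not real log data)
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-02T08:01:10Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "203.0.113.10", "awsRegion": "us-east-1"},
    {"eventTime": "2024-05-02T08:05:33Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "198.51.100.7", "awsRegion": "us-east-1"},
    {"eventTime": "2024-05-02T09:12:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob"},
     "requestParameters": {"name": "org-trail"}, "sourceIPAddress": "198.51.100.7", "awsRegion": "eu-central-1"},
    {"eventTime": "2024-05-02T09:15:41Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/App/i-0abc"},
     "sourceIPAddress": "10.0.1.5", "awsRegion": "eu-central-1"},
]

def _mfa_used(ev):
    return ev.get("additionalEventData", {}).get("MFAUsed") == "Yes"

# Each rule tests the same CloudTrail fields a CloudWatch metric filter would (assumed rule set)
RULES = {
    "RootAccountUsage": lambda ev: ev["userIdentity"]["type"] == "Root",
    "ConsoleLoginWithoutMFA": lambda ev: ev["eventName"] == "ConsoleLogin"
        and ev.get("responseElements", {}).get("ConsoleLogin") == "Success" and not _mfa_used(ev),
    "CloudTrailTampering": lambda ev: ev["eventSource"] == "cloudtrail.amazonaws.com"
        and ev["eventName"] in {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
}

def evaluate(events):
    """Return one alert per (rule, event) hit in event-time order; this is what an alarm or SIEM would receive."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        for rule, predicate in RULES.items():
            if predicate(ev):
                alerts.append({"rule": rule, "time": ev["eventTime"], "actor": ev["userIdentity"]["arn"],
                               "event": ev["eventSource"] + ":" + ev["eventName"], "ip": ev["sourceIPAddress"]})
    return alerts

def counts_by_rule(events):
    """Per-rule hit counts, the value a metric filter publishes as a CloudWatch metric."""
    summary = {}
    for alert in evaluate(events):
        summary[alert["rule"]] = summary.get(alert["rule"], 0) + 1
    return summary
```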

Frequently Asked Questions About BSI IT-Grundschutz and AWS

What is the difference between BSI IT-Grundschutz and BSI C5?
BSI IT-Grundschutz is a comprehensive framework for information security in organisations — with building blocks for all IT systems. BSI C5 is an audit scheme specifically designed for cloud services that cloud providers can be audited against. C5 can be used as evidence within a Grundschutz-certified ISMS.
Is AWS BSI C5 Type II attested?
Yes. AWS holds a BSI C5 Type II attestation — requirements were audited by an independent examiner over a period of time and confirmed. The current attestation is available at aws.amazon.com/compliance/bsi-c5/.
May German federal authorities use AWS?
Federal authorities can use AWS — subject to BSI minimum requirements, IT-Grundschutz and any classified information regulations. For normal protection needs (including VS-NfD with special measures), AWS use is generally possible.
Which AWS region should German authorities use?
For the public sector, eu-central-1 (Frankfurt) is recommended as the primary region — data remains in Germany. AWS Dedicated Local Zones offer dedicated infrastructure for critical workloads. AWS EU Sovereign Cloud is in preparation and will offer even stronger data sovereignty.

Storm Reply: Grundschutz-Compliant Cloud for German Public Sector

Storm Reply — AWS Premier Consulting Partner in the DACH market with AWS Public Sector competency — supports German authorities and public institutions in BSI IT-Grundschutz-compliant cloud use. Our approach: treat Grundschutz building blocks as architecture requirements, not a checkbox exercise.

From initial Grundschutz gap assessment through designing a Grundschutz-compliant Landing Zone on AWS to building a complete ISMS with automated evidence collection — Storm Reply accompanies public institutions along the entire path to compliant cloud. Storm Reply — AWS Premier Consulting Partner DACH.
