CERT-In 2022 & DPDP Act 2023: Technical Implementation in Cloud
India's two most operationally significant cyber regulations — CERT-In Directions 2022 and the Digital Personal Data Protection Act 2023 — impose specific technical obligations on cloud deployments. This article maps each requirement to concrete cloud configuration controls.
Two Regulations, One Technical Challenge
The CERT-In Directions 2022 (Ministry of Electronics and Information Technology, April 28, 2022) and the Digital Personal Data Protection Act 2023 (DPDP Act, enacted August 11, 2023) together form the most significant cloud security regulatory framework for Indian organisations. While the DPDP Act focuses on personal data protection and the CERT-In Directions focus on cybersecurity hygiene and incident reporting, they overlap at several critical points.
This article provides the technical implementation guide — not the legal interpretation — for cloud security teams responsible for compliance.
CERT-In 2022 Directions: Technical Requirements
Mandatory Log Retention (180 Days)
CERT-In requires all service providers, data centres, government organisations, and intermediaries to securely retain ICT logs for a rolling 180 days. In a cloud context, this applies to:
| Log Type | AWS Service | Retention Configuration |
|---|---|---|
| API/Management plane | CloudTrail | S3 lifecycle: retain 180 days in S3 Standard; tier to Glacier after 180 days; S3 Object Lock (Compliance Mode) prevents deletion |
| Network flow | VPC Flow Logs | CloudWatch Logs retention: 180 days minimum |
| Application | CloudWatch Logs | Log group retention: 180 days (set per log group) |
| Database query | RDS Enhanced Monitoring + audit plugin | CloudWatch Logs retention: 180 days |
| OS / instance | CloudWatch Agent → CloudWatch Logs | Log group retention: 180 days |
| Security findings | GuardDuty findings | Security Hub → S3 export with 180-day lifecycle |
CloudTrail 180-day configuration (example):
{
"Rules": [
{
"ID": "CertInRetention",
"Filter": "{}",
"Status": "Enabled",
"Transitions": [{"Days": 180, "StorageClass": "GLACIER"}],
"Expiration": {"Days": 365}
}
]
}
Mandatory Incident Reporting (6-Hour Window)
CERT-In requires reporting of "significant cyber incidents" to CERT-In within 6 hours of detection. The 6-hour clock starts at detection — not at the time the incident occurred.
Cloud security operations requirement: Your detection and alerting pipeline must be capable of generating a verified incident notification within 2 hours of an event, leaving 4 hours for investigation and formal reporting.
GuardDuty → EventBridge → Lambda → ITSM (JIRA/ServiceNow) can automate the incident ticket creation. The 6-hour reporting form must be submitted at cert-in.org.in — this is a manual step, but the supporting evidence (CloudTrail exports, VPC Flow Logs, GuardDuty findings) should be assembled automatically by the Lambda.
System Clock Synchronisation (NTP)
CERT-In requires all ICT infrastructure to synchronise to NDP/NIC STQC NTP servers. For AWS:
# EC2 Amazon Linux 2 / Amazon Linux 2023 default:
# Uses Amazon Time Sync Service (169.254.169.123)
# This is a stratum 1 server synchronised to GPS atomic clocks
# Verify
chronyc tracking
# For compliance requiring NIC STQC, add as additional source:
# /etc/chrony.conf
server time1.nic.in iburst
server time2.nic.in iburst
server 169.254.169.123 prefer
AWS-managed services (RDS, Lambda, ECS) use the Amazon Time Sync Service automatically. Custom EC2 instances must be verified.
ICT Infrastructure Audit
CERT-In requires annual IS audits by a CERT-In-empanelled auditor. Cloud-specific scope items:
- CloudTrail coverage (all regions, all management events)
- IAM access key age and rotation compliance
- S3 public access settings
- Encryption at rest for all data stores
- VPC Flow Log coverage
- Security Group rule review (especially port 22/3389 to 0.0.0.0/0)
- GuardDuty enabled and findings addressed
DPDP Act 2023: Technical Requirements
Data Principal Rights: Technical Implementation
| Right (Section) | Technical Implementation |
|---|---|
| Right to information (§11) | API/portal to retrieve all personal data held about a user |
| Right to correction/erasure (§12, §13) | Soft-delete with tombstone; cascade to replicas and backups |
| Right to grievance redressal (§13) | Ticketing system with SLA-bound response |
| Right to nominate (§14) | Account delegation mechanism |
Erasure in cloud environments is technically complex. A "deleted" RDS record may persist in:
- Point-in-time recovery snapshots (up to 35 days)
- Read replicas
- Cross-region replica snapshots
- S3 export from a Glue ETL job
- CloudWatch Logs from the application
A true right-to-erasure implementation requires a data map of every system that holds a copy of the data, and a programmatic erasure workflow that covers all of them. This is why data minimisation (not collecting unnecessary data) is the most practical compliance strategy.
Data Localisation
The DPDP Act empowers the government to notify certain classes of personal data that must be processed only within India. The Rules (expected to be notified in 2024-25) will specify this list.
Cloud configuration control for pre-emptive data localisation:
{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": ["ap-south-1"]
},
"ArnNotLike": {
"aws:PrincipalArn": "arn:aws:iam::*:role/GlobalOperationsRole"
}
}
}
This SCP denies all actions outside ap-south-1 for all principals except a designated global operations role.
Breach Notification (§8)
The DPDP Act requires that a Data Fiduciary notify the Data Protection Board of India (DPBI) and each affected Data Principal of a personal data breach. Timelines are to be specified in Rules but are expected to be within 72 hours of awareness (aligned with GDPR precedent).
Cloud breach detection → notification pipeline:
- Macie finds Aadhaar numbers in a public S3 bucket (or GuardDuty detects exfiltration)
- EventBridge rule triggers Lambda
- Lambda creates P1 incident ticket
- Security team validates breach scope
- Legal/DPO team drafts DPBI notification
- Notification submitted via DPBI portal (when operational)
Overlap and Synergy
| Requirement | CERT-In 2022 | DPDP Act 2023 | Shared Control |
|---|---|---|---|
| Log retention | 180 days | As needed for breach investigation | S3 Object Lock, 180+ days |
| Incident reporting | 6 hours | 72 hours (expected) | GuardDuty → automated ticket |
| Audit | Annual by empanelled auditor | Board-level accountability | AWS Config, Security Hub |
| Encryption | Not specified | "Appropriate safeguards" | KMS encryption for all data stores |
| Access control | Not specified | "Appropriate technical safeguards" | IAM least privilege, MFA |
Sign in to mark this article as read and track your progress.