All articles
cloud-securityCERT-InDPDPcompliance

CERT-In 2022 & DPDP Act 2023: Technical Implementation in Cloud

India's two most operationally significant cyber regulations — CERT-In Directions 2022 and the Digital Personal Data Protection Act 2023 — impose specific technical obligations on cloud deployments. This article maps each requirement to concrete cloud configuration controls.

Ashish Revar3 July 202620 min read2 views

Two Regulations, One Technical Challenge

The CERT-In Directions 2022 (Ministry of Electronics and Information Technology, April 28, 2022) and the Digital Personal Data Protection Act 2023 (DPDP Act, enacted August 11, 2023) together form the most significant cloud security regulatory framework for Indian organisations. While the DPDP Act focuses on personal data protection and the CERT-In Directions focus on cybersecurity hygiene and incident reporting, they overlap at several critical points.

This article provides the technical implementation guide — not the legal interpretation — for cloud security teams responsible for compliance.

CERT-In 2022 Directions: Technical Requirements

Mandatory Log Retention (180 Days)

CERT-In requires all service providers, data centres, government organisations, and intermediaries to securely retain ICT logs for a rolling 180 days. In a cloud context, this applies to:

Log TypeAWS ServiceRetention Configuration
API/Management planeCloudTrailS3 lifecycle: retain 180 days in S3 Standard; tier to Glacier after 180 days; S3 Object Lock (Compliance Mode) prevents deletion
Network flowVPC Flow LogsCloudWatch Logs retention: 180 days minimum
ApplicationCloudWatch LogsLog group retention: 180 days (set per log group)
Database queryRDS Enhanced Monitoring + audit pluginCloudWatch Logs retention: 180 days
OS / instanceCloudWatch Agent → CloudWatch LogsLog group retention: 180 days
Security findingsGuardDuty findingsSecurity Hub → S3 export with 180-day lifecycle

CloudTrail 180-day configuration (example):

{
  "Rules": [
    {
      "ID": "CertInRetention",
      "Filter": "{}",
      "Status": "Enabled",
      "Transitions": [{"Days": 180, "StorageClass": "GLACIER"}],
      "Expiration": {"Days": 365}
    }
  ]
}

Mandatory Incident Reporting (6-Hour Window)

CERT-In requires reporting of "significant cyber incidents" to CERT-In within 6 hours of detection. The 6-hour clock starts at detection — not at the time the incident occurred.

Cloud security operations requirement: Your detection and alerting pipeline must be capable of generating a verified incident notification within 2 hours of an event, leaving 4 hours for investigation and formal reporting.

GuardDuty → EventBridge → Lambda → ITSM (JIRA/ServiceNow) can automate the incident ticket creation. The 6-hour reporting form must be submitted at cert-in.org.in — this is a manual step, but the supporting evidence (CloudTrail exports, VPC Flow Logs, GuardDuty findings) should be assembled automatically by the Lambda.

System Clock Synchronisation (NTP)

CERT-In requires all ICT infrastructure to synchronise to NDP/NIC STQC NTP servers. For AWS:

# EC2 Amazon Linux 2 / Amazon Linux 2023 default:
# Uses Amazon Time Sync Service (169.254.169.123)
# This is a stratum 1 server synchronised to GPS atomic clocks

# Verify
chronyc tracking

# For compliance requiring NIC STQC, add as additional source:
# /etc/chrony.conf
server time1.nic.in iburst
server time2.nic.in iburst
server 169.254.169.123 prefer

AWS-managed services (RDS, Lambda, ECS) use the Amazon Time Sync Service automatically. Custom EC2 instances must be verified.

ICT Infrastructure Audit

CERT-In requires annual IS audits by a CERT-In-empanelled auditor. Cloud-specific scope items:

  • CloudTrail coverage (all regions, all management events)
  • IAM access key age and rotation compliance
  • S3 public access settings
  • Encryption at rest for all data stores
  • VPC Flow Log coverage
  • Security Group rule review (especially port 22/3389 to 0.0.0.0/0)
  • GuardDuty enabled and findings addressed

DPDP Act 2023: Technical Requirements

Data Principal Rights: Technical Implementation

Right (Section)Technical Implementation
Right to information (§11)API/portal to retrieve all personal data held about a user
Right to correction/erasure (§12, §13)Soft-delete with tombstone; cascade to replicas and backups
Right to grievance redressal (§13)Ticketing system with SLA-bound response
Right to nominate (§14)Account delegation mechanism

Erasure in cloud environments is technically complex. A "deleted" RDS record may persist in:

  • Point-in-time recovery snapshots (up to 35 days)
  • Read replicas
  • Cross-region replica snapshots
  • S3 export from a Glue ETL job
  • CloudWatch Logs from the application

A true right-to-erasure implementation requires a data map of every system that holds a copy of the data, and a programmatic erasure workflow that covers all of them. This is why data minimisation (not collecting unnecessary data) is the most practical compliance strategy.

Data Localisation

The DPDP Act empowers the government to notify certain classes of personal data that must be processed only within India. The Rules (expected to be notified in 2024-25) will specify this list.

Cloud configuration control for pre-emptive data localisation:

{
  "Effect": "Deny",
  "Action": "*",
  "Resource": "*",
  "Condition": {
    "StringNotEquals": {
      "aws:RequestedRegion": ["ap-south-1"]
    },
    "ArnNotLike": {
      "aws:PrincipalArn": "arn:aws:iam::*:role/GlobalOperationsRole"
    }
  }
}

This SCP denies all actions outside ap-south-1 for all principals except a designated global operations role.

Breach Notification (§8)

The DPDP Act requires that a Data Fiduciary notify the Data Protection Board of India (DPBI) and each affected Data Principal of a personal data breach. Timelines are to be specified in Rules but are expected to be within 72 hours of awareness (aligned with GDPR precedent).

Cloud breach detection → notification pipeline:

  1. Macie finds Aadhaar numbers in a public S3 bucket (or GuardDuty detects exfiltration)
  2. EventBridge rule triggers Lambda
  3. Lambda creates P1 incident ticket
  4. Security team validates breach scope
  5. Legal/DPO team drafts DPBI notification
  6. Notification submitted via DPBI portal (when operational)

Overlap and Synergy

RequirementCERT-In 2022DPDP Act 2023Shared Control
Log retention180 daysAs needed for breach investigationS3 Object Lock, 180+ days
Incident reporting6 hours72 hours (expected)GuardDuty → automated ticket
AuditAnnual by empanelled auditorBoard-level accountabilityAWS Config, Security Hub
EncryptionNot specified"Appropriate safeguards"KMS encryption for all data stores
Access controlNot specified"Appropriate technical safeguards"IAM least privilege, MFA

Sign in to mark this article as read and track your progress.