
Chapter 8 of 20

AWS Security, Governance, and AWS Compliance

Connect the dots between security controls, governance requirements, and industry regulations by exploring how AWS Compliance and governance tools support regulated workloads.

27 min read

Big Picture: Security, Governance, and Compliance on AWS

Why This Module Matters

You know IAM and the shared responsibility model. Now we connect them to governance and compliance: how AWS helps you meet laws, standards, and internal rules.

What You Will Learn

You will describe AWS Compliance programs, map responsibilities, see key governance tools, and learn where to get AWS audit reports via AWS Artifact.

Three Layers to Picture

Think in layers: regulations and standards at the top, AWS platform controls in the middle, and your workload controls at the bottom. Compliance spans all three.

Core Concept: AWS Compliance Programs and Certifications

What Is AWS Compliance?

AWS Compliance is the collection of programs, certifications, attestations, and frameworks that show how AWS meets security, privacy, and risk requirements.

Standards and Attestations

Examples: ISO 27001/27017/27018 and SOC 1/2/3 reports. These are independent assessments of AWS security and operational controls.

Industry and Regional Programs

Examples: PCI DSS for card data, HIPAA-eligible services for healthcare, and GDPR support tools for EU personal data. AWS compliance helps, but does not replace your own responsibilities.

Revisiting the AWS Shared Responsibility Model for Compliance

Canonical Definition

Remember the AWS shared responsibility model: "Security and compliance are shared responsibilities between AWS and the customer."

Of the Cloud vs In the Cloud

AWS secures and proves compliance "of" the cloud (data centers, hardware). You secure and prove compliance "in" the cloud (data, access, configs).

Shared Controls and Exam Trap

Some controls are shared (like patching). A compliant service does not make your app compliant by default. You must configure and operate it correctly.

Worked Scenarios: Who Owns Which Compliance Tasks?

Scenario: PCI DSS on AWS

Retailer on EC2 and S3. AWS provides PCI DSS compliant infrastructure; the customer must encrypt card data, lock down IAM, and secure S3 buckets.

Scenario: HIPAA on AWS

Healthcare startup stores PHI in RDS and S3. AWS offers HIPAA-eligible services and a BAA; the customer must design HIPAA-compliant architectures.

Visualizing Responsibilities

Picture a table: rows of tasks (physical security, app code, encryption). AWS owns the lower layers; the customer owns app and data layers.

Governance in the AWS Cloud: Policies, Guardrails, and Visibility

What Is Governance?

Governance is how your organization directs and controls cloud use: policies like "encrypt data" and the mechanisms to enforce and monitor those policies.

AWS Organizations and SCPs

AWS Organizations groups accounts. Service Control Policies set maximum permissions, such as blocking users from disabling logging in production accounts.
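As an added illustration (not code from the course page or from AWS), the block below builds a constructed SCP that denies changes to CloudTrail logging and models the two SCP behaviours this section relies on: an SCP only caps what an account can do, and an explicit Deny wins over any Allow. The policy document, the evaluator and its simplifications (no Condition blocks, resource ARNs, NotAction, or IAM identity policies) are assumptions made for this example; the CloudTrail action names themselves are real API actions.

```python
"""Added example (not from the course page or AWS): a minimal model of how a
Service Control Policy (SCP) caps permissions in a member account.

Assumptions, labelled here: the SCP below is a constructed document written
for this example; the evaluator implements only the two SCP behaviours the
page relies on (an SCP sets a maximum, an explicit Deny wins over any Allow)
and ignores features of real policy evaluation such as conditions, resource
ARNs, NotAction and IAM identity policies.
"""
import fnmatch
import json

# Constructed SCP: keep anyone in a production OU from switching off or
# weakening CloudTrail logging. The action names are real CloudTrail APIs.
DENY_LOGGING_CHANGES_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowEverythingByDefault",
         "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "ProtectCloudTrail",
         "Effect": "Deny",
         "Action": ["cloudtrail:StopLogging",
                    "cloudtrail:DeleteTrail",
                    "cloudtrail:UpdateTrail",
                    "cloudtrail:PutEventSelectors"],
         "Resource": "*"},
    ],
})


def _matches(pattern, action):
    """IAM-style action matching: case-insensitive, '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_actions(stmt):
    """Normalise the Action element, which may be a string or a list."""
    actions = stmt.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def scp_allows(scp_json, action):
    """Return True if the SCP leaves `action` available to the account.

    Simplified SCP semantics: an explicit Deny anywhere wins; otherwise the
    action needs at least one matching Allow, or it is implicitly denied.
    """
    policy = json.loads(scp_json)
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    allowed = False
    for stmt in statements:
        if any(_matches(p, action) for p in _statement_actions(stmt)):
            if stmt["Effect"] == "Deny":
                return False          # explicit deny overrides everything
            allowed = True
    return allowed


def evaluate_actions(scp_json, actions):
    """Map each action to 'ALLOWED' or 'DENIED' under the SCP."""
    return {a: ("ALLOWED" if scp_allows(scp_json, a) else "DENIED")
            for a in actions}


if __name__ == "__main__":
    sample = ["cloudtrail:StopLogging", "cloudtrail:LookupEvents",
              "s3:PutObject", "CLOUDTRAIL:deletetrail"]
    for action, verdict in evaluate_actions(DENY_LOGGING_CHANGES_SCP, sample).items():
        print(f"{action:30} {verdict}")
```

An ALLOWED verdict here only means the SCP does not block the action; the principal still needs an IAM identity policy that grants it, which is exactly the "maximum permissions" point above. The case-insensitive match matters because IAM treats action names as case-insensitive, so a Deny on `cloudtrail:StopLogging` also covers `CLOUDTRAIL:stoplogging`.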

Control Tower and Guardrails

AWS Control Tower sets up a governed multi-account environment with guardrails that enforce or monitor rules like no public S3 buckets.

Monitoring and Evidence: AWS Config, CloudTrail, and CloudWatch

Why Monitoring Matters

Compliance requires evidence. You must show that controls exist and work. AWS gives you logs, config histories, and metrics to prove this.

CloudTrail and AWS Config

CloudTrail records API and console activity. AWS Config tracks resource configurations and checks them against rules like "all S3 buckets encrypted".

CloudWatch for Detection

CloudWatch monitors metrics and logs, raising alarms on suspicious behavior. Together, these services create a strong compliance evidence trail.

AWS Artifact: Your Portal for Compliance Reports and Agreements

What Is AWS Artifact?

AWS Artifact is your on-demand portal for AWS compliance reports (like SOC and ISO) and certain agreements (such as HIPAA BAAs).

How Organizations Use It

Security teams log into AWS Artifact to download the latest SOC 2 or PCI DSS reports and share them with auditors or risk assessors.

What Artifact Does Not Do

Artifact does not scan your environment or make you compliant. It simply provides official AWS compliance documentation.

Thought Exercise: Mapping Controls to Regulations

Work through this short exercise to connect AWS services to regulatory requirements. You do not need to know each law in detail; focus on the logic.

Prompt 1: GDPR and data access logs

  • Your company processes data about EU users. Your privacy team says: "We must be able to show who accessed personal data and when."
  • Question: Which AWS services would you rely on to provide evidence of access to S3 objects containing personal data?
  • Think: CloudTrail logs API calls, CloudWatch monitors, S3 access logs can record object access. How would you combine them?

Prompt 2: Internal policy – encrypt everything

  • Your organization’s policy states: "All data classified as Confidential must be encrypted at rest and in transit."
  • Question: Name at least three AWS features or services you would use to enforce or validate this policy.
  • Hints: S3 default encryption, EBS volume encryption, RDS encryption, AWS KMS for key management, AWS Config rules to check encryption, TLS for in‑transit.

Prompt 3: PCI DSS and network segmentation

  • A payment system must isolate cardholder data environments from other workloads.
  • Question: Which AWS constructs help you implement segmentation in the cloud?
  • Hints: VPCs, subnets, security groups, NACLs, separate AWS accounts via AWS Organizations.

Pause for a minute and write your answers. Then compare:

  • If you mentioned CloudTrail, S3 access logs, and CloudWatch for Prompt 1, you are on track.
  • If you listed encryption features plus AWS Config for Prompt 2, that’s good governance thinking.
  • If you called out VPCs, security groups, and separate accounts for Prompt 3, you are mapping architecture to compliance.
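To make Prompt 1 concrete, here is an added example (not code from the course page or from AWS) that turns CloudTrail S3 data events into the access-evidence record a privacy team would ask for: who touched which object in a bucket, and when. The trail records are constructed for this example in the shape of real CloudTrail JSON (the `Records` array, `eventSource`, `eventName`, `userIdentity.arn`, `requestParameters.bucketName`/`key`); the bucket names, ARNs and account ID are placeholders.

```python
"""Added example (not from the course page or AWS): building an access-evidence
record for objects in a bucket from CloudTrail S3 data events.

Assumptions, labelled here: the events below are constructed for this example
in the shape of CloudTrail records (a real trail delivers them as JSON under a
"Records" key); S3 object-level (data) events are only logged when data events
have been enabled on the trail, so an empty result can also mean "not logged".
"""
import json
from datetime import datetime, timezone

# Constructed CloudTrail records: three S3 data events and one IAM management
# event. Account ID and IP addresses are documentation placeholders.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-03-01T09:15:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst"},
     "requestParameters": {"bucketName": "eu-customer-data", "key": "users/u-1001.json"}},
    {"eventTime": "2024-03-01T09:15:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/etl/job-42"},
     "requestParameters": {"bucketName": "eu-customer-data", "key": "users/u-1002.json"}},
    {"eventTime": "2024-03-01T09:16:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst"},
     "requestParameters": {"bucketName": "public-assets", "key": "logo.png"}},
    {"eventTime": "2024-03-01T09:17:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst"},
     "requestParameters": None},
]})

# Object-level S3 operations that count as touching personal data.
OBJECT_EVENTS = {"GetObject", "HeadObject", "PutObject", "CopyObject", "DeleteObject"}


def object_access_events(trail_json, bucket):
    """Return who touched which object in `bucket`, and when, oldest first."""
    rows = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue                                    # not an S3 event
        if rec.get("eventName") not in OBJECT_EVENTS:
            continue                                    # bucket-level or other API
        params = rec.get("requestParameters") or {}
        if params.get("bucketName") != bucket:
            continue
        rows.append({
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
                            .replace(tzinfo=timezone.utc),
            "principal": rec.get("userIdentity", {}).get("arn", "<unknown>"),
            "action": rec["eventName"],
            "key": params.get("key", "<no key>"),
            "source_ip": rec.get("sourceIPAddress"),
        })
    return sorted(rows, key=lambda r: r["time"])


def access_summary(trail_json, bucket):
    """Per-principal read/write counts and first/last access: the compact
    answer to 'who accessed personal data and when' for an auditor."""
    summary = {}
    for row in object_access_events(trail_json, bucket):
        entry = summary.setdefault(row["principal"], {
            "reads": 0, "writes": 0, "first": row["time"], "last": row["time"]})
        if row["action"] in ("GetObject", "HeadObject"):
            entry["reads"] += 1
        else:
            entry["writes"] += 1
        entry["first"] = min(entry["first"], row["time"])
        entry["last"] = max(entry["last"], row["time"])
    return summary


if __name__ == "__main__":
    for row in object_access_events(SAMPLE_TRAIL, "eu-customer-data"):
        print(row["time"].isoformat(), row["principal"], row["action"],
              row["key"], row["source_ip"])
    print(access_summary(SAMPLE_TRAIL, "eu-customer-data"))
```

Two practical points follow from the filter. First, the `ListUsers` record is skipped because it is a management event; object reads only appear in CloudTrail if S3 data events are enabled on the trail, so the first check in any GDPR evidence plan is confirming that setting. Second, S3 server access logs (the other source the prompt names) record the same object requests in a different, text-based format, so a combined evidence trail needs a parser per source and a shared notion of principal and time.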

Quick Check 1: Responsibilities and Artifact

Test your understanding of shared responsibility and AWS Artifact.

A financial services company needs a copy of AWS's latest SOC 2 report for its external auditor. What should the company do?

  A) Open AWS Artifact in the AWS Management Console and download the SOC 2 report.
  B) Create an AWS Config rule to check for SOC 2 compliance and export the results.
  C) Contact AWS Support and request that logs from CloudTrail be converted into a SOC 2 report.
  D) Enable Amazon GuardDuty and export its findings as the SOC 2 report.

Answer: A) Open AWS Artifact in the AWS Management Console and download the SOC 2 report.

AWS Artifact is the correct service for on-demand access to AWS compliance reports like SOC 2. AWS Config, CloudTrail, and GuardDuty help monitor your environment but do not generate official AWS compliance reports.

Quick Check 2: Governance and Monitoring

Test how well you can connect AWS services to governance and compliance tasks.

Your organization has a policy that no security group may allow inbound SSH (port 22) from 0.0.0.0/0 in production accounts. Which AWS service is BEST suited to continuously check and report on violations of this policy?

  A) AWS CloudTrail
  B) AWS Config
  C) AWS Artifact
  D) Amazon S3

Answer: B) AWS Config

AWS Config continuously records resource configurations and can evaluate them against custom or managed rules, such as 'no security group allows 0.0.0.0/0 on port 22'. CloudTrail logs API calls but does not evaluate compliance; AWS Artifact and S3 are not used for this kind of rule checking.

Key Terms Review: AWS Compliance and Governance

Flip through these cards to reinforce the most exam‑relevant terms from this module.

AWS shared responsibility model
Security and compliance are shared responsibilities between AWS and the customer.
AWS Artifact
An AWS service that provides on-demand access to AWS compliance reports (such as SOC and ISO) and certain agreements (such as HIPAA BAAs).
AWS Organizations
A service for centrally managing and governing multiple AWS accounts, often using Service Control Policies to set maximum permissions.
Service Control Policy (SCP)
A policy in AWS Organizations that defines the maximum permissions for accounts, used to enforce governance across multiple accounts.
AWS Config
A service that records AWS resource configurations and evaluates them against rules to assess compliance with internal policies.
AWS CloudTrail
A service that records AWS API calls and console actions, providing an audit trail for security and compliance investigations.
AWS Control Tower
A service that sets up and governs a secure, multi-account AWS environment using preconfigured guardrails based on AWS best practices.
Compliance program (in AWS context)
A set of certifications, attestations, or frameworks (such as ISO, SOC, PCI DSS, HIPAA-eligible services) under which AWS is independently assessed.
Guardrail (AWS Control Tower)
A preventive or detective rule in AWS Control Tower that enforces or monitors compliance with governance policies across accounts.
Shared control (compliance)
A security or compliance control where both AWS and the customer have responsibilities, such as patch management or configuration management.

Pulling It Together: How AWS Helps You Stay Compliant

AWS Compliance Summary

AWS maintains many compliance programs (ISO, SOC, PCI, HIPAA-eligible services) so you can build on independently assessed infrastructure.

Checklist: Who Does What?

Use the shared responsibility model: for each requirement, decide what AWS handles and what you must configure or operate in your workloads.

Governance and Evidence

Govern with Organizations, Control Tower, Config, CloudTrail, and CloudWatch. Use AWS Artifact for AWS reports and logs/configs for your own evidence.

