Master the frameworks, tools, and strategies that turn compliance chaos into certification confidence
AWS Security Compliance covers the shared responsibility model, regulatory frameworks (PCI DSS, HIPAA, SOC, ISO, FedRAMP), and the native AWS services that help you achieve, demonstrate, and automate compliance posture. For certification exams, understanding WHICH service to use for WHICH compliance need — and how responsibility is divided between AWS and the customer — is the #1 differentiator between passing and failing. This topic appears across SAA-C03, SAP-C02, SCS-C02, and DVA-C02 exams.
Exams test your ability to map compliance requirements to the correct AWS service or combination of services, understand what AWS is responsible for versus the customer, and know when to use detective versus preventive controls.
Preventive Compliance Controls
Proactively block non-compliant actions BEFORE they occur. AWS services like Service Control Policies (SCPs), IAM permission boundaries, AWS Config Rules with auto-remediation, and AWS CloudFormation Guard enforce guardrails at the policy and infrastructure layers so that only compliant resources can be provisioned.
When the requirement is to PREVENT a violation — e.g., 'Ensure no S3 bucket is ever made public' or 'Ensure encryption is always enabled at rest'. Regulated industries like healthcare (HIPAA) and finance (PCI DSS) often mandate preventive controls.
SCPs can inadvertently block legitimate operations if misconfigured; require thorough testing in non-production OUs first. CloudFormation Guard requires template-level enforcement and does not retroactively fix existing resources.
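The template-level check described above, as an added example (not part of the original guide and not CloudFormation Guard itself): a small Python pre-deployment gate that rejects a CloudFormation template if any S3 bucket in it is public or lacks a declared default encryption, the two requirements named in the text. The sample template is constructed; the resource property names are the standard AWS::S3::Bucket ones.

```python
"""Template-level preventive control: reject a CloudFormation template that would
create a public or unencrypted S3 bucket before it is ever deployed.
Added example written in plain Python to show the kind of rule CloudFormation Guard
enforces; it is not cfn-guard and the sample template below is constructed."""
import json
import sys

# Canned ACLs that make bucket contents readable by anyone.
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite"}
# All four flags must be explicitly true for the bucket to block public access.
PAB_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
# Default-encryption algorithms accepted by the rule.
ALLOWED_SSE = {"AES256", "aws:kms"}

# Constructed sample template: one compliant bucket, two violating buckets, and one
# resource the rules ignore.
SAMPLE_TEMPLATE = {
    "Resources": {
        "GoodBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
                "PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS},
            },
        },
        "PublicBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "AccessControl": "PublicRead",
                "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
            },
        },
        "PlainBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "Queue": {"Type": "AWS::SQS::Queue", "Properties": {}},
    }
}


def bucket_violations(logical_id, props):
    """Return the rule violations for one AWS::S3::Bucket's Properties block.
    The rules demand an explicit declaration: a template that is silent about
    encryption or public access does not pass, even if the account has safe defaults."""
    violations = []
    rules = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
    algorithms = {r.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if not algorithms & ALLOWED_SSE:
        violations.append(f"{logical_id}: no default server-side encryption declared")
    if props.get("AccessControl") in PUBLIC_ACLS:
        violations.append(f"{logical_id}: canned ACL {props['AccessControl']} grants public access")
    pab = props.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(flag) is True for flag in PAB_FLAGS):
        violations.append(f"{logical_id}: PublicAccessBlockConfiguration does not block all public access")
    return violations


def evaluate_template(template):
    """Check every S3 bucket in the template. Returns (passed, list_of_violations)."""
    violations = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") == "AWS::S3::Bucket":
            violations.extend(bucket_violations(logical_id, resource.get("Properties") or {}))
    return len(violations) == 0, violations


if __name__ == "__main__":
    # Pass a JSON template path to check your own template; otherwise the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            template = json.load(fh)
    else:
        template = SAMPLE_TEMPLATE
    passed, problems = evaluate_template(template)
    print("PASS" if passed else "FAIL")
    for problem in problems:
        print(" -", problem)
    sys.exit(0 if passed else 1)
```

Wired into a CI step before `aws cloudformation deploy`, the non-zero exit code is what makes this preventive: the violating template never reaches the account. It does nothing for buckets that already exist, which is exactly the caveat the text raises about CloudFormation Guard.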
Detective Compliance Controls
Identify and alert on compliance violations AFTER they occur. AWS Config continuously evaluates resource configurations against rules and records configuration history. Amazon GuardDuty detects threats and anomalous behavior. AWS Security Hub aggregates findings from GuardDuty, Config, Inspector, Macie, and third-party tools into a unified compliance dashboard with standards like CIS AWS Foundations Benchmark, PCI DSS, and AWS Foundational Security Best Practices.
When you need visibility into your compliance posture, audit trails, and drift detection. Ideal for SOC 2 Type II, ISO 27001, and any audit requiring evidence of continuous monitoring. Use Security Hub as the single pane of glass across multiple accounts.
Detective controls do not stop violations — they report them. They must be paired with auto-remediation (Config Rules triggering SSM Automation or Lambda) or with preventive controls for a complete compliance posture.
Automated Compliance Remediation
Combine detective controls with automated responses to close the loop without human intervention. AWS Config Rules can trigger AWS Systems Manager Automation runbooks or Lambda functions to remediate drift (e.g., re-encrypt an unencrypted EBS volume, revert a public S3 ACL). AWS Security Hub can forward findings to EventBridge, which triggers Step Functions or Lambda for complex remediation workflows.
When audit requirements demand near-real-time remediation SLAs, or when scale makes manual remediation impractical. Common in multi-account environments managed via AWS Organizations.
Auto-remediation can cause unintended disruption if rules are misconfigured (e.g., terminating a compliant resource). Always test remediation runbooks in a sandbox account and use approval gates for destructive actions.
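The Security Hub → EventBridge → Lambda loop above, with the approval gate for destructive actions that the caveat calls for, as an added example that is not part of the original guide. The event shape follows the ASFF findings EventBridge delivers for "Security Hub Findings - Imported"; all ARNs, account ids and the `custom-unapproved-ami` control are constructed, and the boto3 clients are replaced by an offline recording stub so the handler can be run without an AWS account.

```python
"""Automated remediation for Security Hub findings delivered through EventBridge,
with an approval gate in front of destructive actions.
Added example: the event shape follows the ASFF findings EventBridge delivers for
'Security Hub Findings - Imported', but all ids, ARNs and the 'custom-unapproved-ami'
control are constructed; S3.2 is the control id used for public S3 buckets."""


class RecordingClient:
    """Offline stand-in for a boto3 client: every call is recorded and nothing is sent.
    In Lambda you would pass boto3.client("s3") and boto3.client("ec2") instead."""

    def __init__(self, service):
        self.service = service
        self.calls = []

    def __getattr__(self, method):
        def call(**kwargs):
            self.calls.append((method, kwargs))
            return {}
        return call


def block_public_access(clients, resource_arn):
    """Non-destructive fix: turn on all four Block Public Access flags for the bucket."""
    bucket = resource_arn.rsplit(":::", 1)[-1]
    clients["s3"].put_public_access_block(
        Bucket=bucket,
        PublicAccessBlockConfiguration={"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                         "BlockPublicPolicy": True, "RestrictPublicBuckets": True})
    return f"blocked public access on {bucket}"


def terminate_instance(clients, resource_arn):
    """Destructive fix: only reached once the approval gate has said yes."""
    instance_id = resource_arn.rsplit("/", 1)[-1]
    clients["ec2"].terminate_instances(InstanceIds=[instance_id])
    return f"terminated {instance_id}"


# control id -> (remediation function, is_destructive)
REMEDIATIONS = {
    "S3.2": (block_public_access, False),
    "custom-unapproved-ami": (terminate_instance, True),   # constructed control id
}


def remediate(event, clients, approve=lambda control, resource: False):
    """Process one EventBridge event. `approve` is the gate for destructive actions;
    the default denies everything, so destructive findings are parked, not executed."""
    outcomes = []
    for finding in event["detail"]["findings"]:
        # Act only on failed checks that are still open.
        if finding.get("Compliance", {}).get("Status") != "FAILED":
            continue
        if finding.get("Workflow", {}).get("Status") in ("RESOLVED", "SUPPRESSED"):
            continue
        control = finding["GeneratorId"].rsplit("/", 1)[-1]
        resource = finding["Resources"][0]["Id"]
        entry = REMEDIATIONS.get(control)
        if entry is None:
            outcomes.append((control, resource, "no automated remediation"))
            continue
        fix, destructive = entry
        if destructive and not approve(control, resource):
            outcomes.append((control, resource, "awaiting approval"))
            continue
        outcomes.append((control, resource, fix(clients, resource)))
    return outcomes


# Constructed sample event: one open public-bucket finding and one destructive case.
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/S3.2",
         "Title": "S3 buckets should prohibit public read access",
         "Compliance": {"Status": "FAILED"}, "Workflow": {"Status": "NEW"},
         "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-public-bucket"}]},
        {"GeneratorId": "custom-unapproved-ami",
         "Title": "Instance launched from an unapproved AMI",
         "Compliance": {"Status": "FAILED"}, "Workflow": {"Status": "NEW"},
         "Resources": [{"Type": "AwsEc2Instance",
                        "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"}]},
    ]},
}


def new_clients():
    """Fresh offline clients for one run."""
    return {"s3": RecordingClient("s3"), "ec2": RecordingClient("ec2")}


if __name__ == "__main__":
    clients = new_clients()
    for outcome in remediate(SAMPLE_EVENT, clients):
        print(outcome)
    print("S3 calls made:", clients["s3"].calls)
```

The design point is the `approve` callback: in a real deployment it would be backed by a Step Functions wait-for-callback task or a ticket lookup, so a misconfigured rule can at worst block public access on a bucket (reversible) but never terminate an instance on its own.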
Audit Evidence and Reporting
AWS Artifact provides on-demand access to AWS compliance reports (SOC 1/2/3, PCI DSS AOC, ISO certifications, FedRAMP packages) and AWS agreements (BAA for HIPAA, NDA). AWS Audit Manager continuously collects evidence from AWS services and maps it to compliance frameworks, generating audit-ready reports. CloudTrail provides the immutable API activity log required by virtually every compliance framework.
When you need to provide evidence to auditors, sign agreements (BAA for HIPAA), or demonstrate AWS's own compliance posture to customers. Audit Manager is specifically designed for recurring audit cycles (quarterly, annual).
AWS Artifact shows AWS's compliance — not YOUR account's compliance. Customers must still demonstrate their own controls. Audit Manager requires configuration of assessment frameworks and may incur additional cost based on resource assessments.
Multi-Account Compliance Governance
Use AWS Organizations with SCPs to enforce compliance guardrails across all accounts. AWS Control Tower provides pre-built guardrails (preventive SCPs and detective Config Rules) and a Landing Zone for compliant multi-account architectures. AWS Security Hub with Organizations integration aggregates findings from all member accounts into a delegated administrator account for centralized visibility.
Enterprise environments with multiple AWS accounts, business units, or environments (dev/staging/prod). Required for large-scale HIPAA, PCI DSS, or FedRAMP compliance programs. Control Tower is the recommended starting point for new multi-account setups.
SCPs attached to the Organization root affect ALL member accounts (the management account is exempt). Some Control Tower guardrails are mandatory and cannot be disabled without disabling Control Tower itself — verify compatibility with existing workloads before enrollment.
Data Classification and Privacy Compliance
Amazon Macie uses ML to automatically discover, classify, and protect sensitive data (PII, PHI, financial data) in S3. It generates findings when sensitive data is found in unexpected locations or when S3 buckets have risky configurations. Essential for GDPR, HIPAA, and CCPA compliance programs that require data discovery and classification.
When compliance requires knowing WHERE sensitive data lives (data mapping/data inventory), detecting accidental exposure of PII/PHI, or demonstrating data governance controls to auditors.
Macie only analyzes S3 — it does not scan databases, EBS volumes, or other storage types natively. Pricing is based on the number of S3 buckets evaluated and the volume of data scanned, which can be significant for large data lakes.
STEP 1 — Identify the compliance requirement type:
• Need to PREVENT a violation before it happens? → Use SCPs (org-level) + IAM Permission Boundaries + Config Rules with auto-remediation + CloudFormation Guard
• Need to DETECT and ALERT on violations? → Use AWS Config Rules + AWS Security Hub + GuardDuty + Amazon Inspector
• Need AUDIT EVIDENCE for auditors? → Use AWS Artifact (AWS's own certs/reports) + AWS Audit Manager (your account's evidence) + CloudTrail (API logs)
• Need to REMEDIATE violations automatically? → Use Config Rules → SSM Automation / Lambda, or Security Hub → EventBridge → Step Functions
STEP 2 — Identify the regulatory framework:
• HIPAA: Sign BAA via AWS Artifact; use HIPAA-eligible services only; enable encryption, audit logging (CloudTrail), and access controls
• PCI DSS: Enable Security Hub PCI DSS standard; use WAF + Shield for cardholder data environments; segment with VPC; enable CloudTrail + Config
• SOC 2: Download SOC reports from AWS Artifact; implement Security Hub CIS Benchmark; enable CloudTrail across all regions
• FedRAMP: Use AWS GovCloud (US) regions; reference FedRAMP packages in AWS Artifact
• GDPR: Use Macie for PII discovery; enable data residency controls (S3 bucket policies, AWS Config); use AWS data processing agreements
STEP 3 — Identify the scope:
• Single account: Config + Security Hub + CloudTrail + GuardDuty
• Multi-account: Organizations + Control Tower + delegated Security Hub admin + CloudTrail Organization trail
• New multi-account setup: AWS Control Tower (Landing Zone)
• Existing accounts: AWS Security Hub with Organizations integration
STEP 4 — Identify the responsibility boundary:
• AWS responsible for: Physical security, hypervisor, managed service patches, global infrastructure compliance
• Customer responsible for: IAM configuration, data encryption choices, network ACLs/SGs, OS/app patching on EC2, data classification
AWS Artifact is NOT a compliance monitoring tool — it is a DOCUMENT PORTAL. It gives you AWS's own compliance reports (SOC, PCI, ISO) and agreements (BAA, NDA). It tells you AWS is compliant, NOT that your workload is compliant. Exams frequently test this distinction.
The Shared Responsibility Model is tested on EVERY certification. Remember: AWS = security OF the cloud (hardware, AZs, global network, managed service patches). Customer = security IN the cloud (IAM, encryption, SGs, NACLs, OS patching on EC2, application code). For managed services like RDS, AWS patches the DB engine; for EC2, the customer patches the OS.
For HIPAA compliance on AWS: you MUST sign a Business Associate Agreement (BAA) with AWS — found and executed through AWS Artifact. Only HIPAA-eligible services can be used to process PHI. Not all AWS services are HIPAA-eligible — always check the current HIPAA-eligible services list.
AWS Security Hub is the AGGREGATOR — it collects findings from GuardDuty, Inspector, Macie, Firewall Manager, IAM Access Analyzer, and third-party tools. It maps findings to compliance standards (CIS AWS Foundations Benchmark v1.4, PCI DSS v3.2.1, AWS Foundational Security Best Practices). Enable it with Organizations for multi-account centralization.
AWS Config records CONFIGURATION HISTORY and evaluates against rules — it is the primary service for compliance drift detection and continuous compliance monitoring. Config Rules can be AWS Managed (pre-built) or Custom (Lambda-backed). Config does NOT prevent changes — it detects and reports them.
AWS Artifact = AWS's compliance DOCUMENTS only (SOC, PCI, ISO, BAA). AWS Audit Manager = YOUR account's continuous compliance evidence. AWS Config = continuous configuration monitoring. Security Hub = aggregate all findings. Never confuse Artifact with a monitoring tool.
Shared Responsibility Model: AWS secures the cloud infrastructure (hardware, AZs, managed service patches). YOU secure everything you configure in the cloud (IAM, encryption choices, SGs, NACLs, OS/app patching on EC2). AWS being compliant does NOT make your workload compliant.
SCPs set the MAXIMUM permission ceiling — they never grant permissions. Both the SCP AND the IAM policy must allow an action for it to succeed. SCPs do NOT apply to the management account.
CloudTrail is the MANDATORY foundation for any compliance framework. It records all API calls (who did what, when, from where). Enable CloudTrail with log file validation, S3 MFA delete, and S3 Object Lock (WORM) for tamper-evident audit logs. Organization trails cover all accounts automatically.
Service Control Policies (SCPs) in AWS Organizations are PREVENTIVE guardrails but they do NOT grant permissions — they set the maximum permissions boundary. An SCP allowing S3 still requires an IAM policy granting S3 access. SCPs apply to all accounts in an OU EXCEPT the management account (root) — test this on exams.
AWS Audit Manager is purpose-built for CONTINUOUS AUDIT EVIDENCE COLLECTION. It maps AWS resource configurations, CloudTrail events, and Security Hub findings to specific compliance framework controls (NIST, PCI DSS, HIPAA, SOC 2, GDPR). It generates audit-ready reports — a key differentiator from Artifact (which only has AWS's reports).
Amazon Inspector v2 assesses EC2 instances and container images (ECR) for software vulnerabilities and unintended network exposure. It integrates with Security Hub. Inspector is for VULNERABILITY ASSESSMENT — not threat detection (that's GuardDuty) and not configuration compliance (that's Config).
For PCI DSS in AWS: the cardholder data environment (CDE) must be isolated (use dedicated VPC, SGs, NACLs). Enable Security Hub PCI DSS standard for automated checks. AWS is a PCI DSS Level 1 Service Provider — download the AWS Attestation of Compliance (AOC) from AWS Artifact to show auditors.
Common Mistake
If AWS is compliant with PCI DSS / HIPAA / SOC 2, then my workload running on AWS is automatically compliant too.
Correct
AWS's compliance certifications cover the AWS infrastructure and managed services — NOT your workload. You inherit the underlying infrastructure controls, but YOU are responsible for configuring your resources correctly (encryption, access controls, logging, etc.). You must implement your own controls and obtain your own certifications where required.
This is the most dangerous misconception in cloud compliance. The Shared Responsibility Model explicitly divides accountability. Exams present scenarios where a company 'uses AWS which is HIPAA compliant' and ask what ELSE must be done — the answer always involves customer-side controls like enabling encryption, signing a BAA, and restricting access.
Common Mistake
AWS Artifact monitors my AWS environment for compliance violations and alerts me when something is non-compliant.
Correct
AWS Artifact is a self-service document portal — it provides static compliance reports and agreements (SOC reports, PCI AOC, ISO certs, BAA). It has zero monitoring capability. For compliance monitoring, use AWS Config, Security Hub, and GuardDuty.
The name 'Artifact' sounds like it could be an active tool. Exams exploit this by listing it as an option for 'continuous compliance monitoring' — it is never the right answer for that use case. Remember: Artifact = Documents, Config = Monitoring, Security Hub = Aggregation.
Common Mistake
Service Control Policies (SCPs) grant permissions to accounts in AWS Organizations.
Correct
SCPs only RESTRICT permissions — they define the maximum allowable permissions ceiling. An SCP that allows all S3 actions does NOT grant S3 access; IAM policies in the account must still explicitly grant access. SCPs are filters, not grants.
This is a classic exam trap. Candidates assume that if an SCP allows an action, the principal can perform it. In reality, BOTH the SCP AND the IAM policy must allow the action (except for the management/root account). Think of SCPs as a maximum permission boundary applied at the organizational level.
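The "both the SCP AND the IAM policy must allow" rule stated here and in the key facts above, worked through in code as an added example that is not part of the original guide. It implements only the slice of policy evaluation needed to show the point (Effect, Action with `*` wildcards, every Resource treated as `*`) and deliberately leaves out conditions, NotAction, resource policies and permission boundaries; all policy documents are constructed.

```python
"""Why 'both the SCP and the IAM policy must allow': a minimal evaluator for the
intersection of Service Control Policies and an identity policy.
Added example; it implements only the subset of evaluation logic needed to show the
point (Effect, Action with '*' wildcards, every Resource treated as '*') and leaves out
conditions, NotAction, resource policies and permission boundaries. All policies
below are constructed."""
from fnmatch import fnmatchcase

# SCP attached to an OU: keeps the default FullAWSAccess allow and carves out denies.
SCP_GUARDRAILS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["s3:DeleteBucket", "cloudtrail:StopLogging",
                                  "cloudtrail:DeleteTrail"], "Resource": "*"},
]}
# Identity policies inside a member account.
IAM_S3_READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
]}
IAM_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_decision(policy, action):
    """Evaluate one policy document for one action.
    Returns 'Deny' (an explicit deny matched), 'Allow', or 'ImplicitDeny' (nothing matched).
    Action matching is case-insensitive with '*' wildcards, as in IAM."""
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        patterns = _as_list(statement.get("Action", []))
        if any(fnmatchcase(action.lower(), pattern.lower()) for pattern in patterns):
            if statement["Effect"] == "Deny":
                return "Deny"          # an explicit deny wins immediately
            decision = "Allow"
    return decision


def is_allowed(action, scps, identity_policy, is_management_account=False):
    """SCPs act as a filter: every SCP on the path from the root to the account must
    allow the action, and only then does the identity policy get to grant it.
    The management account is not subject to SCPs."""
    if not is_management_account:
        for scp in scps:
            if policy_decision(scp, action) != "Allow":
                return False           # filtered out before IAM is even consulted
    return policy_decision(identity_policy, action) == "Allow"


def explain(action, scps, identity_policy, is_management_account=False):
    """Human-readable trace of the same decision, handy for exam-style reasoning."""
    scp_result = "skipped (management account)" if is_management_account else ", ".join(
        policy_decision(scp, action) for scp in scps)
    iam_result = policy_decision(identity_policy, action)
    verdict = is_allowed(action, scps, identity_policy, is_management_account)
    return f"{action}: SCP={scp_result} IAM={iam_result} -> {'ALLOWED' if verdict else 'DENIED'}"


if __name__ == "__main__":
    cases = [
        ("s3:GetObject", [SCP_GUARDRAILS], IAM_S3_READ_ONLY, False),    # both allow
        ("s3:PutObject", [SCP_GUARDRAILS], IAM_S3_READ_ONLY, False),    # SCP allows, IAM does not grant
        ("s3:DeleteBucket", [SCP_GUARDRAILS], IAM_ADMIN, False),        # IAM grants, SCP denies
        ("cloudtrail:StopLogging", [SCP_GUARDRAILS], IAM_ADMIN, True),  # management account
    ]
    for case in cases:
        print(explain(*case))
```

The second case is the exam trap in miniature: the SCP's `Allow *` does nothing for `s3:PutObject` because the account's own IAM policy never grants it, while the fourth case shows the management-account exemption, which is why the text recommends never running workloads there.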
Common Mistake
GuardDuty and AWS Config do the same thing — they both detect security issues.
Correct
GuardDuty is a THREAT DETECTION service that analyzes CloudTrail, VPC Flow Logs, and DNS logs using ML to identify active threats (compromised credentials, cryptomining, reconnaissance). AWS Config is a CONFIGURATION COMPLIANCE service that records resource configurations and evaluates them against rules (e.g., 'is this S3 bucket encrypted?'). They are complementary, not interchangeable.
Exams present scenarios and ask which service to use. GuardDuty = behavioral/threat anomalies (active attacks). Config = configuration drift and compliance rules (resource state). Security Hub = aggregate both. Getting these mixed up is a common failure point on SCS-C02 and SAA-C03.
Common Mistake
Enabling CloudTrail in one region covers all regions and all accounts.
Correct
By default, CloudTrail logs only the region it is enabled in. You must explicitly enable multi-region trails OR create an Organization Trail (which automatically applies to all accounts in the organization across all regions). Additionally, CloudTrail logs management events by default but does NOT log S3 object-level data events or Lambda invocations without explicit configuration.
Compliance frameworks require complete audit coverage. Exams test whether candidates know that a single-region CloudTrail trail leaves gaps. The correct answer for org-wide audit logging is always an Organization Trail with multi-region enabled, stored in a centralized S3 bucket with log file validation.
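The detective control described in the Detective Compliance Controls section, applied to the CloudTrail coverage gaps listed here: a Lambda-backed custom AWS Config rule that flags trails which are single-region, have log file validation off, or do not record global service events. This is an added example, not an AWS managed rule and not part of the original guide. The event and evaluation shapes follow the Config custom-rule contract (`invokingEvent` and `resultToken` in, `put_evaluations` out); the configuration field names are assumed to mirror CloudTrail's `describe_trails` output, and the sample trails and events are constructed.

```python
"""Lambda-backed custom AWS Config rule that flags CloudTrail trails leaving audit gaps:
not multi-region, log file validation off, or global service events not recorded.
Added example of a detective control; the event and evaluation shapes follow the
Config custom-rule contract (invokingEvent/resultToken in, put_evaluations out), the
configuration field names are assumed to mirror CloudTrail's describe_trails output,
and the sample events are constructed."""
import json

RESOURCE_TYPE = "AWS::CloudTrail::Trail"


def evaluate_trail(config):
    """Return (ComplianceType, annotation) for one trail's configuration dict."""
    problems = []
    if not config.get("isMultiRegionTrail"):
        problems.append("single-region trail: API calls in other regions are not logged")
    if not config.get("logFileValidationEnabled"):
        problems.append("log file validation disabled: tampering with delivered logs is undetectable")
    if not config.get("includeGlobalServiceEvents"):
        problems.append("global service events (IAM, STS) not recorded")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "multi-region trail with log file validation"


def build_evaluation(item, compliance_type, annotation):
    """Shape expected by config.put_evaluations; Annotation is limited to 256 chars."""
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance_type,
        "Annotation": annotation[:256],
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context=None, config_client=None):
    """Entry point for a change-triggered rule. Pass boto3.client("config") as
    config_client in Lambda; leaving it None (as here) skips the API call so the
    handler can be run offline. Returns the evaluation list for inspection."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    if item["resourceType"] != RESOURCE_TYPE or item.get("configurationItemStatus") in (
            "ResourceDeleted", "ResourceDeletedNotRecorded"):
        compliance_type, annotation = "NOT_APPLICABLE", "not an active CloudTrail trail"
    else:
        compliance_type, annotation = evaluate_trail(item["configuration"])
    evaluation = build_evaluation(item, compliance_type, annotation)
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return [evaluation]


def sample_event(trail_config, status="OK"):
    """Build a constructed Config rule event around a trail configuration."""
    item = {
        "resourceType": RESOURCE_TYPE,
        "resourceId": trail_config["name"],
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2026-01-01T00:00:00.000Z",
        "configuration": trail_config,
    }
    return {"invokingEvent": json.dumps({"configurationItem": item,
                                         "messageType": "ConfigurationItemChangeNotification"}),
            "resultToken": "constructed-token"}


# Constructed trail configurations: an organization trail done right and a single-region one.
GOOD_TRAIL = {"name": "org-trail", "isMultiRegionTrail": True, "isOrganizationTrail": True,
              "logFileValidationEnabled": True, "includeGlobalServiceEvents": True}
WEAK_TRAIL = {"name": "us-east-1-only", "isMultiRegionTrail": False, "isOrganizationTrail": False,
              "logFileValidationEnabled": False, "includeGlobalServiceEvents": True}

if __name__ == "__main__":
    for trail in (GOOD_TRAIL, WEAK_TRAIL):
        print(json.dumps(lambda_handler(sample_event(trail))[0], indent=2))
```

Note what the rule does and does not do: it detects and annotates the gap so Security Hub and the Config dashboard show it, but it never changes the trail. Closing the gap is a separate remediation action (SSM Automation or Lambda), as the Detective Compliance Controls section says; data-event selectors (S3 object-level, Lambda invocations) live outside the trail's basic configuration and would need their own check.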
Common Mistake
AWS Control Tower is just a fancy name for AWS Organizations.
Correct
AWS Control Tower is built ON TOP of AWS Organizations and adds a pre-configured Landing Zone, pre-built guardrails (preventive SCPs + detective Config Rules), Account Factory for vending new accounts, and a compliance dashboard. Organizations is the underlying service; Control Tower is the governance layer. You can use Organizations without Control Tower, but Control Tower requires Organizations.
Exam questions about 'setting up a compliant multi-account environment quickly' or 'enforcing guardrails across new accounts automatically' point to Control Tower, not just Organizations. Confusing the two leads to selecting incomplete solutions.
ARTIFACT = 'A Report Tells Facts About Compliance To auditors' — it's a DOCUMENT, not a monitoring tool
Shared Responsibility: AWS owns the BRICK AND MORTAR (physical, hypervisor, managed services), YOU own the FURNITURE INSIDE (IAM, encryption, SGs, app config)
Config = HISTORIAN (records what happened to resources over time) | GuardDuty = DETECTIVE (spots bad actors) | Security Hub = SHERIFF'S OFFICE (aggregates all reports)
SCP CAGE: SCPs build a CAGE around account permissions — the IAM key must still open the lock inside the cage. Both must allow the action.
For HIPAA remember BAA-E: Business Associate Agreement (sign it) + Audit logs (CloudTrail) + Access controls (IAM) + Encryption (KMS) = HIPAA-ready
Assuming that because AWS holds PCI DSS, HIPAA, or SOC 2 certifications, a customer's workload on AWS is automatically compliant — exams always require the candidate to identify the ADDITIONAL customer-side controls (encryption, IAM, CloudTrail, BAA signing) needed to achieve actual compliance.
CertAI Tutor · 2026-02-22