What Is Compliance state? Security Definition
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
What do you want to do?
Quick Definition
Compliance state tells you if something is following the rules or not. Think of it as a green light when everything meets the required standards and a red light when something is out of line. IT teams check compliance state to make sure systems are secure and meet legal or company policies. If a device is out of compliance, it might be blocked from accessing company resources until it is fixed.
Common Commands & Configuration
aws configservice describe-compliance-by-config-rule --config-rule-names s3-bucket-ssl-requests-onlyThis AWS CLI command retrieves the compliance state of a specific AWS Config rule (s3-bucket-ssl-requests-only). It returns whether each resource evaluated by the rule is COMPLIANT or NON_COMPLIANT. Use it during audits or troubleshooting to check the status of a single policy enforcement.
Appears in AWS-SAA to test understanding of AWS Config's ability to report compliance state per rule. Candidates must remember that this command shows compliance at the rule level, not resource level.
az policy state list --resource-group myResourceGroup --policy-set-definition-name /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8This Azure CLI command lists the compliance state of all resources within a specific resource group against a specific policy set definition (initiative). It shows which resources are compliant, non-compliant, or exempt. Useful for generating compliance reports for a specific scope.
Frequently tested in AZ-104 and SC-900. Candidates need to know that --policy-set-definition-name requires the full path to the initiative and that the output can be filtered with --filter for specific compliance states.
Get-DeviceCompliancePolicy | Get-DeviceCompliancePolicyAssignmentThis PowerShell command (Microsoft Graph) retrieves all device compliance policies in Microsoft Intune and their assignments to user groups or device groups. It helps administrators verify that compliance policies are properly scoped to enforce the intended compliance state for managed devices.
Critical for MD-102 and MS-102. Exam questions often ask how to check if a compliance policy is assigned to the correct group, especially after deploying a new policy or troubleshooting device non-compliance.
aws configservice get-compliance-details-by-config-rule --config-rule-name required-tags --compliance-types NON_COMPLIANTThis command returns detailed compliance information for a specific AWS Config rule (required-tags) but only for resources that are NON_COMPLIANT. Use it to get a list of all resources that are out of compliance, along with the specific reasons (e.g., missing 'Environment' tag).
Tests the ability to filter compliance results efficiently. In the AWS-SAA and Security+ exams, knowing how to isolate non-compliant resources without pulling all data is a key skill for operational efficiency.
New-AzPolicyAssignment -Name 'EnforceEncryption' -PolicySetDefinitionId '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8' -Scope '/subscriptions/1234-5678-90ab-...' -Location 'East US' -IdentityType 'SystemAssigned' -EnforcementMode 'Default'This PowerShell command assigns an Azure Policy initiative (set) to a subscription scope with system-assigned managed identity. The -EnforcementMode set to 'Default' means the compliance state will be actively evaluated. Use it to begin enforcing a set of compliance rules across a subscription.
Crucial for AZ-104 and SC-900. Exam questions often ask about the parameters required to assign a policy, particularly the need for -IdentityType when using 'DeployIfNotExists' effects, which need an identity to make remediation changes.
Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies?$expand=assignments'This Microsoft Graph API command retrieves all device compliance policies and their assignments in Intune using a GET request with $expand to include assignment details. It allows programmatic access to compliance state management for large-scale inventory or automated reporting.
Appears in MS-102 and MD-102 to test understanding of Graph API endpoints for compliance. The $expand parameter is a common trick in exam scenarios to ensure candidates know how to include related data in a single request.
eksctl get nodegroups --cluster my-cluster --output json | jq '.nodegroups[].nodegroupName'This command lists all node groups in an EKS cluster, which can be used to cross-check if the node group's launch template adheres to compliance policies (e.g., container runtime, IMDSv2 requirement). It indirectly checks compliance state at the infrastructure level for Kubernetes clusters on AWS.
Relevant for the AWS-SAA and Security+ when dealing with container security. The note: Compliance state in EKS also includes checking if node groups are using a specific AMI or if they have the proper IAM roles for security agent deployment.
Compliance state appears directly in 8exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CompTIA Security+. Practise them →
Must Know for Exams
Understanding compliance state is critical for several major IT certification exams, including the AWS Solutions Architect Associate (AWS-SAA), ISC2 CISSP, CompTIA Security+, CompTIA CySA+, Microsoft 365 Certified: Endpoint Administrator Associate (MD-102), Microsoft 365 Administrator Expert (MS-102), Microsoft Azure Administrator Associate (AZ-104), Microsoft Security, Compliance, and Identity Fundamentals (SC-900), and CompTIA Security+. Each exam approaches compliance state from a slightly different angle, but the core concept remains the same.
For the AWS-SAA exam, compliance state pertains to AWS Config and AWS Service Catalog. You need to understand how AWS Config rules evaluate resources and report compliance state. Questions often ask how to enforce that all S3 buckets are encrypted or that EC2 instances have specific tags. The exam expects you to know how to use AWS Config managed rules and custom rules to maintain compliance. You should also understand how to use AWS Organizations to enforce service control policies (SCPs) that prevent noncompliant resource creation across accounts.
In the ISC2 CISSP exam, compliance state falls under Domain 7: Security Operations. The CISSP examines compliance from a governance and audit perspective. You will need to understand how compliance state relates to continuous monitoring, security controls, and audit trails. Questions may present a scenario where a security control is not functioning and ask you to determine the impact on the organization's compliance state. You must also know the difference between administrative, technical, and physical controls in the context of maintaining compliance.
The CompTIA Security+ exam covers compliance state in the context of security policies, baselines, and hardening. You should be able to explain how compliance scanning tools like Nessus or OpenVAS can verify that systems comply with a security baseline. Questions might ask about the difference between a vulnerability scan and a compliance scan. You will also encounter questions about regulatory compliance frameworks like PCI DSS and HIPAA. Expect scenario-based questions where you have to identify the appropriate action to bring a system back into compliance.
The CySA+ exam goes deeper into compliance state assessment as part of the vulnerability management lifecycle. You need to know how to interpret compliance scan results and prioritize remediation. Questions may ask about the use of SCAP (Security Content Automation Protocol) or the difference between agent-based and agentless compliance scanning. You might also see questions about compliance reporting and how to present findings to management.
For Microsoft exams (MD-102, MS-102, AZ-104, SC-900), compliance state is a major theme. MD-102 focuses on Microsoft Intune device compliance policies and conditional access. You will need to know how to create, assign, and troubleshoot compliance policies for Windows, iOS, Android, and macOS devices. MS-102 covers compliance state at the Microsoft 365 tenant level, including data lifecycle management and records management. AZ-104 includes Azure Policy and Azure Blueprints for maintaining compliance of Azure resources. SC-900 provides a foundational understanding of Microsoft's compliance solutions, such as Microsoft Purview and Service Trust Portal. Expect questions that require you to configure a compliance policy for a specific scenario, like requiring device encryption for all corporate-owned devices.
Across all exams, the common thread is that compliance state is a dynamic attribute that must be actively managed. You will need to understand the tools, policies, and processes that allow organizations to maintain and prove their compliance stance. The ability to identify when a system is noncompliant and to take corrective action is a skill tested in multiple choice, scenario-based, and performance-based questions.
Simple Meaning
Imagine you are a manager at a busy restaurant. Every morning, you have a list of rules that every staff member must follow before they start their shift. They must wash their hands, wear a clean uniform, pin on their name tag, and complete a food safety quiz. You walk through the kitchen and look at each person. Is everyone checking the boxes? That is exactly what compliance state means in IT, but instead of people, it applies to computers, phones, servers, and software.
In a technical environment, compliance state is like a report card for every device or application in your network. There is a set of rules called a compliance policy. It defines what is acceptable. For example, a policy might say that every computer must have antivirus software running, the operating system must be up to date, and the hard drive must be encrypted. When a computer is checked against that policy, it either passes or fails. If it passes, its compliance state is marked as compliant. If it fails, it is noncompliant.
To help you understand, think about getting your car inspected. The state has a list of requirements: your tires must have enough tread, your brakes must work, your lights must function, and your emissions must be low. The inspection station checks your car against that list. If everything passes, your car gets a sticker showing it is compliant. If something is wrong, you get a list of things to fix before you can drive legally. Compliance state in IT works exactly like that. The policy is the list of requirements, the inspection scanner is the compliance check tool, and the result is the compliance state.
Now, why does this matter? In a company, there might be thousands of devices. You cannot inspect each one manually every day. Compliance state gives you a quick snapshot. It shows you which devices are safe and following the rules, and which ones are risky and need attention. This helps IT teams prioritize their work. They can focus on fixing the noncompliant devices first, because those are the ones that could cause a security breach or a legal problem.
Another way to think about it is like a health checkup for your computer. You might feel fine, but only a checkup reveals that your cholesterol is high or your blood pressure is too high. The checkup gives you a state of your health. In IT, a device might be working fine for the user, but its compliance state might reveal that it is missing a critical security update or that its firewall is turned off. Without checking the compliance state, you would not know there is a problem until something bad happens, like a virus infection or a data breach.
Compliance state is not just about security. It is also about legal and industry regulations. For example, if your company handles credit card payments, you must follow the Payment Card Industry Data Security Standard (PCI DSS). The compliance state of your payment processing systems tells you whether you are meeting those rules. If you are not, you could face fines or lose the ability to process credit cards. Similarly, hospitals must follow HIPAA rules to protect patient data. The compliance state of their systems helps them prove they are following the law.
compliance state is a simple but powerful concept. It is the answer to the question: "Is this system doing what it is supposed to do, according to the rules?" It turns a complex set of technical requirements into a clear yes or no status. For IT professionals, mastering compliance state is essential for keeping networks secure, meeting regulations, and avoiding costly mistakes.
Full Technical Definition
In information technology, compliance state refers to the declared or discovered posture of an endpoint, application, service, or entire infrastructure relative to one or more predefined compliance policies. These policies are typically derived from internal security baselines, industry regulations (e.g., HIPAA, PCI DSS, GDPR), government frameworks (e.g., FedRAMP, NIST SP 800-53), or vendor-specific best practices (e.g., Microsoft Security Baselines, CIS Benchmarks). Compliance state is not a static attribute; it is continuously evaluated, reported, and enforced by a variety of tools and protocols.
The core mechanism for determining compliance state involves three phases: policy definition, assessment, and reporting. First, an administrator defines a compliance policy. A policy is a set of rules, each rule specifying a condition that must be true for the target to be considered compliant. For example, a rule might require that the Windows Defender Antivirus signature version is within the last 24 hours. The rule includes a target (the antivirus software), a comparison operator (must be newer than), and a threshold value (current date minus one day). Policies can be grouped by scope, such as all workstations in the finance department, or all servers running a specific operating system version.
The assessment phase is where the actual determination of compliance state happens. Assessment can be agent-based or agentless. In agent-based assessment, a software agent is installed on the target device. This agent periodically checks the local configuration against a downloaded or cached policy. Common examples include Microsoft Intune management agents, System Center Configuration Manager (SCCM) clients, or third-party security agents like CrowdStrike. The agent evaluates each rule and reports the result back to a central management console. Agentless assessment relies on remote scanning using protocols such as SNMP, WMI (Windows Management Instrumentation), WinRM (Windows Remote Management), or SSH. Cloud management platforms like AWS Config or Azure Policy continuously evaluate resource configurations by monitoring API calls and resource state changes.
During assessment, the system computes a composite compliance state. A single device may have dozens or hundreds of rules. The overall compliance state is typically evaluated as a binary or tristate: Compliant (all applicable rules pass), Noncompliant (one or more rules fail), or Unknown (the system could not evaluate one or more rules due to connectivity issues, missing agent, or unsupported configuration). Some systems also use a percentage-based score, such as 95% compliant, which can help prioritize remediation efforts.
Reporting and enforcement are the next critical components. Reporting tools aggregate compliance state data into dashboards and alerts. In Microsoft Intune, for example, administrators can view a list of devices and their compliance state in the Microsoft Endpoint Manager admin center. Azure Policy provides a Compliance dashboard that shows resource compliance per policy initiative. AWS Config produces a compliance timeline that records state changes over time. Enforcement can be automatic or manual. Conditional access policies in Azure Active Directory (Azure AD) can block a noncompliant device from accessing corporate email or SharePoint. Network Access Control (NAC) solutions like Cisco ISE can quarantine a noncompliant endpoint on a separate VLAN until it is remediated.
A key technical detail is that compliance state is closely tied to identity and access management (IAM). In modern zero-trust architectures, a device's compliance state is a signal used to grant or deny access to resources. The trust score of a device is computed in real time, and access decisions are made based on that score combined with user identity, location, and other signals. For example, Microsoft assesses device compliance state as part of its Conditional Access policies. A user logging in from a compliant, managed device may be granted seamless access, while the same user from a noncompliant device might be prompted for additional authentication or blocked entirely.
Protocols and standards that support compliance state assessment include the Security Content Automation Protocol (SCAP) suite, which is used by US federal agencies to automate vulnerability management, measurement, and policy compliance evaluation. SCAP includes the Extensible Configuration Checklist Description Format (XCCDF) for defining security checklists, the Open Vulnerability and Assessment Language (OVAL) for specifying system state, and the Common Platform Enumeration (CPE) for naming software and hardware. The OpenSCAP tool is commonly used on Linux systems to evaluate compliance against benchmarks like the DISA STIG or CIS Benchmarks.
Real-world implementation of compliance state is handled by multiple platforms. Microsoft Intune for endpoint management, Defender for Cloud Apps for SaaS application compliance, Azure Policy for Azure resource compliance, AWS Config for AWS resource compliance, and Google Cloud's Security Command Center all provide native compliance state monitoring. On-premises tools like Microsoft SCCM, BigFix, and Tanium also provide comprehensive compliance assessment. For regulatory compliance, specialty tools like Qualys Policy Compliance and Rapid7 InsightVM map compliance results to specific regulatory frameworks.
Finally, compliance state has a temporal dimension. Some assessments are performed on a schedule (e.g., every 24 hours), while others are triggered by events such as a device joining the network, a user logging in, or a configuration change. The compliance state reported at a given moment may not reflect the current state if the system has not been reassessed since the last change. Therefore, many systems support real-time or near-real-time compliance evaluation to support just-in-time access decisions. Understanding these technical nuances is critical for IT professionals who need to architect, troubleshoot, and maintain compliant environments.
Real-Life Example
Imagine you are the owner of a small gym. You have a list of rules that every member must follow before they are allowed to use the equipment. The rules include: wear proper athletic shoes, bring a towel, sign a waiver, and complete a safety orientation. When someone walks in, you check them against this list. If they have shoes, a towel, and a signed waiver on file, and they have completed orientation, they get a green wristband and can use any equipment. If they are missing something, you give them a red wristband and tell them they can only use the cardio machines until they fix the issue. This is exactly how compliance state works in the IT world.
In our gym analogy, the gym itself is the organization. The rules are the compliance policy. The member is a device or a user. The green wristband means the member is compliant. The red wristband means they are noncompliant. The restriction to only cardio machines is like a conditional access policy that limits what a noncompliant device can access on the network.
Now, let us extend the analogy. You have hundreds of members. You cannot check each one manually every day. So, you install a self-service kiosk at the entrance. Members scan their membership card, and the kiosk checks their compliance state automatically. It checks the database to see if their waiver is up to date, if they have completed orientation, and if they checked out a towel at the front desk. If everything is good, the kiosk prints a green wristband. If not, it prints a red one and displays a message showing what is missing. This kiosk is exactly like a compliance assessment tool. It automatically checks the state of a device or user against the policy and reports the result.
Now, suppose a member named Sarah walks in. She has a green wristband from yesterday, but today she forgot her towel. She scans her card, and the kiosk sees that she did not check out a towel. It prints a red wristband. Sarah is now in a noncompliant state. In IT terms, this is a device that was compliant yesterday but today has a missing security update. The compliance state changed because the condition (having an up-to-date security patch) is no longer true. The system detects the change and updates the state.
Another important aspect is remediation. In the gym, if Sarah gets a red wristband, she can go to the front desk, grab a towel, and scan her card again. This time, the kiosk sees that she has a towel, so it prints a green wristband. She has remediated the issue. In IT, a noncompliant device can often be remediated automatically. For example, if a device is missing a security update, Microsoft Intune can force the update to install. Once the update is applied, the device reassesses and becomes compliant again.
The gym also has a strict policy for the free-weight room. Only members with a green wristband can enter. If a red-wristband member tries to enter, the door does not open, and a staff member escorts them to the cardio area. In IT, this is like a conditional access policy that blocks noncompliant devices from accessing sensitive data. For example, a user on a noncompliant device might be blocked from accessing the company's financial system.
Finally, think about compliance state for the gym itself. The gym must follow fire safety regulations and health codes. An inspector shows up every year and checks things like fire extinguishers, exit signs, and cleanliness. This is like a regulatory compliance audit for an IT system. The gym's compliance state relative to the fire code is either pass or fail. If it fails, the gym could be fined or shut down. Similarly, if an IT system fails a PCI DSS compliance check, the company can be fined or lose its ability to process credit card payments.
compliance state is a simple yet powerful concept that determines whether a person, device, or system is following the rules. It drives access decisions, triggers remediation, and ensures that the organization stays secure and legally compliant.
Why This Term Matters
Compliance state matters because it directly impacts the security posture and legal standing of any organization. In today's threat landscape, attackers constantly look for weak spots. A device that is missing a security update or has antivirus disabled is an easy entry point. By continuously monitoring compliance state, IT teams can quickly identify and remediate these vulnerabilities before they are exploited. This proactive approach is far more effective than waiting for a breach to happen and then cleaning up the mess.
Beyond security, compliance state is essential for meeting regulatory and industry requirements. Regulations such as GDPR, HIPAA, PCI DSS, and SOX mandate that organizations implement specific controls and prove they are in place. Compliance state reporting provides the evidence needed for audits. Without a clear understanding of compliance state, an organization risks fines, legal action, and reputational damage. For example, a hospital that cannot demonstrate that its systems are compliant with HIPAA could face penalties of up to $50,000 per violation.
Compliance state also drives operational efficiency. When IT teams have a clear view of which devices are compliant and which are not, they can prioritize their work. Instead of manually checking every device, they can focus on the exceptions. This reduces the mean time to remediation (MTTR) and frees up IT staff to work on more strategic projects. Automated compliance enforcement reduces the burden on end users. For instance, a device that falls out of compliance can be automatically updated or blocked from accessing risky resources without the user needing to take any action.
From a business perspective, compliance state enables secure remote work and bring-your-own-device (BYOD) programs. Organizations can allow employees to use personal devices for work, but only if those devices meet minimum security requirements. The compliance state check happens before access is granted, ensuring that only healthy devices connect to corporate resources. This flexibility increases productivity while maintaining security.
compliance state is a foundational element of zero-trust security models. Zero trust assumes that no device or user is inherently trustworthy. Instead, trust is earned and continuously verified. Compliance state is one of the key signals used in that verification. A device that is compliant is considered more trustworthy than one that is not. By integrating compliance state into access decisions, organizations can implement least-privilege access and reduce the blast radius of a potential breach.
How It Appears in Exam Questions
Exam questions about compliance state typically follow one of several patterns: scenario-based, policy definition, remediation selection, and tool identification. In scenario-based questions, you are given a description of an organization's environment and asked to determine the compliance state of a device or resource based on a set of conditions. For example, a question might describe a user's laptop that is missing the latest Windows security update and has its firewall turned off. The policy requires that all devices have the latest updates and an enabled firewall. The question asks: what is the compliance state of the device? The answer would be noncompliant, because at least one condition (actually two) is not met.
Another common pattern involves conditional access. For example, a question might state that a user is trying to access corporate email from a personal iPhone that is not enrolled in Intune and does not have a passcode set. The conditional access policy requires that devices be marked as compliant before accessing email. The question asks: will the user be granted access? The answer is no, because the device's compliance state is noncompliant, and the conditional access policy blocks access. This type of question tests your understanding of how compliance state acts as a gate for access.
Policy definition questions require you to design a compliance policy for a specific requirement. For instance, you might be asked: a company needs to ensure that all Windows 11 devices have BitLocker enabled and the Windows Defender antivirus is active. Which compliance policy settings should you configure? You would need to select the specific options related to device encryption and antivirus status. Some exams, like MD-102, present this as a drag-and-drop or multiple-select question where you choose the correct policy actions.
Remediation selection questions present a noncompliant device and ask what action should be taken to bring it back into compliance. For example, a device is noncompliant because it is missing a critical security update. The question asks: which action should be taken first? The correct answer might be to deploy the missing update using a patch management tool or to enable automatic updates. Another variation might involve a device that is noncompliant because the user has disabled Location Services, which is required for a compliance policy in a specific industry. The remediation might be to notify the user to enable the service or to apply a configuration profile.
Tool identification questions ask you to name the correct tool or service for a given compliance state scenario. For AWS, you might be asked: which AWS service can be used to evaluate the compliance of EC2 instances against a security baseline? The answer would be AWS Config. For Microsoft, you might be asked: which Microsoft 365 admin center shows the compliance state of devices enrolled in Intune? The answer would be Microsoft Endpoint Manager admin center. Some questions ask about APIs or command-line tools, such as using PowerShell to query compliance state from Azure AD.
Finally, there are troubleshooting questions. For example, a device is showing as noncompliant even though the user says they have the required antivirus installed. You are asked to determine why the compliance state is incorrect. Possible reasons include that the compliance policy uses a different antivirus product than the one installed, the antivirus signature is outdated, the compliance agent has not reported recently, or the device is not enrolled in the management system. These questions test your ability to diagnose discrepancies between expected and actual compliance state.
To prepare for these question types, you should practice interpreting compliance policy rules and mapping them to real-world configurations. Understanding the relationship between compliance state identity, conditional access, and remediation workflows is essential for passing modern IT certification exams.
Practise Compliance state Questions
Test your understanding with exam-style practice questions.
Example Scenario
Contoso Pharmaceuticals is a mid-size company with 500 employees. They handle sensitive patient data and must comply with HIPAA regulations. The IT department has defined a compliance policy for all company-issued Windows laptops used by researchers. The policy includes three rules: the device must have full disk encryption (BitLocker) enabled, the device must have the latest Windows security updates installed (released within the last 30 days), and the device must have an active endpoint protection service (Microsoft Defender for Endpoint) running.
One morning, a researcher named Dr. Allen logs into her laptop. She is about to access a database containing clinical trial results. The laptop is enrolled in Microsoft Intune. Before granting access to the database, the conditional access policy in Azure AD checks the compliance state of Dr. Allen's device. The Intune agent on her laptop reports the following current state: BitLocker is enabled, Windows security updates are up to date (last installed two weeks ago), but Microsoft Defender for Endpoint is not running because Dr. Allen accidentally disabled it while troubleshooting a performance issue.
The compliance policy evaluation engine compares the reported state against the policy rules. Rule one (BitLocker) passes. Rule two (security updates) passes. Rule three (Defender for Endpoint) fails. Because at least one rule fails, the overall compliance state of the device is set to Noncompliant.
When the conditional access policy evaluates Dr. Allen's access request, it sees the noncompliant state. According to the policy, access to the clinical database is blocked for noncompliant devices. Dr. Allen is not able to open the database. Instead, she sees an error message informing her that her device does not meet security requirements and that she should contact IT support.
The IT helpdesk receives an automatic alert from Intune about Dr. Allen's noncompliant device. A technician remotely connects to her laptop, re-enables Microsoft Defender for Endpoint, and confirms it is running and reporting correctly. The technician then triggers a reassessment of the compliance policy. This time, all three rules pass. The compliance state changes to Compliant. Dr. Allen locks and reopens her laptop, and now she can access the clinical database without any issues.
This scenario illustrates how compliance state directly affects user productivity and security. The automated check prevented a potential data breach by blocking access from a device that lacked active endpoint protection. It also demonstrates the remediation workflow, where the noncompliant status triggered a support ticket, which led to the issue being fixed quickly.
Common Mistakes
Assuming compliance state is binary (compliant or not) without considering unknown status
Many tools report an 'Unknown' compliance state when a device cannot be assessed due to missing agent, network issues, or unsupported OS version. Treating unknown as compliant can leave a security gap.
Always treat unknown as potentially noncompliant. Investigate the cause of unknown status and ensure the device can be fully assessed.
Thinking that once a device is compliant it stays compliant forever
Compliance state is dynamic. A device can become noncompliant if a security update is released and not installed, if a user disables a service, or if a certificate expires. Relying on a past compliance check is risky.
Implement periodic automatic reassessment (e.g., every 24 hours) and real-time event-driven checks to keep compliance state current.
Believing that user-reported compliance is sufficient
Users may disable security features for convenience, forget to install updates, or misreport the state of their device. Manual reporting is unreliable and can lead to security gaps.
Use automated, agent-based or agentless compliance scanning tools that directly read the device configuration rather than relying on user input.
Setting compliance policies that are too strict or too lenient without business context
Overly strict policies can block legitimate users and devices, hurting productivity. Overly lenient policies may leave the organization vulnerable. A policy that requires the latest feature update on day one may break critical legacy applications.
Balance security requirements with operational needs. Use pilot groups to test policies before broad deployment, and include grace periods for updates where appropriate.
Confusing compliance state with vulnerability state
A device can be fully compliant (meeting all policy rules) but still have vulnerabilities that are not covered by the policy. For example, a compliance policy may require antivirus to be running, but not specify that it blocks a specific exploit. Vulnerability scans and compliance scans are different.
Use both compliance state assessments and vulnerability scans. Compliance tells you if the device follows the rules, while vulnerability scans tell you if there are known exploitable weaknesses. Both are needed for a full security picture.
Forgetting that compliance state may have different meanings in different contexts (device vs. resource vs. user)
In Azure Policy, compliance state applies to an Azure resource like a storage account. In Intune, it applies to a device. In a conditional access policy, it might apply to a user's sign-in. Mixing these contexts can lead to incorrect troubleshooting.
Always clarify the scope: are you checking compliance of a device, an Azure resource, a user account, or a service? Use the appropriate tool for each scope.
Assuming all compliance policies are based on the same set of rules
Different departments or regulatory frameworks may have different requirements. A compliance policy for a PCI-DSS environment is much stricter than for a general office. Applying a single policy everywhere may cause false positives or miss critical controls.
Design multiple compliance policies tailored to the sensitivity of the data and the applicable regulations. Use Azure Policy management groups or Intune scope tags to assign the right policy to the right group.
Exam Trap — Don't Get Fooled
{"trap":"A question describes a device that passes all compliance policy checks but still has a known vulnerability that is actively being exploited. The question asks if the device is compliant. Many learners click 'No' because the device is vulnerable."
,"why_learners_choose_it":"Learners often equate 'secure' with 'compliant'. If a device is vulnerable, they assume it cannot be compliant. They forget that compliance is about meeting a specific set of rules, not about being invulnerable."
,"how_to_avoid_it":"Stick to the definition: compliance state is determined by whether the device meets the rules in the compliance policy. If the policy does not include a rule about that specific vulnerability, the device can still be compliant even if it is vulnerable. Always read the question carefully and identify what rules are part of the policy, not what the device's overall security posture is."
Commonly Confused With
A compliance policy is the set of rules and conditions that define what is acceptable. Compliance state is the result of evaluating a system against those rules. The policy is the blueprint; the state is the report card. For example, a compliance policy might require encryption. The compliance state of a device tells you whether encryption is enabled or not.
A school has a rule that students must wear a uniform. That rule is the compliance policy. Whether a specific student is wearing the uniform correctly is their compliance state.
Conditional access is a mechanism that uses compliance state as one of several signals to decide whether to grant or deny access to a resource. Compliance state is the input; conditional access is the action. A device being noncompliant does not automatically block access-that behavior is defined by a conditional access policy.
A nightclub has a policy that only people over 21 can enter. Checking an ID determines a person's age (compliance state). The bouncer then uses that information to let them in or not (conditional access).
Endpoint security posture is a broader concept that includes compliance state but also includes factors such as threat intelligence, user behavior, and real-time threat detection. Compliance state is just one component of the overall posture. A device can be compliant but have a poor security posture if it is actively under attack.
A person can be following all the safety rules at a construction site (compliant) but still be at risk if a crane is swinging overhead. The overall safety posture is worse than just the compliance state suggests.
A CMDB stores the desired and actual configuration of all IT assets, including compliance-related parameters. Compliance state is a dynamic attribute derived from comparing the CMDB's actual state to the desired state. The CMDB is the database; compliance state is a report generated from that database.
Think of a library catalog (CMDB) that lists every book and its location. A compliance check would compare whether each book is actually in its assigned spot. The result (correct or incorrect) is the compliance state of the library's organization.
An audit trail is a record of who did what and when over time. Compliance state is a snapshot at a moment in time. An audit trail can show how compliance state changed, but it is not itself the state. For example, an audit log might show that a device became noncompliant at 3:00 PM because a user disabled antivirus.
A driving record (audit trail) shows a history of speeding tickets. The current compliance state of the driver is whether their license is currently valid.
A security baseline is a predefined set of secure configuration settings, often used as the standard for compliance policies. The baseline is the benchmark. Compliance state tells you how close a system is to that benchmark. A baseline might say 'require 14-character passwords.' A system that has 12-character passwords is noncompliant relative to that baseline.
A recipe (security baseline) tells you the exact ingredients for a cake. The compliance state is whether the cake you baked contains all those ingredients.
Core Definition and Purpose of Compliance State in Cloud Security
In modern cloud and application security, the term "Compliance state" refers to the real-time or historical evaluation of an organization's infrastructure, configurations, and data handling against a defined set of regulatory or internal policy standards. These standards may originate from frameworks such as the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR), the Federal Risk and Authorization Management Program (FedRAMP), or industry-specific baselines like the Center for Internet Security (CIS) benchmarks. The compliance state is dynamic; it changes as resources are created, modified, or deleted, and as threat intelligence or regulatory requirements evolve.
For IT professionals and security architects, understanding the compliance state involves monitoring the alignment of every cloud resource with the required controls. This includes checking encryption settings, network access rules, logging configurations, identity and access management policies, and software patch levels. Tools like AWS Config, Azure Policy, and third-party compliance scanners continuously evaluate resources and report a compliance state that is often represented as "Compliant," "Non-compliant," or "Unknown." The term is central to exams such as the AWS Certified Solutions Architect – Associate (AWS-SAA), where candidates must design architectures that maintain compliance state through automated remediation. Similarly, for the Certified Information Systems Security Professional (ISC2 CISSP), the compliance state is a key concept in the domain of Security and Risk Management, as it directly ties to the organization's governance and continuous monitoring obligations.
A compliant state is not a one-time achievement but requires ongoing validation. For example, in the CompTIA Security+ (SY0-601) and CySA+ (CS0-002) exams, candidates learn about continuous monitoring and the importance of establishing a baseline for compliance. The compliance state is often checked via audit logs and configuration management databases (CMDBs). In Microsoft exams like MD-102, MS-102, AZ-104, and SC-900, the compliance state is evaluated through Microsoft Defender for Cloud, Microsoft Purview Compliance Manager, and Azure Policy. These platforms generate compliance scores and detailed reports that highlight gaps, such as unpatched vulnerabilities or misconfigured storage accounts. Understanding how to interpret these scores and transition resources from non-compliant to compliant is a critical skill assessed across all these certifications.
the compliance state has significant financial and operational implications. A non-compliant state can lead to fines, legal penalties, and reputational damage. It can also trigger security incidents, as misconfigurations often create attack surfaces. Therefore, remediation actions-such as enforcing encryption at rest and in transit, enabling multi-factor authentication, and restricting public access to storage-are designed to return the system to a compliant state. Automated corrective actions, like AWS Config rules that automatically remediate non-compliant resources using Systems Manager Automation, are essential for maintaining a continuous compliant state without manual intervention.
Finally, the compliance state is often visualized in dashboards. These dashboards aggregate data from multiple accounts or subscriptions, providing a top-down view of organizational compliance. CISSP candidates must be able to recommend appropriate remediation strategies based on the severity of non-compliance, while Azure or AWS architects need to configure policies that enforce compliance at scale. The compliance state is, therefore, a cross-cutting concept that bridges technical implementation, regulatory requirements, and continuous security monitoring. It is the primary metric by which an organization validates its adherence to promised security postures to customers, auditors, and regulators.
Enforcement Mechanisms for Maintaining Compliance State
Enforcing a desired compliance state in cloud environments involves a combination of preventive, detective, and corrective controls. Preventive controls are designed to stop resources from being provisioned if they do not meet the required compliance state. For example, in Microsoft Azure, Azure Policy can enforce that all storage accounts must have encryption enabled by denying creation of any storage account without that setting. Similarly, AWS Service Control Policies (SCPs) can restrict account-level actions to ensure compliance with organizational standards. These controls act as gatekeepers, ensuring that infrastructure is born compliant, which significantly reduces the remediation burden later.
Detective controls focus on identifying resources that have drifted from the desired compliance state. Tools like AWS Config, Azure Policy's audit effect, and Google Cloud's Asset Inventory continuously evaluate the configuration of all resources and compare them to the defined policies. When a resource becomes non-compliant, these tools generate alerts and log the event. For instance, if a security group rule is modified to allow SSH access from the internet (0.0.0.0/0), AWS Config detects that change and flags the security group as non-compliant. In the context of exams like CySA+ and Security+, understanding how to interpret these alerts and prioritize remediation based on risk is essential.
Corrective controls are the third pillar. They automatically address non-compliance without human intervention. AWS provides the capability to attach automated remediation actions to AWS Config rules. For example, if an S3 bucket is found to have public read access, AWS Config can invoke an AWS Lambda function to remove the public ACL and revert the bucket to a compliant state. In Azure, the "DeployIfNotExists" policy effect can automatically deploy required agents or settings to resources that are missing them. Microsoft Intune, covered in MD-102 and MS-102, can enforce compliance policies on mobile devices, automatically blocking or wiping devices that fall out of compliance. These automated remediation mechanisms are a favorite topic in exam questions because they demonstrate an understanding of operational excellence and security automation.
Another critical enforcement mechanism is the use of compliance frameworks and scoring. Microsoft Purview Compliance Manager, for instance, provides a compliance score based on how many controls are satisfied across various regulations (e.g., GDPR, ISO 27001). Admins can track their compliance state over time and get recommendations for improvements. On the AWS side, AWS Audit Manager helps continuously audit usage to simplify compliance assessment. For the ISC2 CISSP exam, understanding the difference between preventive, detective, and corrective controls as they relate to compliance state is fundamental. The exam may ask which control type is most appropriate for a specific scenario, such as ensuring that all database snapshots are encrypted.
In multi-cloud or hybrid environments, maintaining a unified compliance state becomes challenging. This is where third-party tools like Prisma Cloud or Qualys can aggregate compliance data across AWS, Azure, and on-premises systems. These tools perform automated checks against CIS benchmarks and NIST frameworks, providing a single pane of glass for compliance state. As organizations adopt DevSecOps, compliance-as-code becomes a method to enforce compliance state in CI/CD pipelines. Using tools like Chef InSpec or OpenPolicyAgent, security policies are embedded into the development pipeline, blocking deployments that would create non-compliant resources. This proactive approach ensures that compliance state is not an afterthought but is built into the application lifecycle. Understanding these enforcement mechanisms is crucial for all the listed exams, as cloud security architects must design systems that can automatically detect and correct drift while still allowing agility for developers.
Compliance State Monitoring and Reporting Strategies
Effective monitoring of compliance state requires both real-time visibility and historical reporting. Real-time monitoring is typically achieved through event-driven alerts. For example, when a resource changes configuration, a cloud monitoring service like Amazon CloudWatch Events or Azure Event Grid triggers a notification. This event can be consumed by a security information and event management (SIEM) system or a custom dashboard to update the compliance state within minutes. In the CySA+ and Security+ exams, candidates learn about the importance of log aggregation and correlation to detect non-compliant actions. These alerts are often categorized by severity and mapped to specific compliance controls, enabling rapid response.
Historical reporting is equally important for audits. Compliance state reports are usually generated on a regular basis (daily, weekly, or monthly) and stored for retention periods required by regulations. Tools like AWS Config aggregated view allow administrators to view the compliance state of all resources across an entire organization. Similarly, Azure Resource Graph provides a powerful query interface to run compliance checks across multiple subscriptions. These reports typically show the percentage of resources that are compliant, non-compliant, or excluded. They often break down non-compliance by specific policy-for instance, showing that 15% of EC2 instances do not have encryption at rest enabled. This granularity is essential for prioritizing remediation efforts.
Automated reporting, such as scheduled compliance reports sent via email to compliance officers, is a common requirement. AWS Config can deliver configuration snapshots and compliance snapshots to an S3 bucket, which can then be analyzed with Amazon Athena. In Azure, compliance reports can be exported from Microsoft Defender for Cloud or Purview Compliance Manager in formats such as CSV, PDF, or JSON. This is especially relevant for the MS-102 and SC-900 exams, which focus on managing compliance in Microsoft 365 and Azure environments. The compliance state reports must capture not only the current state but also changes over time, providing a compliance history that demonstrates due diligence during an audit.
Another important aspect is the integration of compliance state monitoring with ticketing systems. For example, a non-compliant finding in AWS Console can automatically create a Jira ticket or a ServiceNow incident. This workflow ensures that non-compliance is not just noted but is assigned to the appropriate team for resolution. CISSP exams often test the concept of "continuous monitoring" as part of the security operations domain. This involves the ongoing collection of data to determine if the compliance state is maintained. In practical terms, this means deploying agents on servers to check for missing patches, using cloud security posture management (CSPM) tools to evaluate cloud configurations, and running vulnerability scans on a recurring basis.
For complex environments, visualization tools like Power BI or Grafana can be used to create dashboards that show compliance state trends. An upward trend in compliance scores indicates successful remediation efforts, while a downward trend signals potential issues that need attention. In an exam context, questions might ask how to configure a recurring compliance report that includes specific controls from the PCI DSS framework. The correct answer often involves using a combination of automated assessment tools and scheduled export functions. Exam questions may present scenarios where a resource is reported as non-compliant, and the candidate must determine whether this is due to a policy misconfiguration, a recent change, or a lack of proper remediation actions. Understanding these monitoring and reporting strategies enables administrators to stay ahead of compliance issues and maintain a strong security posture.
Automated Remediation to Restore Compliance State
Automated remediation is the process of automatically correcting non-compliant resources without human intervention. This is a critical capability for maintaining a consistent compliance state at scale, especially in large enterprises or environments with many DevOps teams. Without automation, non-compliant configurations can persist for hours or even days, increasing security risk. AWS Config rules, for example, can be associated with remediation actions that use AWS Systems Manager Automation documents. If a rule detects that an Amazon EC2 instance is not associated with a specific security group, the Automation document can automatically change the instance's security group association to a compliant one. This approach is central to the AWS-SAA exam, where candidates must design architectures that can automatically respond to configuration drift.
In Azure, the remediation strategy is often built into Azure Policy. The "Modify" effect and "DeployIfNotExists" effect allow policies to automatically correct misconfigurations. For instance, if a policy requires that all virtual machines have the Azure Monitor agent installed, the DeployIfNotExists effect will automatically install the agent on any VM that does not have it. Microsoft Intune, as tested in MD-102 and MS-102, can enforce compliance policies on devices, such as requiring a PIN or encryption. If a device becomes non-compliant, Intune can automatically block it from accessing corporate resources or even remote-wipe the device to protect data. These automated enforcement actions are heavily tested because they tie together policy definition, detection, and correction.
Automated remediation can also be triggered by custom scripts or serverless functions. For example, a Lambda function can be subscribed to an S3 bucket's event notifications. If an object is uploaded without encryption, the Lambda function can re-encrypt the object or move it to a quarantine bucket. Similarly, in the context of container security, a Kubernetes admission controller can check compliance policies (e.g., "containers must run as non-root") and block or modify the pod creation request to ensure compliance state. The CySA+ and Security+ exams emphasize the need to use automation to reduce manual effort and human error, both of which are leading causes of non-compliance.
However, automated remediation must be carefully designed to avoid unintended consequences. For example, automatically removing a public IP from an EC2 instance might break an application that was legitimately meant to be public-facing. Therefore, automated remediation should be paired with exception handling and notification workflows. A best practice is to first apply the remediation to a subset of non-compliant resources (a "canary" approach) and then roll out to all resources after validation. In the CISSP exam, candidates learn about the concept of "fail-safe" and the importance of having a rollback plan. Similarly, questions in the SC-900 exam may ask about the trade-offs between full automation and manual approval for high-risk changes.
Another automation strategy is compliance-as-code. Using tools like Terraform, CloudFormation, or Azure Resource Manager templates, infrastructure can be provisioned with compliance baked in. These templates can be version-controlled and peer-reviewed, ensuring that the compliance state is defined in the source code before any resources are created. When drift occurs, tools like Terraform's "plan" can detect differences and propose corrections. This is a powerful concept for DevSecOps and is covered across multiple certifications. Ultimately, automated remediation is not just about fixing problems-it's about creating a system that continuously self-heals to maintain a desired compliance state. This reduces the operational burden on security teams and allows them to focus on more strategic tasks. In exams, candidates are often asked to identify the correct sequence of steps to implement automated remediation or to choose between options for handling a non-compliant resource in a way that balances security and availability.
Troubleshooting Clues
Resource shows as 'Non-Compliant' in AWS Config but no changes were made
Symptom: AWS Config rule changes from COMPLIANT to NON_COMPLIANT without any modifications by the administrator. Reports might list a resource like an S3 bucket or EC2 instance as out of compliance unexpectedly.
This often occurs because a dependent resource changed. For example, if an AWS Config rule checks that S3 buckets have default encryption enabled, and a KMS key used by the bucket is deleted or disabled, the bucket's encryption will fail, causing non-compliance. Similarly, a change in an AWS Managed Config rule (e.g., a new version of the rule) might introduce stricter checks. The compliance state can also change if the resource was already non-compliant but was not previously evaluated due to a data gap.
Exam clue: In AWS-SAA and Security+ exams, this exact scenario is used to test whether candidates understand that compliance state can change due to external dependencies, not just direct resource modifications. They must consider evaluating all linked resources.
Azure Policy reports 'Non-Compliant' but resource configuration appears correct
Symptom: After reviewing a VM or storage account in Azure Portal, the settings seem to match the policy requirements, but the compliance state shows NON_COMPLIANT under Azure Policy. The resource might have been compliant previously.
Azure Policy evaluates the resource's current state against the policy definition in real-time. False non-compliance can happen if the policy audits a property that is not immediately visible in the portal (e.g., tags at a different scope or inherited settings). Another common cause is that the policy evaluation has not finished its full cycle-Azure Policy evaluates new or updated resources within minutes, but sometimes manual intervention like a missing managed identity for 'DeployIfNotExists' effects can cause non-compliance even if it looks correct. If the policy uses 'aliases', the property might be nested and not visible in basic views.
Exam clue: This issue is commonly tested in AZ-104 and SC-900. Exam questions may present a scenario where an admin sees 'NON_COMPLIANT' but the resource seems fine, and the correct answer involves checking the policy definition details, using 'az policy state list' with expand=policyAssignment, or verifying the alias path used in the policy rule.
Intune device shows as non-compliant despite meeting all defined policies
Symptom: A Windows 10 device or mobile device is marked as 'Not Compliant' in Microsoft Endpoint Manager (Intune), even though the admin has verified that the device has the required OS version, BitLocker enabled, and passcode set.
Intune compliance policies can check much more than local device settings. They also check for jailbreak/root status, threat levels from integrated threat protection (e.g., Microsoft Defender for Endpoint), and certificate validity. If the device cannot communicate with Intune (e.g., network connectivity issues) or if the compliance policy has not been updated on the device since it was last evaluated, the state can be stale. Another possibility is that the device lost its MDM enrollment due to certificate expiration, which automatically sets the compliance state to 'Not Evaluated' or 'Non-Compliant' depending on the policy's grace period.
Exam clue: This is a favorite in MD-102 and MS-102. Exam questions ask to identify why a device with correct local settings would show non-compliant. The answer often points to missing network connectivity to Intune services or an expired device enrollment token. They test the understanding that compliance state in Intune is a combination of device health, policy assignment, and enrollment status.
Compliance score in Microsoft Purview Compliance Manager decreases without any new policy changes
Symptom: The compliance score drops from 85% to 78% overnight. No new regulatory changes were announced, and no administrative actions were taken that would affect compliance.
Microsoft Purview Compliance Manager's score is affected by continuous assessments from Microsoft Defender for Cloud, Microsoft 365 security center, and other data sources. A single newly found vulnerability (e.g., a CVE affecting a software component in your tenant) can reduce the score because it indicates a gap in a control. If a previously satisfied control action expires (e.g., a data retention policy ran out), the control becomes unfulfilled, reducing the score. Cloud apps discovered by Microsoft Defender for Cloud Apps that are not compliant with your data loss prevention policies can also cause score drops.
Exam clue: Tested in MS-102 and SC-900. Exam scenarios will often describe a mysterious score drop and ask which log or report to check first. The correct answer usually involves reviewing 'Microsoft Defender for Cloud Security Score' or 'Compliance Manager assessment updates' to find new vulnerabilities or expired control actions.
AWS Config aggregated compliance shows discrepancy between individual account and organization view
Symptom: An AWS Config aggregator dashboard shows different compliance percentages for the same rule across accounts compared to what is seen in the individual account's AWS Config console. For example, a rule shows 80% compliant in one account but 90% in the aggregator.
AWS Config aggregated view uses a separate evaluation process that may include resources from different regions or accounts that are not being evaluated in the same way. This can happen if the aggregator has a different set of organizational rules or if some accounts have disabled the config recorder for certain resource types. Another reason is that the aggregation query might be retrieving data from a different snapshot time, causing temporal differences. Also, if the 'aggregator' has not yet been updated with the latest evaluations from all accounts, it may show stale data.
Exam clue: For AWS-SAA, this issue is used to test understanding of AWS Config aggregator limitations. Exam questions ask how to ensure consistency: the answer involves checking that all accounts have the same config recorder settings and that the aggregator is set to use the latest snapshot with a defined frequency, or to use 'describe-compliance-by-config-rule' directly per account.
Azure Policy compliance state stuck on 'Not Started' or 'Unknown' for new resources
Symptom: After deploying a new VM or storage account, Azure Policy shows the compliance state as 'Not Started' or 'Unknown', even after several hours. The resource appears in the policy compliance view but does not get evaluated.
Azure Policy evaluates new resources usually within a few minutes, but if the policy assignment's scope does not include the new resource's location or resource group, or if the resource type is not in the policy definition's resource type list, it will remain 'Not Started'. Another reason: the Azure Policy evaluation engine may be delayed due to high demand or a pending update. If the resource is in a subscription that has been moved or failed to register with the Azure Policy resource provider (Microsoft.PolicyInsights), the evaluation will not occur. Also, if the policy uses a 'DeployIfNotExists' effect, the evaluation may require a managed identity that was not properly assigned.
Exam clue: This is a classic AZ-104 and SC-900 trick question. The correct troubleshooting step is to verify the resource type is included in the policy definition, check the resource provider registration for Microsoft.PolicyInsights, and ensure the policy assignment is scoped to include the resource's location. Exam questions often present this as a scenario where the admin has to re-register the resource provider.
Device compliance state in Intune flips between 'Compliant' and 'Non-Compliant' frequently
Symptom: A device's compliance status changes multiple times within a day without any user or admin actions. For example, it is compliant in the morning, non-compliant at noon, then compliant again by evening.
This often indicates that the device is enrolled with multiple compliance policies that have overlapping or conflicting settings. For example, one policy requires a PIN of 6 characters, and another requires 8 characters. The device might comply with one policy assessment but fail the other, causing the aggregated state to fluctuate. It can also be due to intermittent network connectivity: the device fails to check in with Intune for compliance evaluation at a specific time, so the last known state is marked non-compliant until the next successful check-in. Another cause: if the compliance policy is set to evaluate based on a third-party threat agent (like a mobile threat defense partner), and that agent reports sporadic findings, the state will toggle.
Exam clue: For MD-102 and MS-102, exams ask how to resolve this: merge overlapping policies into one or review the compliance policy's 'Noncompliance period' setting. Also, they test the understanding that multiple compliance policies on a device are evaluated together and the device is only compliant if it meets all policies. Frequency of check-ins can be adjusted in policy settings.
Learn This Topic Fully
This glossary page explains what Compliance state means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
CISSPCISSP →CS0-003CompTIA CySA+ →MD-102MD-102 →MS-102MS-102 →AZ-104AZ-104 →SC-900SC-900 →SY0-701CompTIA Security+ →SAA-C03SAA-C03 →220-1102CompTIA A+ Core 2 →CDLGoogle CDL →ISC2 CCISC2 CC →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
SY0-601SY0-701(current version)Related Glossary Terms
An app protection policy is a set of rules that controls how data is handled and secured within mobile applications, ensuring corporate information stays safe even on personal devices.
Application deployment is the process of making a software application available for use, typically by installing, configuring, and activating it on target devices or servers.
Attack surface reduction is a set of security practices that minimizes the number of ways an attacker can access or exploit a system by removing unnecessary features, locking down configurations, and controlling software behavior.
Conditional access is a security framework that evaluates signals like user location, device health, and risk level to grant or block access to resources in real time.
Device risk is the chance that a computer, phone, or other endpoint could cause a security problem or data leak because it is not properly managed or protected.
Endpoint Detection and Response (EDR) is a cybersecurity technology that continuously monitors endpoint devices to detect, investigate, and respond to advanced threats.
Quick Knowledge Check
1.An AWS Config rule that checks whether S3 buckets have versioning enabled has been evaluating resources for months. Suddenly, a bucket that was always compliant shows as non-compliant. No changes were made to the bucket or the rule. What is the most likely cause?
2.An Azure subscription has a policy assignment that requires all storage accounts to have 'Secure transfer required' set to 'Enabled'. A storage account is found to be non-compliant, but the admin reviews the Azure Portal and sees that 'Secure transfer required' is indeed set to 'Enabled'. What should the admin check next?
3.An organization uses Microsoft Intune to manage laptops. A user's device shows 'Non-Compliant' despite meeting all compliance policy settings (OS version, encryption, firewall). The device has full internet connectivity. What is the most likely issue?
4.An organization notices that their Microsoft Purview Compliance Manager score dropped from 90 to 85. They have not changed any policies or settings. Which of the following is the most likely explanation?
5.An AWS Config aggregated compliance view shows that 95% of resources are compliant in account A, but when logging directly into account A and checking the same rule, it shows 90% compliant. What is the most likely cause of this discrepancy?