CLF-C02 | Chapter 47 of 130 | Objective 1.4

AWS Cloud Compliance Overview

This chapter covers AWS Cloud Compliance Overview, a key topic under Cloud Concepts (Domain 1) for the CLF-C02 exam. Compliance on AWS is about understanding how AWS helps you meet regulatory, legal, and industry standards (like GDPR, HIPAA, PCI-DSS) through its shared responsibility model, compliance certifications, and governance tools. This objective carries approximately 10-15% weight in the exam. You will learn the compliance frameworks AWS supports, the tools to audit and monitor compliance (AWS Config, AWS CloudTrail, AWS Artifact), and how to interpret compliance reports. Real-world scenarios often test your ability to distinguish between AWS's responsibilities and your own.

25 min read
Beginner
Updated May 31, 2026

The Bank Safety Deposit Box

Imagine you run a small business and store valuable documents—contracts, financial records, employee data—in a bank's safety deposit box. The bank provides a secure vault with 24/7 surveillance, biometric access logs, and compliance with financial regulations (like SOX or PCI-DSS). You don't build the vault; you rent the box. The bank ensures that only authorized personnel (you and your designated delegates) can access the box, and every access is recorded. If an auditor asks who accessed the box and when, the bank gives you a detailed log. The bank also undergoes annual audits by external firms to certify that its security controls meet industry standards. In this analogy, the bank is AWS, the vault is its global infrastructure, the safety deposit box is your AWS account (or a specific service like S3 with compliance features), and the audit logs are AWS CloudTrail. The key point: AWS is responsible for the security OF the cloud (the vault's walls, locks, cameras), while you are responsible for security IN the cloud (what you put in the box, who you give keys to). Compliance certifications (like ISO 27001, SOC 2) are like the bank's annual audit reports—you can share them with your own auditors to prove the vault is trustworthy. This shared responsibility model is the foundation of AWS compliance.

How It Actually Works

What Is AWS Cloud Compliance and Why It Matters

Cloud compliance refers to adhering to laws, regulations, standards, and internal policies when using cloud services. For businesses, non-compliance can result in fines, legal action, loss of customer trust, and even criminal liability. On AWS, compliance is a shared responsibility: AWS is responsible for the security OF the cloud (e.g., physical data centers, hardware, network infrastructure) and provides compliance certifications for those components. Customers are responsible for security IN the cloud (e.g., configuring services, managing access, encrypting data).

The Shared Responsibility Model in Detail

AWS defines the shared responsibility model as follows:

AWS Responsibility: Protect the infrastructure that runs all AWS services. This includes hardware, software, networking, and facilities. AWS also maintains compliance certifications (e.g., SOC 1/2/3, ISO 27001, PCI DSS Level 1) for its data centers and services.

Customer Responsibility: Depends on the services chosen. For Infrastructure as a Service (IaaS) like EC2, you manage the guest OS, firewall, data encryption, and IAM. For Platform as a Service (PaaS) like RDS, AWS manages the OS and database engine, but you still control data, user access, and encryption settings. For Software as a Service (SaaS) like Amazon WorkDocs, AWS handles most security, but you manage user identities and data classification.

AWS Compliance Programs and Certifications

AWS engages with external auditors and certifying bodies to obtain compliance certifications. Key programs include:

SOC (Service Organization Controls): SOC 1 (financial reporting), SOC 2 (security, availability, processing integrity, confidentiality, privacy), SOC 3 (public report).

ISO 27001: Information security management standard.

PCI DSS Level 1: Payment card industry data security standard for handling credit card data.

HIPAA BAA: Business Associate Agreement for healthcare data.

FedRAMP: For US federal agencies.

GDPR: AWS provides data processing agreements and tools for data protection.

AWS Artifact: Accessing Compliance Reports

AWS Artifact is a self-service portal where you can download AWS compliance reports (e.g., SOC reports, PCI reports) and accept agreements (e.g., HIPAA BAA). It provides on-demand access to over 3,000 compliance documents. You can use these reports to demonstrate to your auditors that AWS meets its compliance obligations.

AWS Config: Monitoring Compliance

AWS Config is a service that evaluates your AWS resource configurations against desired policies. For example, you can create a rule that checks whether S3 buckets have public access blocked. AWS Config continuously monitors and records changes, and you can set up automatic remediation (e.g., using AWS Config Rules with AWS Lambda to fix non-compliant resources). It provides a compliance score and history of configuration changes.

AWS CloudTrail: Auditing API Activity

AWS CloudTrail records all API calls made in your account, including the caller identity, time, source IP, and request parameters. It is enabled by default and stores events for 90 days in the event history. For longer retention, you can create a trail to deliver logs to an S3 bucket. CloudTrail is essential for compliance audits and security investigations.

AWS Audit Manager: Automating Evidence Collection

AWS Audit Manager helps you continuously audit your AWS usage to assess risk and compliance. It pre-builds frameworks for standards like SOC 2, PCI DSS, and HIPAA, and automatically collects evidence (e.g., IAM policies, CloudTrail logs) to reduce manual effort.

AWS Compliance Center and Documentation

The AWS Compliance Center (compliance.aws.amazon.com) provides a centralized view of compliance programs, whitepapers, and resources. AWS also publishes a Shared Responsibility Model whitepaper and a Security Best Practices whitepaper.

Comparing On-Premises vs AWS Compliance

On-premises, you are 100% responsible for compliance—physical security, hardware, software, audits. On AWS, you share the burden. AWS handles the 'boring' parts (data center security, hardware patching) while you focus on application-level controls. However, you cannot audit AWS data centers directly; you rely on third-party certifications and reports (e.g., SOC reports) which are available through AWS Artifact.

When to Use Compliance Tools

Use AWS Artifact when you need to download compliance reports for your own audits.

Use AWS Config when you need continuous monitoring of resource configurations against compliance rules.

Use AWS CloudTrail when you need a record of all API activity for forensic analysis.

Use AWS Audit Manager when you need to automate evidence collection for multiple compliance frameworks.

Pricing Models

AWS Artifact: Free (no charge for accessing reports).

AWS Config: Charged per configuration item recorded and per rule evaluation. First 100,000 configuration items free per region per month.

AWS CloudTrail: Free for management events in the event history (90 days). Charged for data events and for trails delivering to S3.

AWS Audit Manager: Charged per assessment report and per resource evaluated. Free tier includes 30 days of free assessments.

Limits and Defaults

AWS CloudTrail event history: 90 days retention, up to 5 trails per region.

AWS Config: Up to 100 rules per region per account (default).

AWS Artifact: No limits on downloads.

Key AWS Services for Compliance

AWS Identity and Access Management (IAM): Manage user identities and permissions.

AWS Key Management Service (KMS): Create and control encryption keys.

Amazon S3: Object storage with bucket policies and access logs.

AWS GuardDuty: Threat detection service.

AWS Security Hub: Centralized security and compliance dashboard.

Common Compliance Scenarios

Healthcare (HIPAA): You must sign a BAA with AWS (via AWS Artifact) and use HIPAA-eligible services (e.g., EC2, RDS, S3) with encryption enabled.

Finance (PCI DSS): You must use PCI-compliant services, restrict access to cardholder data, and log all access.

Government (FedRAMP): Use AWS GovCloud (US) which meets FedRAMP requirements.

Conclusion

AWS compliance is not automatic; you must actively configure services to meet your obligations. Use AWS Artifact for reports, AWS Config for monitoring, and CloudTrail for auditing. Always check the Shared Responsibility Model to know which side of the line each control falls on.

Walk-Through

1. Access AWS Artifact

Log into the AWS Management Console, navigate to AWS Artifact. This is a self-service portal for compliance reports and agreements. You do not need to configure anything; you can immediately browse available reports. AWS Artifact is free to use. It provides reports from third-party auditors (e.g., SOC, ISO, PCI) that attest to AWS's compliance posture. You can download these reports as PDFs to share with your own auditors or compliance teams. For agreements like the HIPAA BAA, you can review and accept them online, which adds your account to AWS's list of accounts covered under the agreement. This step is critical for regulated industries.

2. Enable AWS Config

In the AWS Management Console, go to AWS Config and click 'Get started'. You will be asked to set up a recording of resource configurations. Choose 'All resources' or specific resource types. You can also define rules (e.g., 's3-bucket-public-read-prohibited') to evaluate compliance. AWS Config will start recording configuration changes and evaluating rules. Behind the scenes, AWS Config uses a configuration recorder to capture changes and an evaluator to run rules. The default recording frequency is every 1 hour for configuration changes. You can set up SNS notifications for non-compliant resources. AWS Config charges per configuration item recorded and per rule evaluation.

3. Create a CloudTrail Trail

Navigate to AWS CloudTrail in the Console and click 'Create trail'. Give it a name (e.g., 'ManagementTrail'). Choose whether to apply the trail to all regions (recommended) or a single region. Specify an S3 bucket to store the logs. Optionally, enable log file validation (to detect tampering) and SSE-KMS encryption. Once created, CloudTrail will begin logging all management events (e.g., CreateUser, DeleteBucket) to the S3 bucket. You can also enable data events (e.g., S3 object-level operations) for additional logging, but these incur extra charges. CloudTrail logs are delivered within 15 minutes of the API call. Use these logs for compliance audits and security investigations.

4. Review Compliance Reports

Return to AWS Artifact and download the latest SOC 2 report. This report is issued by an independent auditor and covers AWS's controls for security, availability, processing integrity, confidentiality, and privacy. You can share this report with your organization's compliance officer or external auditors to demonstrate that AWS meets its compliance obligations. Also, check the 'Agreements' section to see if you need to accept any agreements (e.g., HIPAA BAA). Remember that these reports are about AWS's infrastructure, not your specific configuration. You still need to ensure your own resources comply with your industry standards.

5. Set Up AWS Audit Manager

Go to AWS Audit Manager in the Console. You can start with a pre-built framework (e.g., SOC 2, PCI DSS, HIPAA). AWS Audit Manager will automatically map your AWS resources to the framework's controls and collect evidence (e.g., IAM policies, CloudTrail logs, Config rules). You can then review the evidence and generate an assessment report. This service reduces manual effort in gathering evidence for audits. It charges per assessment report and per resource evaluated. The free tier includes 30 days of free assessments. Use this service when you need to prepare for an external audit or demonstrate compliance to a regulator.

What This Looks Like on the Job

Scenario 1: Healthcare Startup Achieving HIPAA Compliance

A healthcare startup builds a patient portal on AWS to store electronic health records (EHR). They need to comply with HIPAA (Health Insurance Portability and Accountability Act). The startup signs a Business Associate Agreement (BAA) with AWS via AWS Artifact. They then restrict their use to HIPAA-eligible services (e.g., EC2, RDS, S3, CloudTrail) and enable encryption at rest (AWS KMS) and in transit (TLS). They use AWS Config rules to ensure S3 buckets are not publicly accessible and that RDS instances have encryption enabled. They also enable CloudTrail to log all access to patient data. During an audit, they provide the AWS SOC 2 report and their own evidence from Config and CloudTrail. Key cost: BAA is free; AWS Config and CloudTrail costs are minimal for a small environment. If they misconfigured an S3 bucket to be public, they could face HIPAA fines up to $50,000 per violation.

Scenario 2: E-commerce Company Achieving PCI DSS Compliance

An e-commerce company processes credit card payments on AWS. They must comply with PCI DSS (Payment Card Industry Data Security Standard). They use AWS Artifact to download the PCI DSS attestation of compliance (AOC) for AWS. They then segment their network using VPCs and security groups, restrict access to cardholder data using IAM, and enable CloudTrail for all API calls. They use AWS Config to enforce that only PCI-approved services are used. They also use AWS Shield and WAF for web application security. The company's compliance team runs quarterly vulnerability scans using an approved scanning vendor (ASV) and submits reports to their acquiring bank. Misconfiguration: If they store credit card numbers in plaintext in an S3 bucket, they could be fined $100,000 per month by the card brands.

Scenario 3: Government Contractor Using FedRAMP

A government contractor needs to host a web application for a federal agency. They must use a FedRAMP-authorized cloud service provider. They choose AWS GovCloud (US), which is a separate region designed for government workloads and has FedRAMP High authorization. They use AWS Artifact to download the FedRAMP package. They then configure AWS Config with the FedRAMP compliance pack (a set of rules) to monitor their resources. They also enable CloudTrail and use AWS Security Hub to aggregate findings. The contractor's security team must review the FedRAMP continuous monitoring plan. If they accidentally deploy resources in a commercial region (e.g., us-east-1) instead of GovCloud, they would be non-compliant and could lose the contract.

How CLF-C02 Actually Tests This

What CLF-C02 Tests on This Objective (Domain 1: Cloud Concepts, Objective 1.4)

The exam expects you to:

Understand the shared responsibility model and differentiate between AWS and customer responsibilities.

Identify key compliance programs (SOC, ISO, PCI DSS, HIPAA, FedRAMP, GDPR).

Know the purpose of AWS Artifact, AWS Config, AWS CloudTrail, and AWS Audit Manager.

Recognize that compliance reports are available via AWS Artifact.

Understand that AWS Config evaluates resource configurations against rules.

Know that CloudTrail logs API activity.

Common Wrong Answers and Why Candidates Choose Them

1. Wrong: 'AWS is responsible for all compliance.' Why chosen: Candidates think the cloud provider handles everything. Reality: Compliance is shared; you are responsible for your data and configurations.

2. Wrong: 'AWS Config can be used to audit user activity.' Why chosen: Name sounds like it configures things. Reality: AWS Config monitors resource configurations, not user actions. CloudTrail is for user activity.

3. Wrong: 'AWS Artifact provides real-time security monitoring.' Why chosen: 'Artifact' sounds like a tool. Reality: It's a document repository for reports and agreements, not a monitoring tool.

4. Wrong: 'AWS Compliance Center is the only place to get compliance reports.' Why chosen: The name is similar. Reality: AWS Artifact is the correct service for reports.

Specific Terms That Appear on the Exam

Shared Responsibility Model

AWS Artifact

AWS Config

AWS CloudTrail

SOC 1/2/3, ISO 27001, PCI DSS Level 1, HIPAA BAA, FedRAMP, GDPR

AWS Audit Manager

Compliance frameworks

In-scope services

Tricky Distinctions

AWS Config vs. AWS CloudTrail: Config evaluates resource configurations (e.g., is the S3 bucket public?); CloudTrail logs API calls (e.g., who made the bucket public?). Both are compliance tools but serve different purposes.
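The Config-versus-CloudTrail split above, and the S3 public-access rule described in the AWS Config and CloudTrail sections, worked in code as an added example (not from this page or from AWS): a custom-rule style evaluation of a bucket's public access block answers "what does the resource look like", and a search of a CloudTrail log file answers "who changed it". The configuration-item layout and every sample value are constructed assumptions; the CloudTrail field names are the real ones.

```python
import json

# Constructed S3 bucket configuration items shaped like the configurationItem an
# AWS Config custom rule receives (assumption: the public access block sits under
# supplementaryConfiguration as a JSON string; only the fields used are shown).
def _bucket_item(block_public_policy, restrict_public_buckets):
    return {
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "example-records-bucket",
        "supplementaryConfiguration": {"PublicAccessBlockConfiguration": json.dumps({
            "blockPublicAcls": True, "ignorePublicAcls": True,
            "blockPublicPolicy": block_public_policy,
            "restrictPublicBuckets": restrict_public_buckets})},
    }

CONFIG_ITEMS = {"compliant": _bucket_item(True, True),
                "exposed": _bucket_item(False, False)}

# Constructed CloudTrail log file (real CloudTrail field names, made-up values).
CLOUDTRAIL_LOG = {"Records": [
    {"eventTime": "2024-03-01T09:55:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateBucket", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "example-records-bucket"}},
    {"eventTime": "2024-03-01T10:12:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPublicAccessBlock", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"bucketName": "example-records-bucket"}},
    {"eventTime": "2024-03-01T10:20:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "carol"}},
]}

REQUIRED_FLAGS = ("blockPublicAcls", "ignorePublicAcls",
                  "blockPublicPolicy", "restrictPublicBuckets")

def evaluate_public_access_block(item):
    """Config side ("what does it look like"): the evaluation a custom rule
    would report, NON_COMPLIANT if any of the four flags is off or missing."""
    raw = item.get("supplementaryConfiguration", {}).get("PublicAccessBlockConfiguration")
    block = json.loads(raw) if isinstance(raw, str) else (raw or {})
    missing = [f for f in REQUIRED_FLAGS if not block.get(f, False)]
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": "NON_COMPLIANT" if missing else "COMPLIANT",
        "Annotation": ("Public access block flags off: " + ", ".join(missing))
                      if missing else "All public access block flags enabled",
    }

# S3 management events that can change whether a bucket is publicly reachable.
EXPOSURE_EVENTS = {"PutBucketPublicAccessBlock", "DeleteBucketPublicAccessBlock",
                   "PutBucketAcl", "PutBucketPolicy"}

def who_changed_exposure(log, bucket):
    """CloudTrail side ("who did what"): callers that touched this bucket's
    exposure settings, oldest first, with the source IP for the investigation."""
    hits = []
    for rec in log["Records"]:
        if rec["eventSource"] != "s3.amazonaws.com" or rec["eventName"] not in EXPOSURE_EVENTS:
            continue
        if rec.get("requestParameters", {}).get("bucketName") != bucket:
            continue
        hits.append({"time": rec["eventTime"], "event": rec["eventName"],
                     "actor": rec["userIdentity"].get("arn", "unknown"),
                     "source_ip": rec["sourceIPAddress"]})
    return sorted(hits, key=lambda h: h["time"])

def investigate(item, log):
    """Join both views: Config says whether it is exposed, CloudTrail says who."""
    verdict = evaluate_public_access_block(item)
    if verdict["ComplianceType"] == "COMPLIANT":
        return verdict, []
    return verdict, who_changed_exposure(log, item["resourceId"])

if __name__ == "__main__":
    print(json.dumps(investigate(CONFIG_ITEMS["exposed"], CLOUDTRAIL_LOG), indent=2))
```

Run on the constructed input, the Config evaluation flags the bucket as NON_COMPLIANT for the two disabled flags, and the CloudTrail search attributes the change to the PutBucketPublicAccessBlock call by user bob, ignoring the unrelated IAM event.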

AWS Artifact vs. AWS Compliance Center: Artifact provides downloadable reports and agreements; Compliance Center is a website with general information and links.

HIPAA BAA vs. HIPAA-eligible services: A BAA is a contract; you must also use only HIPAA-eligible services (listed in the AWS HIPAA whitepaper).

Decision Rule for Multiple-Choice Questions

If the question asks about 'who is responsible for X', first determine if X is infrastructure (AWS) or customer data/config (you). If the question mentions 'compliance report' or 'audit document', think AWS Artifact. If it mentions 'monitoring resource configurations', think AWS Config. If it mentions 'logging API calls', think CloudTrail. If it mentions 'automating evidence collection', think Audit Manager.

Key Takeaways

Compliance on AWS is a shared responsibility: AWS secures the cloud, you secure what you put in it.

AWS Artifact provides on-demand access to compliance reports (SOC, ISO, PCI, etc.) and agreements (e.g., HIPAA BAA).

AWS Config continuously monitors and evaluates your AWS resource configurations against desired policies.

AWS CloudTrail records all API activity in your account, essential for auditing and compliance.

AWS Audit Manager helps automate evidence collection for compliance frameworks like SOC 2, PCI DSS, and HIPAA.

Key compliance programs: SOC 1/2/3, ISO 27001, PCI DSS Level 1, HIPAA, FedRAMP, GDPR.

AWS Config rules can trigger automatic remediation for non-compliant resources via Lambda functions.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

AWS Config

Monitors resource configurations (e.g., S3 bucket policies, security groups).

Evaluates against rules (e.g., 's3-bucket-public-read-prohibited').

Provides a compliance score and configuration history.

Can trigger automatic remediation (e.g., Lambda functions).

Use case: Ensure resources are configured according to security best practices.

AWS CloudTrail

Records API calls and user activity (e.g., who deleted a bucket).

Provides logs for auditing and forensic analysis.

Stores logs in S3 or CloudWatch Logs.

Enabled by default for management events (90-day retention).

Use case: Investigate unauthorized access or changes.

Watch Out for These

Mistake

AWS is responsible for all compliance requirements.

Correct

Compliance is a shared responsibility. AWS secures the infrastructure; you secure your data and configurations. For example, you must encrypt your own data and manage IAM permissions.

Mistake

AWS Config can be used to track user logins and API calls.

Correct

AWS Config monitors resource configurations (e.g., security group rules), not user activity. Use AWS CloudTrail to record API calls and user actions.

Mistake

AWS Artifact provides real-time security alerts.

Correct

AWS Artifact is a repository for compliance reports and agreements. It does not provide real-time monitoring or alerts. Use AWS Security Hub or GuardDuty for that.

Mistake

If I use AWS, I automatically become HIPAA compliant.

Correct

You must sign a BAA with AWS and configure services correctly (e.g., enable encryption, restrict access). AWS provides tools but does not enforce your compliance.

Mistake

PCI DSS compliance is fully handled by AWS.

Correct

AWS is PCI DSS Level 1 certified for its infrastructure, but you must still implement controls for your application (e.g., tokenization, access controls). You are responsible for your own compliance.

Frequently Asked Questions

What is the shared responsibility model in AWS compliance?

The shared responsibility model divides compliance responsibilities between AWS and the customer. AWS is responsible for the security of the cloud (physical data centers, hardware, networking, and hypervisor) and maintains compliance certifications for those components. The customer is responsible for security in the cloud (data, applications, IAM, encryption, and network configuration). The exact split depends on the service used (IaaS, PaaS, SaaS). For example, with EC2 (IaaS), you manage the guest OS and firewall; with RDS (PaaS), AWS manages the database engine, but you control data access and encryption. Exam tip: If a question asks about responsibility for 'physical security' or 'data center', the answer is AWS. For 'data encryption' or 'user permissions', the answer is customer.

How do I access AWS compliance reports?

You can access AWS compliance reports through AWS Artifact, a self-service portal in the AWS Management Console. AWS Artifact provides on-demand access to over 3,000 compliance documents, including SOC reports, ISO certifications, PCI DSS attestations, and FedRAMP packages. You can download these reports as PDFs. Additionally, you can review and accept agreements like the HIPAA Business Associate Agreement (BAA) directly in AWS Artifact. The service is free of charge. Exam tip: AWS Artifact is the only service specifically for downloading compliance reports; do not confuse it with AWS Config or CloudTrail.

What is the difference between AWS Config and AWS CloudTrail?

AWS Config and AWS CloudTrail serve different purposes in compliance. AWS Config is a configuration monitoring service that evaluates your AWS resource configurations against desired rules. For example, it can check if an S3 bucket has public access blocked. It provides a compliance score and configuration history. AWS CloudTrail, on the other hand, is an auditing service that records all API calls made in your account, including who made the call, when, and from where. CloudTrail logs are essential for investigating unauthorized access or changes. In short: Config monitors 'what' your resources look like; CloudTrail monitors 'who did what'. Both are important for compliance, but they are not interchangeable.

What compliance certifications does AWS hold?

AWS holds a wide range of compliance certifications and attestations, including SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1, HIPAA (via BAA), FedRAMP (Moderate and High), GDPR (data processing agreements), and many others. These certifications are for AWS's infrastructure and services. You can verify current certifications in the AWS Compliance Center or download reports from AWS Artifact. Exam tip: You do not need to memorize all certifications, but you should know the major ones: SOC, ISO, PCI DSS, HIPAA, FedRAMP, and GDPR.

What is AWS Audit Manager and how does it help with compliance?

AWS Audit Manager is a service that helps you continuously audit your AWS usage to assess risk and compliance with regulations and industry standards. It provides pre-built frameworks for common standards like SOC 2, PCI DSS, HIPAA, and GDPR. Audit Manager automatically collects evidence from your AWS resources (e.g., IAM policies, CloudTrail logs, Config rules) and maps it to the controls in the framework. You can then review the evidence and generate assessment reports for auditors. This reduces the manual effort of gathering evidence. Audit Manager charges per assessment report and per resource evaluated. It is especially useful for organizations undergoing regular audits.

What is the difference between HIPAA-eligible services and signing a BAA?

To use AWS for HIPAA compliance, you must both sign a Business Associate Agreement (BAA) with AWS and use only HIPAA-eligible services. The BAA is a contract that defines AWS's responsibilities as a business associate under HIPAA. It is available through AWS Artifact. HIPAA-eligible services are those that AWS has committed to support for protected health information (PHI). They are listed in the AWS HIPAA whitepaper and include services like EC2, S3, RDS, and CloudTrail. You cannot store PHI on non-eligible services (e.g., Amazon WorkDocs is not HIPAA-eligible). Signing the BAA alone does not make you compliant; you must also configure the services correctly (e.g., encryption, access controls).

How does AWS Config help with compliance?

AWS Config helps with compliance by continuously monitoring and recording your AWS resource configurations and evaluating them against desired policies. You can define rules (e.g., 's3-bucket-public-read-prohibited') and AWS Config will assess whether your resources comply. It provides a compliance dashboard showing the number of compliant and non-compliant resources. You can also set up automatic remediation using AWS Systems Manager Automation or Lambda functions to fix non-compliant resources. AWS Config is useful for demonstrating compliance to auditors by providing a history of configuration changes. Exam tip: AWS Config is about 'configuration compliance', not 'user activity'.
