CLF-C02 · Chapter 10 of 130 · Objective 2.4

AWS Compliance and Governance

This chapter covers AWS Compliance and Governance, a critical topic for the CLF-C02 exam under Domain 2: Security and Compliance. This domain makes up about 30% of the exam, and governance questions frequently appear. You'll learn how AWS helps you meet regulatory requirements, manage compliance, and enforce governance policies. We'll explore services like AWS Artifact, AWS Config, AWS CloudTrail, AWS Audit Manager, and AWS Service Catalog, and understand how they work together to provide a compliant and well-governed AWS environment.

25 min read
Beginner
Updated May 31, 2026

The Bank Vault and Audit Trail

Imagine you run a bank. You have a massive vault (your AWS infrastructure) that stores customer deposits (your data). You need to ensure only authorized tellers (users) can access the vault, and you must prove to regulators that you follow strict rules. AWS Compliance and Governance is like hiring a team of security experts, installing cameras, and maintaining a detailed logbook. The security experts (AWS Artifact) provide you with pre-approved compliance reports and contracts, so you don't have to write them yourself. The cameras (AWS CloudTrail) record every single action—who opened the vault, when, and what they did. The logbook (AWS Config) tracks the configuration of the vault itself—is the lock still the required model? Are the hinges reinforced? If someone tries to change the lock to a weaker one, an alarm (AWS Config rule) triggers. You also have a compliance officer (AWS Audit Manager) who automates evidence collection for audits. Without these tools, you'd have to manually watch every teller and check every lock—impossible at scale. AWS gives you the mechanisms to demonstrate compliance without slowing down operations. The key insight: governance is not just about setting rules; it's about having automated, verifiable proof that rules are followed.

How It Actually Works

What is AWS Compliance and Governance?

Compliance and governance in AWS refer to the frameworks, services, and tools that help you adhere to legal, regulatory, and internal policy requirements. The problem it solves: as you move to the cloud, you lose direct control over physical infrastructure, but you gain the ability to automate compliance checks. AWS operates on a shared responsibility model—AWS is responsible for security *of* the cloud, and you are responsible for security *in* the cloud. Governance tools help you fulfill your part of that model.

How It Works: The Mechanism

AWS provides several services that work together to create a governance framework:

AWS Artifact: A self-service portal for on-demand access to AWS compliance reports (e.g., SOC, PCI, ISO) and agreements (e.g., Business Associate Addendum). The reports are issued by AWS's independent third-party auditors and document AWS's own controls, that is, security *of* the cloud; they say nothing about how you have configured your account. You don't need to contact AWS Support to get them: log in and download.

AWS Config: A service that evaluates your AWS resource configurations against desired rules. It records configuration changes and provides a timeline of resource configurations. For example, you can create a rule that checks if EBS volumes are encrypted. If someone launches an unencrypted volume, AWS Config flags it as non-compliant. It also generates a configuration snapshot and history, which is crucial for auditing.
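The EBS-encryption check above is exactly what a custom Config rule evaluates. The Python below is an added example, not code from the page or from AWS: it implements the evaluation half of such a rule, using the invocation shape Config passes to a custom Lambda rule (an `invokingEvent` JSON string carrying a `configurationItem`, plus a `resultToken`). The configuration items, volume IDs and the `RecordingConfigClient` stand-in are constructed so the block runs without AWS access; `boto3` is assumed to exist only inside the Lambda runtime.

```python
"""Evaluation logic of a custom AWS Config rule: EBS volumes must be encrypted.

Added example, not code from the page. The invocation event shape
(invokingEvent as a JSON string carrying a configurationItem, plus
resultToken) is the one Config passes to a custom Lambda rule; the
configuration items and volume IDs below are constructed.
"""
import json

# Constructed configuration items, in the shape Config records them.
ENCRYPTED_VOLUME = {
    "resourceType": "AWS::EC2::Volume", "resourceId": "vol-0aaa111",
    "configurationItemCaptureTime": "2024-03-01T12:00:00Z",
    "configurationItemStatus": "ResourceDiscovered",
    "configuration": {"encrypted": True, "size": 20},
}
PLAINTEXT_VOLUME = {
    "resourceType": "AWS::EC2::Volume", "resourceId": "vol-0bbb222",
    "configurationItemCaptureTime": "2024-03-01T12:05:00Z",
    "configurationItemStatus": "OK",
    "configuration": {"encrypted": False, "size": 100},
}
DELETED_VOLUME = {
    "resourceType": "AWS::EC2::Volume", "resourceId": "vol-0ccc333",
    "configurationItemCaptureTime": "2024-03-01T12:10:00Z",
    "configurationItemStatus": "ResourceDeleted",
    "configuration": None,
}
SECURITY_GROUP = {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0ddd444",
    "configurationItemCaptureTime": "2024-03-01T12:15:00Z",
    "configurationItemStatus": "OK",
    "configuration": {"ipPermissions": []},
}


def evaluate_compliance(configuration_item):
    """Map one configuration item to a Config ComplianceType string."""
    if configuration_item["resourceType"] != "AWS::EC2::Volume":
        return "NOT_APPLICABLE"          # rule is scoped to volumes only
    if configuration_item["configurationItemStatus"] in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE"          # nothing left to evaluate
    if configuration_item["configuration"].get("encrypted") is True:
        return "COMPLIANT"
    return "NON_COMPLIANT"


def build_evaluation(event):
    """Parse the invocation event into the evaluation config:PutEvaluations expects."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": evaluate_compliance(ci),
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def lambda_handler(event, context, config_client=None):
    """Lambda entry point. The client is injectable so the logic runs
    offline; inside Lambda it falls back to boto3 (assumed available there)."""
    evaluation = build_evaluation(event)
    if config_client is None:
        import boto3  # deferred: only needed when actually running in Lambda
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation],
                                  ResultToken=event["resultToken"])
    return evaluation


def make_event(configuration_item):
    """Wrap a configuration item the way Config invokes a change-triggered rule."""
    return {
        "invokingEvent": json.dumps({"configurationItem": configuration_item,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": "{}",
        "resultToken": "constructed-token",
    }


class RecordingConfigClient:
    """Stand-in for the boto3 Config client so the block runs without AWS access."""
    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


if __name__ == "__main__":
    client = RecordingConfigClient()
    for item in (ENCRYPTED_VOLUME, PLAINTEXT_VOLUME, DELETED_VOLUME, SECURITY_GROUP):
        result = lambda_handler(make_event(item), None, client)
        print(result["ComplianceResourceId"], result["ComplianceType"])
```

Two details matter in practice: a deleted resource must report NOT_APPLICABLE rather than NON_COMPLIANT, or the dashboard fills with ghosts, and the rule must be registered with a trigger scoped to AWS::EC2::Volume so it is not invoked for every change in the account. For this particular check the AWS managed rule encrypted-volumes already exists; custom rules are for checks the managed set does not cover.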

AWS CloudTrail: Records API activity in your account. Every action taken via the AWS Management Console, CLI, SDK, or by another AWS service on your behalf is logged as a CloudTrail event, including who made the call, which service and action, the source IP address, the time, and the request parameters. The console's Event history keeps the last 90 days of management events at no charge; for longer retention and for data events you create a trail, which delivers log files to S3 where they can be queried with Athena or forwarded to CloudWatch Logs. It's the foundation for auditing and forensics.
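The records a trail writes to S3 are plain JSON, and the question the page keeps returning to (who deleted the bucket?) is answered by reading them. The Python below is an added example, not code from the page or from AWS: SAMPLE_LOG is a constructed document in the {"Records": [...]} shape CloudTrail delivers, with invented identities, IP addresses and bucket names; the field names (eventName, userIdentity, sourceIPAddress, eventCategory, readOnly) are the ones CloudTrail uses.

```python
"""Attribute an S3 bucket deletion from CloudTrail records.

Added example, not from the original page. SAMPLE_LOG is constructed
to mirror the {"Records": [...]} JSON a trail delivers to S3; the
identities, IPs and bucket names are invented.
"""
import json

SAMPLE_LOG = json.dumps({
    "Records": [
        {   # management event: the bucket deletion we want to attribute
            "eventTime": "2024-03-01T10:15:00Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "DeleteBucket",
            "eventCategory": "Management",
            "readOnly": False,
            "sourceIPAddress": "198.51.100.23",
            "userIdentity": {"type": "IAMUser", "userName": "alice",
                             "arn": "arn:aws:iam::111122223333:user/alice"},
            "requestParameters": {"bucketName": "phi-archive"},
        },
        {   # data event: present only if S3 data events were enabled on the trail
            "eventTime": "2024-03-01T10:16:30Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "GetObject",
            "eventCategory": "Data",
            "readOnly": True,
            "sourceIPAddress": "203.0.113.7",
            "userIdentity": {"type": "AssumedRole",
                             "arn": "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc",
                             "sessionContext": {"sessionIssuer": {"userName": "AppRole"}}},
            "requestParameters": {"bucketName": "phi-data", "key": "patient/42.json"},
        },
        {   # unrelated read-only management call by the same user
            "eventTime": "2024-03-01T10:20:00Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "DescribeInstances",
            "eventCategory": "Management",
            "readOnly": True,
            "sourceIPAddress": "198.51.100.23",
            "userIdentity": {"type": "IAMUser", "userName": "alice",
                             "arn": "arn:aws:iam::111122223333:user/alice"},
            "requestParameters": None,
        },
    ]
})


def load_records(log_text):
    """Parse one CloudTrail log file (JSON with a top-level Records list)."""
    return json.loads(log_text)["Records"]


def actor(record):
    """Short label for the caller: IAM user name, or the role behind an assumed-role session."""
    ident = record["userIdentity"]
    if ident.get("type") == "AssumedRole":
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        return "role:" + issuer.get("userName", ident.get("arn", "unknown"))
    return ident.get("type", "unknown") + ":" + ident.get("userName", ident.get("arn", "unknown"))


def find_bucket_deletions(records):
    """Who deleted which bucket, when and from where.

    Config's history would only show the bucket's configuration item
    disappearing; the identity and source IP live in the CloudTrail record.
    """
    hits = []
    for r in records:
        if r["eventSource"] == "s3.amazonaws.com" and r["eventName"] == "DeleteBucket":
            params = r.get("requestParameters") or {}
            hits.append({"bucket": params.get("bucketName"), "who": actor(r),
                         "when": r["eventTime"], "source_ip": r["sourceIPAddress"]})
    return hits


def count_by_category(records):
    """Management vs data events. A trail without data events enabled
    would simply never contain a 'Data' row, so the absence is silent."""
    counts = {"Management": 0, "Data": 0}
    for r in records:
        cat = r.get("eventCategory", "Management")
        counts[cat] = counts.get(cat, 0) + 1
    return counts


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for hit in find_bucket_deletions(recs):
        print(f"{hit['who']} deleted {hit['bucket']} at {hit['when']} from {hit['source_ip']}")
    print(count_by_category(recs))
```

Files delivered by a trail are gzipped (.json.gz), so in practice wrap the read in gzip.open before handing the text to load_records; at any real volume the same filter belongs in an Athena query over the log bucket, as the page suggests. The count_by_category check is worth keeping: if a trail that is supposed to cover object-level access to sensitive buckets never yields a Data row, data events were not enabled.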

AWS Audit Manager: Automates evidence collection for audits. You define a framework (e.g., PCI DSS, HIPAA) and Audit Manager continuously gathers evidence from your AWS resources, such as CloudTrail logs, Config snapshots, and Security Hub findings. It then generates an assessment report that maps evidence to control requirements, saving you weeks of manual work.

AWS Service Catalog: Allows you to create and manage a catalog of approved IT services. End users can launch pre-approved products (e.g., a standardized EC2 instance with specific security groups) without needing to know the underlying configuration. This enforces governance by limiting users to compliant templates.

Key Tiers, Configurations, and Pricing Models

AWS Artifact: No additional cost. Downloading reports and accepting agreements is free; all you need is an IAM principal with the Artifact permissions.

AWS Config: You pay per configuration item recorded and per rule evaluation. Pricing is regional, and the configuration recorder runs per Region, so enabling Config in every Region multiplies the cost; recording all resource types in a busy account is where the bill comes from.

AWS CloudTrail: Management events are free for one copy of the trail. Data events (e.g., S3 object-level operations) incur additional charges. CloudTrail Insights (anomaly detection) is an optional paid feature.

AWS Audit Manager: Pay per resource assessment, i.e., per evidence item collected; the frameworks and assessment reports themselves carry no separate charge. A time-limited free trial is offered when you first enable the service.

AWS Service Catalog: No additional cost for the service itself; you pay for the underlying resources launched (e.g., EC2 instances).

Comparison to On-Premises or Competing Approaches

On-premises, you would need to manually configure logging, maintain compliance documentation, and conduct periodic audits. AWS automates these tasks: CloudTrail replaces manual log collection, Config replaces manual configuration checks, and Audit Manager replaces manual evidence gathering. Competing cloud providers (Azure, GCP) have similar services (Azure Policy, Cloud Audit Logs), but AWS's integration with a broad partner ecosystem and pre-built compliance frameworks is a differentiator.

When to Use Which Service

Use AWS Artifact when you need to download compliance reports for your own auditors or to sign agreements like the BAA.

Use AWS Config when you need to track resource configurations and enforce rules (e.g., 'S3 buckets must be private').

Use AWS CloudTrail when you need to audit API activity for security investigations or compliance.

Use AWS Audit Manager when you have recurring audits (e.g., SOC 2 annually) and want to automate evidence collection.

Use AWS Service Catalog when you want to provide a self-service portal for approved cloud resources while maintaining governance.

How They Work Together

Imagine a company that must comply with PCI DSS. They use AWS Artifact to download AWS's PCI attestation. They enable CloudTrail to log all API calls. They configure AWS Config rules to ensure that only approved AMIs are used and that security groups do not allow unrestricted inbound traffic. They use AWS Audit Manager with a PCI DSS framework to automatically collect evidence from CloudTrail and Config. Finally, they use AWS Service Catalog to publish pre-approved EC2 templates that meet PCI requirements. This integrated approach provides a comprehensive governance posture.

Walk-Through

1. Enable AWS CloudTrail

First, go to the AWS CloudTrail console and create a trail. A trail logs all management events (control-plane operations) by default. You can also enable data events for S3 objects, Lambda invocations, and other resources. Choose an S3 bucket to store logs and lock it down: a bucket policy that allows only the CloudTrail service principal to write, no public access, and no delete permission for everyday roles, so that someone who gains access to the account cannot erase the trail behind them. Turn on log file validation so CloudTrail produces signed digest files that let you detect whether a log file was modified or removed after delivery. CloudTrail typically delivers log files within about 5 minutes of the API call. Behind the scenes, CloudTrail captures API calls from the console, CLI, SDKs, and AWS services, recording the identity (IAM user or role), source IP, and request parameters. This is the foundation for all auditing. Default: one copy of management events is free, but data events incur costs.

2. Set up AWS Config

In the AWS Config console, enable the service and specify an S3 bucket for configuration snapshots and an SNS topic for notifications. AWS Config will automatically discover resources in your account. Then, create rules. For example, create a managed rule called 's3-bucket-public-read-prohibited' to check that no S3 bucket allows public read access. When a bucket becomes public, AWS Config changes its compliance status to non-compliant. Behind the scenes, Config continuously records configuration changes and evaluates them against rules. You can also set up automatic remediation using Systems Manager Automation documents.

3. Download reports from AWS Artifact

Navigate to the AWS Artifact console. You'll see two main sections: 'Reports' and 'Agreements'. Under Reports, you can download AWS's SOC reports, PCI attestation, ISO certifications, and more. Each report is issued by AWS's third-party auditors and is released to you under confidentiality terms that you accept before downloading. Under Agreements, you can review and accept agreements like the Business Associate Addendum (BAA) for HIPAA. An agreement can be accepted for a single account or, from the management account of an AWS Organization, for all member accounts at once. Reports cover a defined audit period and are refreshed regularly, so download a current copy for each audit rather than reusing last year's. You can also use the AWS Artifact API to automate downloads.

4. Create an AWS Audit Manager assessment

In the AWS Audit Manager console, choose a framework (e.g., 'PCI DSS v3.2.1') or create a custom one. Then, create an assessment. Select the AWS accounts and resources to include. Audit Manager will automatically start collecting evidence from CloudTrail, Config, Security Hub, and other sources. You can review the evidence and generate a report. The report maps each control to the evidence. Behind the scenes, Audit Manager uses pre-built data sources and automated evidence finders. You can also manually upload evidence. The assessment can be reused for future audits.

5. Publish products in AWS Service Catalog

As an administrator, go to the AWS Service Catalog console. Create a product, which is a CloudFormation template that defines a set of AWS resources (e.g., an EC2 instance with a specific security group). Then, create a portfolio and add the product to it. Grant access to end users (IAM users or roles). End users can then launch the product from the Service Catalog console, selecting parameters like instance type, but they cannot modify the underlying template. This enforces governance because users can only launch compliant resources. Service Catalog also supports versioning and constraints (e.g., limit allowed instance types).

What This Looks Like on the Job

Scenario 1: Healthcare Company under HIPAA

A healthcare startup needs to store patient health information (PHI) in AWS. They must comply with HIPAA. They start by accepting a Business Associate Addendum (BAA) via AWS Artifact and confine PHI to HIPAA-eligible services. They create a CloudTrail trail with S3 data events enabled for the buckets that hold PHI, so object-level reads and writes are logged, not just bucket-level management calls. They use AWS Config rules to ensure that those buckets are encrypted at rest (SSE-S3 or SSE-KMS) and reject plain-HTTP requests (the managed rule s3-bucket-ssl-requests-only). They also use AWS Audit Manager with a HIPAA framework to automatically collect evidence for audits. When an auditor requests proof of encryption, they generate a report from Audit Manager that includes Config snapshots and CloudTrail logs. Cost: one copy of CloudTrail management events is free, but the S3 data events are billed per event; Config rule evaluations cost a few dollars per month; Audit Manager is billed per resource assessment. Misconfiguration: if they leave the trail at its default of management events only, object-level access to PHI is never logged, and the access-audit requirement is unmet even though the trail looks healthy.

Scenario 2: Financial Services Firm with SOC 2

A fintech company must obtain a SOC 2 Type II report (SOC 2 is an auditor's attestation over a period, not a certification). They use AWS Artifact to download AWS's own SOC 2 report to cover the controls they inherit from AWS. They deploy the AWS Config PCI DSS conformance pack (its rules overlap heavily with SOC 2 controls) to monitor resource configurations. They enable CloudTrail Insights to detect unusual API activity. They use AWS Audit Manager with a custom SOC 2 framework to collect evidence on controls like access management and data encryption. The compliance team reviews the assessment monthly to ensure continuous compliance. When the external auditor arrives, they provide the Audit Manager report, which reduces audit preparation from weeks to days. Cost: CloudTrail Insights adds cost; Audit Manager is billed per resource assessment. Misconfiguration: if Config rules are not extended when new resource types are added, the assessment may miss misconfigurations in those resources.

Scenario 3: Enterprise with Multi-Account Governance

A large enterprise uses AWS Organizations to manage hundreds of accounts. They use AWS Service Catalog to deploy standardized VPCs and EC2 instances across all accounts. They use AWS Config aggregators to view compliance across all accounts from a single dashboard. They enable CloudTrail organization trail to log API calls from all accounts. They use AWS Audit Manager to run assessments across the entire organization. This unified approach ensures that all accounts adhere to the same governance policies. Cost: Config aggregator is free; CloudTrail organization trail is free for management events. Misconfiguration: If Service Catalog portfolios are not properly scoped, users in some accounts may launch non-approved resources.

How CLF-C02 Actually Tests This

What CLF-C02 Tests on This Objective

This objective falls under Domain 2: Security and Compliance (30% of the exam). Questions test your understanding of the shared responsibility model, the purpose of governance services, and how to use them to meet compliance requirements. Expect questions like: 'Which service would you use to download AWS SOC reports?' or 'Which service tracks API calls for auditing?'

Common Wrong Answers and Why Candidates Choose Them

1. AWS Config vs. CloudTrail: Many candidates confuse Config (configuration tracking) with CloudTrail (API logging). Wrong answer: 'Use AWS Config to see who deleted an S3 bucket.' Actually, CloudTrail records who made the delete API call; Config records the configuration change (e.g., bucket deletion).

2. AWS Artifact vs. AWS Audit Manager: Candidates think Artifact is for automated evidence collection. Wrong answer: 'Use AWS Artifact to automate audit evidence collection.' Actually, Artifact is a repository of AWS's audit reports and agreements; Audit Manager automates evidence collection.

3. Shared Responsibility: Candidates believe AWS is responsible for everything. Wrong answer: 'AWS is responsible for securing customer data.' Actually, AWS secures the cloud infrastructure; customers are responsible for data, IAM, and the guest OS.

4. AWS Service Catalog vs. AWS Config: Candidates think Service Catalog tracks configurations. Wrong answer: 'Use Service Catalog to enforce that all EC2 instances have a specific tag.' Actually, Service Catalog provides pre-approved templates; Config enforces rules.

Specific Terms That Appear on the Exam

AWS Artifact: 'Reports' and 'Agreements' sections.

AWS Config: 'Configuration items', 'configuration history', 'configuration snapshots', 'rules'.

AWS CloudTrail: 'Management events', 'data events', 'Insights', 'trail'.

AWS Audit Manager: 'Framework', 'assessment', 'evidence'.

Shared Responsibility Model: 'Security of the cloud' vs. 'security in the cloud'.

AWS Organizations: 'Service control policies (SCPs)' for governance.

Tricky Distinctions

CloudTrail vs. Config: CloudTrail logs *who* did *what*; Config records *what* the resource looks like. Both are needed for a complete audit trail.

Artifact vs. Audit Manager: Artifact gives you AWS's compliance documents; Audit Manager helps you prove *your* compliance.

Service Catalog vs. Launch Wizard: Service Catalog is for governance (pre-approved templates); Launch Wizard is for guided deployment without governance.

Decision Rule for Multiple-Choice Questions

If the question asks about downloading compliance reports or signing agreements, choose AWS Artifact. If it's about tracking API activity for auditing, choose CloudTrail. If it's about resource configuration compliance, choose AWS Config. If it's about automating audit evidence collection, choose AWS Audit Manager. If it's about providing a self-service portal for approved resources, choose AWS Service Catalog.

Key Takeaways

AWS Artifact provides on-demand access to AWS compliance reports (SOC, PCI, ISO) and agreements (BAA).

AWS CloudTrail logs API calls for auditing; management events are free, data events incur charges.

AWS Config tracks resource configuration changes and evaluates against rules; pay per configuration item and rule evaluation.

AWS Audit Manager automates evidence collection for audits; supports pre-built frameworks like PCI DSS and HIPAA.

AWS Service Catalog enables governance by providing pre-approved resource templates; no additional cost for the service.

The shared responsibility model: AWS secures the cloud; customer secures data, IAM, and guest OS.

For a complete audit trail, use both CloudTrail (who did what) and Config (what resources look like).

AWS Organizations Service Control Policies (SCPs) help enforce governance at the account level.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

AWS CloudTrail

Logs API activity (who, what, when, source IP).

Useful for security investigations and forensic analysis.

Records management events by default; data events optional.

Logs are stored in S3 and can be analyzed with Athena.

Does not track resource configuration state over time.

AWS Config

Tracks resource configuration changes and history.

Useful for compliance checks (e.g., 'is this resource compliant?').

Records configuration items for supported resources.

Provides configuration snapshots and timeline.

Does not log who made the change; use CloudTrail for identity.

Watch Out for These

Mistake

AWS Config can tell you who deleted an S3 bucket.

Correct

AWS Config records configuration changes (e.g., bucket deletion) but does not log who made the change. For identity information, you need AWS CloudTrail, which logs API calls with user identity.

Mistake

AWS Artifact automatically collects evidence for your audits.

Correct

AWS Artifact is a self-service portal for downloading pre-signed compliance reports and agreements. It does not collect evidence from your account. For automated evidence collection, use AWS Audit Manager.

Mistake

The shared responsibility model means AWS is responsible for all security.

Correct

AWS is responsible for security *of* the cloud (physical infrastructure, hypervisor). The customer is responsible for security *in* the cloud (data, IAM, OS updates, network configurations).

Mistake

CloudTrail logs all data events by default.

Correct

By default, CloudTrail logs management events only. Data events (e.g., S3 object-level operations, Lambda invocations) must be explicitly enabled and incur additional charges.

Mistake

AWS Service Catalog can enforce compliance rules on existing resources.

Correct

Service Catalog only governs resources launched through its catalog. It does not monitor or remediate resources created outside the catalog. Use AWS Config for ongoing compliance of all resources.

Frequently Asked Questions

What is the difference between AWS CloudTrail and AWS Config?

CloudTrail records API activity (who made a call, when, from where). Config records the configuration state of resources over time (e.g., what security groups are attached). For a complete audit, you need both: CloudTrail for identity, Config for configuration history. Exam tip: If the question mentions 'who deleted a resource', think CloudTrail. If it mentions 'resource compliance', think Config.

How do I download AWS compliance reports for my auditor?

Use AWS Artifact. Log in to the AWS Management Console, go to AWS Artifact, select 'Reports', and choose the report you need (e.g., SOC 2, PCI DSS). The report is pre-signed and can be downloaded directly. You can also use the AWS Artifact API to automate downloads. Exam tip: Remember that Artifact is for *downloading* reports, not for creating your own compliance evidence.

What is the Business Associate Addendum (BAA) in AWS?

A BAA is a contract required under HIPAA between a covered entity and a business associate. AWS offers a BAA via AWS Artifact. Once you accept it, you can use HIPAA-eligible AWS services to process protected health information (PHI); services not on the HIPAA-eligible list stay out of scope even with a BAA in place, and the eligible ones must still be configured correctly (encryption, logging, access control). Exam tip: The BAA is accessed through AWS Artifact under 'Agreements'.

Can AWS Config automatically remediate non-compliant resources?

Yes, AWS Config can trigger automatic remediation using AWS Systems Manager Automation documents. For example, if a rule detects an S3 bucket that is publicly accessible, Config can invoke an automation to make it private. This is optional and must be configured. Exam tip: Config itself only evaluates; remediation requires additional setup.

What is the purpose of AWS Audit Manager?

AWS Audit Manager helps you automate audit evidence collection. You define a framework (e.g., PCI DSS, HIPAA, or custom), and Audit Manager continuously gathers evidence from CloudTrail, Config, Security Hub, and other sources. It generates an assessment report that maps evidence to controls, reducing manual effort. Exam tip: Audit Manager is for *your* compliance, not for downloading AWS's reports.

How does AWS Service Catalog enforce governance?

AWS Service Catalog allows administrators to create a catalog of pre-approved IT services (products) defined as CloudFormation templates. End users can launch these products with limited parameter choices. This ensures that only compliant resources are deployed. For example, you can restrict EC2 instance types to only t3.micro. Exam tip: Service Catalog is about *provisioning* governance, not *ongoing* compliance.

What are Service Control Policies (SCPs) in AWS Organizations?

SCPs are a type of policy that define the maximum permissions for accounts in an organization. They allow you to centralize governance by restricting what services and actions member accounts can use. For example, you can deny access to non-compliant services, or deny the API calls that would disable your own governance tooling (stopping a trail, deleting a Config recorder). SCPs do not grant permissions; they are boundary policies, so a principal still needs an IAM policy that allows the action. They apply to every principal in a member account, including its root user, but they do not affect the organization's management account, which must be protected by other means. Exam tip: SCPs are used for governance at the organization level.
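The boundary-versus-grant distinction is easiest to see by running the evaluation. The Python below is an added example, not code from the page or from AWS: it implements a deliberately simplified version of the SCP and IAM evaluation logic (an action is allowed only if the identity policy allows it, every SCP layer on the account's path allows it, and nothing denies it; resources, conditions, resource policies and permission boundaries are ignored). The policy documents and OU layout are constructed; the FullAWSAccess name and the CloudTrail and Config action names are real.

```python
"""SCPs as a permission ceiling, not a grant.

Added example, not from the page. Simplified evaluation: an action is
allowed only if the IAM identity policy allows it AND every SCP layer on
the account's path (root, each OU, the account) allows it, with any
explicit Deny winning. Resources, conditions, resource policies and
permission boundaries are ignored. Policies and hierarchy are constructed.
"""
from fnmatch import fnmatchcase

# Mirrors the AWS-managed default SCP FullAWSAccess: it leaves the ceiling
# fully open but, being an SCP, grants nothing on its own.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}

# Constructed deny-list SCP protecting the governance services themselves.
DENY_AUDIT_TAMPERING = {"Statement": [{
    "Effect": "Deny",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
               "config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder"],
}]}

# Identity-based policies attached to principals inside a member account.
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
S3_READ_ONLY = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"]}]}


def _matches(patterns, action):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def policy_verdict(policy, action):
    """'deny', 'allow' or None (no statement matched) for one policy document."""
    verdict = None
    for stmt in policy.get("Statement", []):
        if _matches(stmt["Action"], action):
            if stmt["Effect"] == "Deny":
                return "deny"   # an explicit deny overrides any allow
            verdict = "allow"
    return verdict


def layer_allows(policies, action):
    """One SCP layer passes only if some attached SCP allows and none denies."""
    verdicts = [policy_verdict(p, action) for p in policies]
    return "deny" not in verdicts and "allow" in verdicts


def is_allowed(action, identity_policy, scp_layers):
    """Simplified effective-permission check for a principal in a member account."""
    if policy_verdict(identity_policy, action) != "allow":
        return False    # the SCP may permit it, but nobody granted it
    return all(layer_allows(layer, action) for layer in scp_layers)


# Constructed hierarchy: root carries only FullAWSAccess; the Workloads OU adds the deny-list.
ROOT_LAYER = [FULL_AWS_ACCESS]
WORKLOADS_OU_LAYER = [FULL_AWS_ACCESS, DENY_AUDIT_TAMPERING]
PATH_TO_WORKLOAD_ACCOUNT = [ROOT_LAYER, WORKLOADS_OU_LAYER]

if __name__ == "__main__":
    checks = [
        ("s3:GetObject", ADMIN), ("cloudtrail:StopLogging", ADMIN),
        ("s3:PutObject", S3_READ_ONLY), ("s3:ListBucket", S3_READ_ONLY),
    ]
    for action, policy in checks:
        print(f"{action:28s} -> {is_allowed(action, policy, PATH_TO_WORKLOAD_ACCOUNT)}")
```

The two results worth noticing: an account administrator with Allow * still cannot call cloudtrail:StopLogging because the OU's SCP denies it, and a principal with only s3:Get*/s3:List* cannot call s3:PutObject even though every SCP would permit it, because no identity policy granted it. Move the account out from under the Workloads OU and the deny disappears, which is why OU placement is itself a governance control.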
