CLF-C02 | Chapter 78 of 130 | Objective 2.4

AWS Compliance Programs (PCI, HIPAA, SOC)

This chapter covers AWS compliance programs, specifically PCI DSS, HIPAA, and SOC, which are critical for understanding how AWS helps customers meet regulatory and industry standards. For the CLF-C02 exam, this objective falls under Domain 2: Security and Compliance (approximately 24% of the exam), and understanding these programs is essential for answering questions about shared responsibility and compliance inheritance. By the end of this chapter, you will know what each program entails, which AWS services are in scope, and how to leverage AWS compliance artifacts to satisfy auditor requirements.

25 min read
Intermediate
Updated May 31, 2026

The Bank Vault & Auditor Analogy

Imagine you run a bank. To assure customers their money is safe, you install a massive vault with multiple locks, surveillance cameras, and access logs. But customers don't just take your word for it—they hire an independent auditor to inspect your vault, review your procedures, and issue a report certifying that your security meets industry standards. That report is like a SOC report. PCI DSS is like a specific set of rules for handling credit card data—you must follow them exactly, or you can't accept credit cards. HIPAA is like a set of rules for handling medical records—you must protect patient privacy. AWS compliance programs are like having a pre-audited vault that you can use. AWS itself undergoes these audits (SOC, PCI, HIPAA) and provides you with the reports and attestations. When you run your application on AWS, you inherit the compliance of the underlying infrastructure—the vault is already certified. But you still need to configure your own locks and procedures inside the vault to meet the same standards. AWS's responsibility is the security 'of' the cloud; your responsibility is security 'in' the cloud. The compliance programs help you prove to your customers and regulators that you're using a certified vault.

How It Actually Works

What Are AWS Compliance Programs?

AWS compliance programs are frameworks and certifications that demonstrate AWS's adherence to various security, privacy, and operational standards. These programs are validated by independent third-party auditors, and the resulting reports (e.g., SOC reports, PCI Attestation of Compliance) are made available to AWS customers through AWS Artifact. The key programs for the CLF-C02 exam are PCI DSS, HIPAA, and SOC. Understanding these is crucial because AWS customers often need to prove their own compliance to regulators or business partners. By using AWS services that are in scope for these programs, customers can inherit parts of the compliance posture, reducing their own audit burden.

How Compliance Programs Work

AWS undergoes audits against specific standards. For example, for PCI DSS, AWS engages a Qualified Security Assessor (QSA) to evaluate its infrastructure and operations against the 12 requirements of PCI DSS. The result is an Attestation of Compliance (AOC) and a Report on Compliance (ROC). These documents are available to customers in AWS Artifact. Customers can then use these documents as evidence for their own PCI DSS assessments. The key mechanism is the shared responsibility model: AWS is responsible for the security *of* the cloud (physical data centers, network, hypervisor), while the customer is responsible for security *in* the cloud (operating system, applications, customer data). Compliance programs align with this model: AWS's certifications cover the infrastructure layer, but customers must configure their own resources appropriately to remain compliant.

Key Tiers and Configurations

PCI DSS (Payment Card Industry Data Security Standard)

- Scope: AWS services that handle, process, or store cardholder data. AWS has validated over 100 services as PCI DSS compliant, including Amazon EC2, Amazon S3, Amazon RDS, AWS Lambda, and many more.
- Customer Responsibility: Customers must ensure that their applications and configurations meet PCI DSS requirements. For example, if you store cardholder data in S3, you must enable encryption (server-side or client-side), restrict access via IAM policies and bucket policies, enable logging (S3 Server Access Logs or AWS CloudTrail), and regularly review access.
- Validation: AWS provides a PCI DSS Attestation of Compliance (AOC) and a Responsibility Summary that outlines which requirements are inherited, which are shared, and which are customer-specific.
- Pricing: There is no additional cost to use PCI-compliant AWS services. However, you may incur costs for enabling features like AWS Config rules or CloudTrail for compliance monitoring.
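The customer-side PCI controls listed above (encryption, restricted access, logging) are the kind of thing the chapter later suggests enforcing with AWS Config rules. The following is an added example, not code from the chapter or from AWS: an evaluator in the style of an AWS Config custom rule that checks constructed S3 bucket records for default encryption, a full public access block, and server access logging, and reports COMPLIANT or NON_COMPLIANT with an annotation. The record shape, field names and bucket names are assumptions constructed for the example; the real Config configuration item schema differs.

```python
"""Added example (not from the chapter or from AWS): a Config-rule-style check
for the PCI customer-side S3 controls the chapter names. The bucket records
below are constructed; their field names are an assumed, simplified shape."""

# Constructed bucket records (assumed shape, not the real Config item schema).
SAMPLE_BUCKETS = [
    {
        "bucketName": "card-tx-logs-prod",
        "serverSideEncryption": {"sseAlgorithm": "aws:kms"},
        "publicAccessBlock": {"blockPublicAcls": True, "blockPublicPolicy": True,
                              "ignorePublicAcls": True, "restrictPublicBuckets": True},
        "loggingEnabled": True,
    },
    {
        "bucketName": "card-tx-backups",
        "serverSideEncryption": None,   # unencrypted backups: the chapter's "common mistake"
        "publicAccessBlock": {"blockPublicAcls": True, "blockPublicPolicy": False,
                              "ignorePublicAcls": True, "restrictPublicBuckets": True},
        "loggingEnabled": False,
    },
]

PUBLIC_ACCESS_FLAGS = ("blockPublicAcls", "blockPublicPolicy",
                       "ignorePublicAcls", "restrictPublicBuckets")


def check_encryption(bucket):
    """Default encryption must be SSE-S3 (AES256) or SSE-KMS."""
    sse = bucket.get("serverSideEncryption") or {}
    if sse.get("sseAlgorithm") in ("AES256", "aws:kms"):
        return None
    return "default encryption not enabled"


def check_public_access(bucket):
    """All four public access block settings must be on."""
    pab = bucket.get("publicAccessBlock") or {}
    missing = [flag for flag in PUBLIC_ACCESS_FLAGS if not pab.get(flag)]
    if not missing:
        return None
    return "public access not fully blocked: " + ", ".join(missing)


def check_logging(bucket):
    """Server access logging must be enabled so access can be reviewed."""
    return None if bucket.get("loggingEnabled") else "server access logging disabled"


CHECKS = (check_encryption, check_public_access, check_logging)


def evaluate_bucket(bucket):
    """Return (compliance_type, annotation) as a Config custom rule would report."""
    findings = []
    for check in CHECKS:
        message = check(bucket)
        if message:
            findings.append(message)
    if findings:
        return "NON_COMPLIANT", "; ".join(findings)
    return "COMPLIANT", "encryption, public access block and logging verified"


def evaluate_all(buckets):
    """Map each bucket name to its evaluation result."""
    return {b["bucketName"]: evaluate_bucket(b) for b in buckets}


if __name__ == "__main__":
    for name, (status, note) in evaluate_all(SAMPLE_BUCKETS).items():
        print(f"{name}: {status} ({note})")
```

Run as a script it prints one line per bucket; wired into a Lambda-backed Config rule, the same functions would produce the evaluations the rule sends back to Config, and the annotation text is what an assessor sees when reviewing the non-compliant resource.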

HIPAA (Health Insurance Portability and Accountability Act)

- Scope: HIPAA applies to covered entities (healthcare providers, health plans) and their business associates that handle Protected Health Information (PHI). AWS offers a Business Associate Agreement (BAA) to customers who need to store or process PHI. The BAA is a contract that extends AWS's HIPAA responsibilities to the customer.
- Eligible Services: Only services listed in the AWS HIPAA Eligible Services Reference are permitted for PHI. As of 2024, over 140 services are HIPAA eligible, including Amazon EC2, Amazon S3, Amazon DynamoDB, Amazon Redshift, and AWS Lambda. Services not listed (e.g., Amazon Route 53, Amazon CloudFront by default) are NOT HIPAA eligible and should not be used with PHI.
- Customer Responsibility: Customers must configure services according to HIPAA Security Rule requirements: enable encryption at rest and in transit, implement access controls, enable logging and monitoring, and conduct regular risk assessments. AWS provides a HIPAA Security Rule Mapping document to help.
- Getting a BAA: You must sign a BAA via AWS Artifact before you can store PHI. The BAA is free but requires you to use only HIPAA eligible services for PHI workloads.
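The eligible-services restriction is easy to state and easy to drift from, so it is worth a detective control. The block below is an added example, not code from the chapter or from AWS: it scans constructed CloudTrail-style records and flags API calls that principals inside the PHI boundary made to services outside an eligible-services allow-list. Assumptions: the allow-list is a constructed sample naming only the services the chapter itself calls eligible (a real deployment loads the current AWS HIPAA Eligible Services Reference), PHI workloads are identified by IAM role names beginning with "phi-", and the log records, account ID and role names are constructed.

```python
"""Added example (not from the chapter or from AWS): flag API activity by PHI
principals against services outside a HIPAA-eligible allow-list. The allow-list,
the "phi-" naming convention and the CloudTrail records are all constructed."""

import json

# Constructed allow-list: placeholder for the AWS HIPAA Eligible Services Reference.
ELIGIBLE_EVENT_SOURCES = {
    "ec2.amazonaws.com",
    "s3.amazonaws.com",
    "dynamodb.amazonaws.com",
    "redshift.amazonaws.com",
    "lambda.amazonaws.com",
}

PHI_ROLE_PREFIX = "phi-"  # assumed naming convention for roles inside the PHI boundary

# Constructed CloudTrail-style records (only the fields the check reads).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/phi-api-role/i-0example"}},
    {"eventSource": "route53.amazonaws.com", "eventName": "ChangeResourceRecordSets",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/phi-api-role/i-0example"}},
    {"eventSource": "route53.amazonaws.com", "eventName": "ChangeResourceRecordSets",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/marketing-site-admin"}},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "PutItem",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/phi-worker-role/session1"}},
]})


def principal_name(user_identity):
    """Extract the role or user name from a CloudTrail userIdentity ARN."""
    arn = user_identity.get("arn", "")
    parts = arn.split("/")
    return parts[1] if len(parts) > 1 else arn


def find_ineligible_usage(trail_json, eligible=ELIGIBLE_EVENT_SOURCES,
                          phi_prefix=PHI_ROLE_PREFIX):
    """Return one finding per API call a PHI principal made to a service outside
    the allow-list. Calls by non-PHI principals are ignored: the BAA constraint
    is about where PHI goes, not about every service used in the account."""
    findings = []
    for record in json.loads(trail_json)["Records"]:
        principal = principal_name(record.get("userIdentity", {}))
        if not principal.startswith(phi_prefix):
            continue
        source = record.get("eventSource", "")
        if source not in eligible:
            findings.append({
                "principal": principal,
                "service": source.split(".")[0],
                "eventName": record.get("eventName"),
                "reason": "service not on the HIPAA-eligible allow-list",
            })
    return findings


if __name__ == "__main__":
    for f in find_ineligible_usage(SAMPLE_TRAIL):
        print(f"{f['principal']} called {f['service']}:{f['eventName']} -> {f['reason']}")
```

With the constructed input, only the Route 53 call made by the phi-api-role is reported; the same call from the marketing user is out of scope, and the S3 and DynamoDB calls are on the allow-list. Scoping by principal rather than by service alone keeps the finding tied to the BAA obligation the chapter describes.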

SOC (System and Organization Controls)

- Types: SOC 1 (financial reporting), SOC 2 (security, availability, processing integrity, confidentiality, privacy), and SOC 3 (general use report). SOC 2 is the most common for security-focused audits.
- Scope: AWS undergoes SOC audits for its infrastructure and services. The SOC reports are available to customers under NDA via AWS Artifact. These reports cover controls related to security, availability, and confidentiality.
- Customer Benefit: Customers can use SOC reports to support their own SOC audits. For example, if you are a SaaS provider and need SOC 2 Type II certification, you can rely on the AWS SOC 2 Type II report for the underlying infrastructure.
- Key Difference: SOC reports are not certifications but attestations. They describe controls in place and test their effectiveness over a period (Type I: point-in-time; Type II: over a period, usually 6-12 months).

Comparison to On-Premises

On-premises, the organization is entirely responsible for all compliance requirements: physical security, network security, encryption, access controls, logging, and auditing. With AWS, the organization inherits compliance for the physical layer but must still manage the logical layer. The advantage is that AWS already has the certifications and reports, saving the organization the cost and effort of building and auditing its own data centers. However, the customer must still ensure their own configurations comply. For example, an on-premises data center might need to be PCI DSS certified from the ground up, while on AWS, the customer only needs to configure their services correctly and can reference AWS's AOC.

When to Use Which Program

PCI DSS: Use when your application processes, stores, or transmits credit card data. You must ensure all services used are PCI DSS compliant and configured per PCI requirements.

HIPAA: Use when your application handles Protected Health Information (PHI). You must sign a BAA with AWS and use only HIPAA eligible services.

SOC: Use when your customers or auditors require independent assurance of AWS's controls. Often used by SaaS companies to demonstrate security posture to enterprise customers.

In many cases, an organization may need to comply with multiple standards. AWS provides a single set of reports that can be used across different audits.

Walk-Through

1. Access AWS Artifact

AWS Artifact is the central repository for AWS compliance reports and agreements. To start, log in to the AWS Management Console and navigate to AWS Artifact. Here you can browse available reports, such as SOC reports, PCI DSS AOC, and HIPAA BAA. You can also download agreements like the Business Associate Addendum (BAA) for HIPAA. AWS Artifact provides a self-service portal where you can view, download, and manage these documents without contacting AWS support. Note that some reports require you to accept an NDA before downloading.

2. Review the Shared Responsibility Matrix

3. Configure Services for Compliance

Based on the Responsibility Matrix, configure your AWS services to meet your compliance requirements. For PCI DSS, ensure encryption is enabled (e.g., S3 default encryption, EBS encryption), enable CloudTrail for logging API calls, enable VPC Flow Logs, and set up AWS Config rules to enforce compliance policies. For HIPAA, use only HIPAA eligible services and enable encryption at rest and in transit. For SOC, you may need to implement specific controls like access reviews and incident response procedures. AWS provides automated tools like AWS Config and AWS Security Hub to help monitor compliance.
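Encryption in transit and at rest for a bucket is usually enforced with a bucket policy rather than left to client discipline. The block below is an added example, not code from the chapter or from AWS documentation: it builds a bucket policy that denies non-TLS requests and PutObject calls that do not request SSE-KMS, and pairs it with a deliberately small condition evaluator (an assumption for illustration, not IAM's real policy engine; it ignores Resource matching and the Allow side) so you can see which constructed requests the policy would reject. The bucket name is a placeholder; the condition keys aws:SecureTransport and s3:x-amz-server-side-encryption are real IAM condition keys.

```python
"""Added example (not from the chapter or from AWS): an S3 bucket policy for the
step-3 "encryption in transit and at rest" requirement, with a simplified
condition evaluator (assumed, not IAM's engine) over constructed requests."""

import json


def build_phi_bucket_policy(bucket):
    """Return a Deny-only bucket policy enforcing TLS and SSE-KMS on uploads."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # in transit: deny every request that did not arrive over TLS
                "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
                "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # at rest: deny uploads that ask for an algorithm other than SSE-KMS
                "Sid": "DenyNonKmsEncryption", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": f"{arn}/*",
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # at rest: deny uploads that send no encryption header at all
                "Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": f"{arn}/*",
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def _condition_matches(operator, key, expected, context):
    """Simplified semantics for the three operators this policy uses."""
    actual = context.get(key)
    if operator == "Bool":
        return actual is not None and actual.lower() == expected.lower()
    if operator == "Null":  # "true" means "the key is absent from the request"
        return (actual is None) == (expected == "true")
    if operator == "StringNotEquals":  # an absent key does not match (hence the Null statement)
        return actual is not None and actual != expected
    raise ValueError(f"operator {operator} not modelled in this example")


def _action_matches(pattern, action):
    """Exact match or trailing-wildcard prefix match, e.g. s3:* vs s3:GetObject."""
    return pattern == action or (pattern.endswith("*") and action.startswith(pattern[:-1]))


def denied_by(policy, action, context):
    """Return the Sid of the first Deny statement matching the request, or None."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_action_matches(a, action) for a in actions):
            continue
        conditions = [(op, k, v) for op, kv in stmt["Condition"].items() for k, v in kv.items()]
        if all(_condition_matches(op, k, v, context) for op, k, v in conditions):
            return stmt["Sid"]
    return None


# Constructed request contexts, mirroring the condition keys IAM would populate.
SAMPLE_REQUESTS = {
    "plaintext_get": ("s3:GetObject", {"aws:SecureTransport": "false"}),
    "tls_kms_put": ("s3:PutObject", {"aws:SecureTransport": "true",
                                     "s3:x-amz-server-side-encryption": "aws:kms"}),
    "tls_put_no_header": ("s3:PutObject", {"aws:SecureTransport": "true"}),
    "tls_sse_s3_put": ("s3:PutObject", {"aws:SecureTransport": "true",
                                        "s3:x-amz-server-side-encryption": "AES256"}),
}


if __name__ == "__main__":
    policy = build_phi_bucket_policy("example-phi-bucket")  # placeholder bucket name
    print(json.dumps(policy, indent=2))
    for name, (action, ctx) in SAMPLE_REQUESTS.items():
        print(f"{name}: {denied_by(policy, action, ctx) or 'allowed by this policy'}")
```

Two points worth noting. The header-based statements require every client to request SSE-KMS explicitly, so pair them with the bucket's default encryption set to SSE-KMS and test your upload paths before rolling out. And a Deny-only policy grants nothing: the Allow side still comes from IAM policies on the principals, which is where the access restriction the chapter lists belongs.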

4. Sign a Business Associate Agreement (HIPAA)

If you handle PHI, you must sign a BAA with AWS. Go to AWS Artifact, select 'Agreements', and then 'Business Associate Addendum'. Review and accept the agreement. Once signed, you are authorized to use HIPAA eligible services for PHI workloads. Remember, the BAA is a legal contract that extends AWS's HIPAA responsibilities to you. You must ensure that you do not use non-eligible services for PHI; otherwise, you violate the BAA.

5. Provide Reports to Auditors

When your organization undergoes an audit (e.g., for SOC 2 or PCI DSS), you can provide the AWS compliance reports as evidence for the infrastructure layer. For example, you can share the AWS SOC 2 Type II report with your auditor to demonstrate that AWS has appropriate controls in place for physical security and data center operations. Similarly, the PCI DSS AOC can be used to show that the underlying infrastructure is PCI compliant. This reduces the scope of your audit and saves time and cost.

What This Looks Like on the Job

Scenario 1: E-commerce Startup Handling Credit Cards

A small e-commerce startup wants to accept credit card payments directly on their website. They need to be PCI DSS compliant. They choose to use AWS services like EC2 for the application server, RDS for the database, and S3 for storing transaction logs. They use AWS Artifact to download the PCI DSS AOC and Responsibility Summary. The development team ensures that all cardholder data is encrypted at rest using S3 default encryption and RDS encryption, and they enable CloudTrail and VPC Flow Logs for auditing. They also restrict access using IAM roles and security groups. During their PCI assessment, the QSA reviews their architecture and the AWS reports. Because they used PCI-compliant services and followed the Responsibility Matrix, the assessment is straightforward. However, a common mistake is forgetting to encrypt backups or not enabling logging, which could lead to non-compliance. The startup also saves costs by not needing to build a physically secure data center.

Scenario 2: Healthcare SaaS Provider

A healthcare SaaS provider stores patient health records (PHI) in AWS. They sign a BAA via AWS Artifact. They use HIPAA eligible services such as DynamoDB (with encryption at rest), EC2 (with encrypted EBS volumes), and Lambda (with environment variables encrypted). They set up AWS Config rules to ensure that only HIPAA eligible services are used and that encryption is enabled. They also use AWS CloudTrail and Amazon GuardDuty for monitoring. The provider's auditor requests the AWS HIPAA Security Rule Mapping and the BAA. The provider provides these along with their own configuration evidence. One pitfall is that the provider might accidentally use a non-eligible service like Amazon Route 53 for DNS resolution of PHI endpoints—Route 53 is not HIPAA eligible, so they must use a different approach (e.g., using a custom DNS server on EC2). The cost of compliance is minimal because the AWS services themselves are pay-as-you-go, but there is additional cost for AWS Config rules and CloudTrail.

Scenario 3: SaaS Company Seeking SOC 2 Type II

A B2B SaaS company needs SOC 2 Type II certification to win enterprise customers. They use AWS for their infrastructure. They download the AWS SOC 2 Type II report from AWS Artifact and provide it to their auditor as evidence for the physical and environmental controls. The auditor then focuses on the application-level controls (e.g., authentication, authorization, data encryption at rest and in transit, logging). The company uses AWS CloudTrail, AWS Config, and AWS Security Hub to automate compliance monitoring. They also implement IAM policies and encryption. A common mistake is assuming that the AWS SOC report covers the entire application, but the customer is still responsible for their own controls. The cost of the SOC audit itself is separate from AWS costs, but using AWS reduces the audit scope and thus the cost of the audit.

How CLF-C02 Actually Tests This

What CLF-C02 Tests

This objective (2.4) tests your understanding of AWS compliance programs, specifically PCI DSS, HIPAA, and SOC. You need to know:

What each program is and what it covers.

The shared responsibility model as it applies to compliance.

How customers use AWS Artifact to access compliance reports and agreements.

Which services are in scope for each program (e.g., HIPAA eligible services).

The difference between SOC 1, SOC 2, and SOC 3.

The purpose of a BAA for HIPAA.

Common Wrong Answers and Why Candidates Choose Them

1. "AWS is fully responsible for all compliance requirements." This is wrong because the shared responsibility model means the customer is responsible for security *in* the cloud. Candidates often think that because AWS has certifications, the customer is automatically compliant. Reality: The customer must still configure their resources correctly.

2. "All AWS services are HIPAA eligible." Wrong. Only services listed in the HIPAA Eligible Services Reference are allowed for PHI. Candidates might assume that because AWS is HIPAA compliant, any service can be used. Reality: Many services like Amazon CloudFront (default) and Amazon Route 53 are not eligible.

3. "SOC reports are certifications." Wrong. SOC reports are attestations, not certifications. Candidates confuse SOC with ISO 27001, which is a certification. Reality: SOC reports describe controls and their effectiveness.

4. "You need to pay extra for PCI compliant services." Wrong. There is no additional fee for using PCI-compliant AWS services. Candidates might think compliance costs extra. Reality: You pay for the services you use, not for the compliance designation.

Specific Terms That Appear on the Exam

AWS Artifact: The service for accessing compliance reports and agreements.

BAA (Business Associate Addendum): Required for HIPAA workloads.

PCI DSS AOC (Attestation of Compliance): Document proving PCI compliance.

SOC 2 Type II: Report over a period of time, most common for security.

HIPAA Eligible Services: The list of services that can be used with PHI.

Tricky Distinctions

SOC 1 vs SOC 2: SOC 1 is for financial reporting controls; SOC 2 is for security, availability, processing integrity, confidentiality, and privacy. The exam may ask which is relevant for a security-focused audit (SOC 2).

Type I vs Type II: Type I is a point-in-time report; Type II covers a period (usually 6-12 months). Type II is more rigorous.

Decision Rule for Multiple-Choice Questions

When asked about compliance responsibilities, always think shared responsibility. If the question involves PHI, look for BAA and HIPAA eligible services. If it involves credit cards, look for PCI DSS. If it involves a report for customers, think SOC. Eliminate options that claim AWS is fully responsible or that all services are in scope.

Key Takeaways

AWS compliance programs (PCI DSS, HIPAA, SOC) provide certifications and reports that customers can use to satisfy their own compliance requirements.

AWS Artifact is the central repository for downloading compliance reports (e.g., SOC reports, PCI AOC) and signing agreements (e.g., BAA).

The shared responsibility model applies to compliance: AWS is responsible for the infrastructure, customers are responsible for their configurations.

For HIPAA, only services listed in the HIPAA Eligible Services Reference can be used with PHI; a BAA must be signed.

SOC 2 Type II is the most common report for security controls; SOC 1 is for financial reporting.

There is no extra cost for using PCI-compliant or HIPAA-eligible services; you pay only for the services you use.

PCI DSS requires 12 requirements including encryption, access control, and logging; customers must configure their services accordingly.

SOC reports are attestations, not certifications; they describe controls over a period (Type II) or at a point in time (Type I).

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

PCI DSS

Applies to any organization handling credit card data

12 requirements covering network security, access control, encryption, monitoring, etc.

Requires annual assessment by a QSA or self-assessment

Any AWS service can be used, but it must be configured per PCI requirements; only validated services are in scope for the AWS AOC

No contractual agreement needed; AWS provides AOC and Responsibility Summary

HIPAA

Applies to covered entities and business associates handling PHI

Security Rule has administrative, physical, and technical safeguards

Requires periodic risk assessments and BAA with AWS

Only HIPAA eligible services can be used for PHI

Must sign a BAA via AWS Artifact before storing PHI

Watch Out for These

Mistake

If I use AWS, I automatically comply with PCI DSS, HIPAA, and SOC.

Correct

AWS provides the infrastructure certifications, but you must configure your own resources correctly. For example, you must enable encryption, restrict access, and enable logging. You are not automatically compliant; you inherit only the infrastructure layer compliance.

Mistake

All AWS services are HIPAA eligible.

Correct

Only services listed in the AWS HIPAA Eligible Services Reference are permitted for PHI. Services not on the list, such as Amazon CloudFront (unless using dedicated IP/SSL) or Amazon Route 53, cannot be used with PHI without violating the BAA.

Mistake

SOC reports are certifications like ISO 27001.

Correct

SOC reports are attestations, not certifications. They describe controls and test their effectiveness but do not certify compliance. ISO 27001 is a certification that requires an external audit and a certificate.

Mistake

You must pay extra to use PCI DSS compliant services.

Correct

There is no additional fee for using PCI-compliant AWS services. You pay only for the services you consume. The compliance designation is built into the service.

Mistake

The AWS PCI DSS AOC covers the customer's entire application.

Correct

The AOC covers only the AWS infrastructure. The customer is responsible for their own applications, configurations, and data handling practices. The AOC is just one piece of evidence for the customer's overall PCI assessment.

Frequently Asked Questions

What is AWS Artifact and how do I use it for compliance?

AWS Artifact is a self-service portal where you can download AWS compliance reports and manage agreements. To use it, log into the AWS Management Console, search for 'Artifact', and browse available reports such as SOC 2 Type II, PCI DSS AOC, and ISO 27001 certificate. You can also sign agreements like the Business Associate Addendum (BAA) for HIPAA. For the CLF-C02 exam, remember that AWS Artifact is the go-to place for compliance documentation.

What is the difference between SOC 1, SOC 2, and SOC 3?

SOC 1 reports focus on controls relevant to financial reporting. SOC 2 reports focus on controls related to security, availability, processing integrity, confidentiality, and privacy. SOC 3 is a general-use version of SOC 2 that can be distributed publicly without an NDA. For the exam, know that SOC 2 is the most common for security audits and that Type II covers a period of time.

Do I need to sign a BAA with AWS for HIPAA compliance?

Yes, if you are a covered entity or business associate and you intend to store or process Protected Health Information (PHI) on AWS, you must sign a Business Associate Addendum (BAA) via AWS Artifact. The BAA is a legal contract that extends AWS's HIPAA responsibilities to you. Without a signed BAA, you cannot use AWS for PHI workloads, even if you use HIPAA eligible services.

Can I use any AWS service for PCI DSS workloads?

Technically, you can use any AWS service, but only services that have been validated as PCI DSS compliant should be used for cardholder data. AWS provides a list of PCI DSS compliant services. Using non-validated services may increase your audit scope and require additional controls. For simplicity, it's best to use only services listed in the PCI DSS compliance scope. The exam may test that you should use validated services.

What is the AWS shared responsibility model in the context of compliance?

AWS is responsible for the security 'of' the cloud, meaning the physical data centers, network, and hypervisor. The customer is responsible for security 'in' the cloud, meaning their operating systems, applications, and data. For compliance, AWS provides certifications for the infrastructure layer, but the customer must ensure their configurations meet the relevant standards (e.g., enabling encryption, managing access). The exam often tests this distinction.

How often are AWS SOC reports updated?

AWS SOC reports are typically updated annually. For example, SOC 2 Type II reports cover a 12-month period. You can download the latest report from AWS Artifact. The exam may ask about the period covered (e.g., Type II covers a period, Type I is a point in time).

What happens if I use a non-HIPAA eligible service for PHI?

Using a non-HIPAA eligible service for PHI violates the BAA and could result in non-compliance with HIPAA. AWS may terminate the BAA if you misuse services. You must ensure that all services used for PHI are on the HIPAA Eligible Services Reference list. For example, Amazon Route 53 is not eligible, so you should not use it to resolve DNS for PHI endpoints.
