CLF-C02, Chapter 79 of 130, Objective 2.4

Non-Compliance Risks on AWS

This chapter covers non-compliance risks on AWS, a critical topic for the CLF-C02 exam under Domain 2: Security and Compliance, Objective 2.4 (10-15% of exam). Understanding these risks helps you identify how misconfigurations, lack of controls, and audit failures can lead to data breaches, fines, or loss of customer trust. We'll explore real AWS services like AWS Config, GuardDuty, and Security Hub, and show you exactly what the exam tests about compliance failures.

25 min read
Beginner
Updated May 31, 2026

The Unlocked Bank Vault Door

Imagine you run a bank. You hire a security company (AWS) to build a vault and manage access. The vault has multiple layers: a front door, a hallway, an inner door, and the safe deposit boxes. You, as the bank owner, are responsible for setting policies: who gets keys, when they can enter, and what they can touch. AWS provides the physical structure, alarms, and monitoring, but if you leave the inner door unlocked or give a key to someone who doesn't need it, you are non-compliant. Even if the security company's cameras work perfectly, you still face fines from regulators because you failed to follow your own access rules. In AWS, this is the Shared Responsibility Model: AWS secures the cloud (the building), but you secure what's inside (the vault contents). Non-compliance occurs when you fail to configure your part correctly—like leaving an S3 bucket public (unlocked door) or not encrypting data (no lock on deposit boxes). The mechanism is that AWS provides tools (like AWS Config, IAM, CloudTrail) to help you lock doors and monitor who enters, but you must actually use them. If you don't, you face penalties, just like a bank fined for a security breach caused by owner negligence.

How It Actually Works

What Are Non-Compliance Risks and Why Do They Matter?

Non-compliance risks refer to the potential for failing to meet regulatory, legal, or internal security standards when using AWS. The cloud does not automatically make you compliant; you must actively configure services to adhere to frameworks like GDPR, HIPAA, PCI DSS, or SOC 2. AWS operates under a Shared Responsibility Model: AWS is responsible for the security OF the cloud (physical infrastructure, hypervisor, network), while you are responsible for security IN the cloud (data, configurations, access management). Non-compliance occurs when you neglect your part—for example, leaving an S3 bucket publicly accessible, failing to encrypt data at rest, or not rotating IAM keys.

How Non-Compliance Happens: The Mechanism

Non-compliance typically arises from three root causes:

1. Misconfiguration: Incorrectly setting service parameters. Example: Creating an S3 bucket with a bucket policy that allows s3:GetObject from Principal: "*". This makes all objects readable by anyone on the internet. AWS defaults are often secure (e.g., S3 blocks public access by default), but if you explicitly override them, you introduce risk.

2. Lack of Auditing and Monitoring: Not enabling services that track changes or detect threats. AWS Config records resource configurations and evaluates them against rules. If you don't enable AWS Config or set up rules, you won't know when a security group opens port 22 to 0.0.0.0/0. Similarly, CloudTrail logs API calls; without it, you can't audit who made changes.

3. Insufficient Access Controls: Overly permissive IAM policies or not using least privilege. For example, granting AdministratorAccess to a developer who only needs to read logs. This increases the blast radius of a compromised account.
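The three root causes above each correspond to a check you can express in a few lines. The script below is an added example written for this chapter, not AWS code and not the implementation of the managed Config rules (those run inside AWS and handle more cases); it re-implements the core of each check locally against constructed sample documents shaped like the real S3 bucket policy, EC2 security group and IAM policy JSON. The bucket policy check ignores Condition blocks on purpose, so it errs toward flagging.

```python
import ipaddress


def _as_list(value):
    """IAM and S3 policy documents allow a scalar or a list in most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """Principal "*" or {"AWS": "*"} means anyone, including anonymous callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def bucket_policy_allows_public_read(policy):
    """True if an Allow statement grants s3:GetObject (or s3:* / *) to everyone.
    Conditions are ignored, so this is deliberately conservative: a statement that a
    Condition actually restricts is still flagged and should be reviewed by a person."""
    read_actions = {"s3:getobject", "s3:*", "*"}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & read_actions:
            return True
    return False


def security_group_exposes_port(sg, port):
    """True if an ingress rule lets the whole internet (0.0.0.0/0 or ::/0) reach `port` over TCP."""
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("-1", "tcp"):          # "-1" is "all traffic"
            continue
        if proto == "tcp" and not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        # A /0 prefix is the whole address space, i.e. "from anywhere".
        if any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs):
            return True
    return False


def iam_policy_grants_admin(policy):
    """True if an Allow statement has Action "*" on Resource "*" (the AdministratorAccess shape)."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            return True
    return False


# Constructed sample documents (account id, bucket and group id are placeholders).
PUBLIC_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]}
PRIVATE_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/ReportReader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
OPEN_SSH_SG = {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def evaluate_samples():
    """Run the three checks and report per-rule status in Config's vocabulary."""
    def status(flag):
        return "NON_COMPLIANT" if flag else "COMPLIANT"
    return {
        "s3-bucket-public-read-prohibited": status(bucket_policy_allows_public_read(PUBLIC_BUCKET_POLICY)),
        "restricted-common-ports (22)": status(security_group_exposes_port(OPEN_SSH_SG, 22)),
        "least-privilege (custom rule)": status(iam_policy_grants_admin(ADMIN_POLICY)),
    }


if __name__ == "__main__":
    for rule, result in evaluate_samples().items():
        print(f"{rule}: {result}")
```

Port 443 open to the world is not flagged for port 22, which is the point of a port-specific rule: an HTTPS listener behind a load balancer is expected to be public, an SSH port is not.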

Key AWS Services for Managing Compliance

AWS Config: A service that evaluates your AWS resource configurations against desired policies. It uses managed rules (e.g., s3-bucket-public-read-prohibited) or custom rules (Lambda functions) to check compliance. You get a compliance score and history of changes. Pricing: $0.003 per configuration item recorded per region, plus $0.001 per rule evaluation per region (free tier: 10,000 evaluations/month).

AWS CloudTrail: Records all API calls made in your account. Essential for auditing and forensic analysis. By default, management events are logged for 90 days in CloudTrail Event History. For longer retention and data events (e.g., S3 GetObject), you need a trail delivering logs to S3. Pricing: $2.00 per 100,000 management events; $0.10 per 100,000 data events (first 200,000 data events free).

AWS Security Hub: Aggregates findings from multiple services (GuardDuty, Inspector, Macie, etc.) and provides a compliance score against standards like CIS AWS Foundations, PCI DSS, and AWS Foundational Security Best Practices. It helps you prioritize remediation.

Amazon GuardDuty: A threat detection service that uses machine learning to identify malicious activity. It monitors CloudTrail logs, VPC Flow Logs, and DNS logs. Findings can indicate non-compliance (e.g., an EC2 instance communicating with a known malicious IP).

AWS Audit Manager: Helps continuously audit your AWS usage to simplify compliance with regulations. It automates evidence collection and creates reports.

Comparison to On-Premises

In on-premises environments, you own the entire stack, so you have full control but also full responsibility. Compliance often involves manual audits, spreadsheets, and physical inspections. In AWS, many compliance controls are automated, but you must configure them. The risk shifts from physical security to configuration errors. For example, an on-premises firewall misconfiguration might be caught during a manual review, but in AWS, a misconfigured security group can be exposed to the internet within seconds. AWS provides tools to detect misconfigurations, but they are opt-in.

When to Use Each Service

Use AWS Config when you need continuous monitoring of resource configurations against internal or external standards. It's ideal for compliance frameworks that require evidence of configuration history.

Use CloudTrail for all accounts to capture API activity. It's mandatory for most compliance programs.

Use Security Hub if you need a single pane of glass for security alerts and compliance status across multiple accounts (via AWS Organizations).

Use GuardDuty for threat detection; it complements Config by finding active threats rather than just misconfigurations.

Common Compliance Frameworks and AWS Support

HIPAA: Requires encryption of protected health information (PHI). AWS provides HIPAA-eligible services (e.g., S3 with SSE-S3 or SSE-KMS). You must sign a Business Associate Addendum (BAA). Non-compliance risk: storing PHI in a non-encrypted S3 bucket.

PCI DSS: For credit card data. Requires network segmentation, access control, and logging. AWS Config has managed rules for PCI (e.g., restricted-common-ports). Non-compliance risk: allowing SSH from 0.0.0.0/0 on a cardholder data environment.

GDPR: Requires data protection by design. AWS Artifact provides reports. Non-compliance risk: not enabling encryption or not deleting data upon request.

The Cost of Non-Compliance

Non-compliance can lead to financial penalties (e.g., GDPR fines up to 4% of global revenue), legal liability, reputational damage, and loss of business. On AWS, you may also face service disruptions if AWS suspends your account due to abuse (e.g., an open S3 bucket hosting malware). The exam focuses on identifying risky configurations and knowing which services mitigate them.

Walk-Through

1. Enable AWS Config

Go to the AWS Config console and click 'Get started'. Choose to record all resources or a subset. Set up an S3 bucket to store configuration history and an SNS topic for notifications. Then add rules: you can use AWS managed rules like 's3-bucket-public-read-prohibited' or create custom rules using AWS Lambda. AWS Config will start evaluating your resources against these rules. Behind the scenes, AWS Config uses a configuration recorder that snapshots resource configurations at intervals (default: every 1 hour). Each snapshot is a configuration item (CI). You pay $0.003 per CI per region. Important: AWS Config does not prevent non-compliance; it only detects and reports it.

2. Review Compliance Dashboard

After enabling AWS Config and adding rules, the dashboard shows overall compliance status (compliant, non-compliant, or insufficient data). You can filter by rule or resource. For each non-compliant resource, you see the specific violation (e.g., 'S3 bucket policy allows public access'). You can click to see the resource's configuration timeline. This helps you understand when the non-compliance started. AWS Config also provides remediation actions: you can set up automatic remediation using Systems Manager Automation documents. For example, you can create a remediation that automatically applies a bucket policy to block public access. However, automatic remediation can have unintended consequences, so test thoroughly.
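Steps 1 and 2 mention custom rules written as Lambda functions and the evaluations that feed the dashboard. The code below is an added example for this chapter (not AWS code) showing the shape of such a function: it receives the Config invocation event, checks whether all four S3 Block Public Access settings are on, and reports COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE through PutEvaluations. The layout of the invocation event (invokingEvent as a JSON string holding configurationItem) and the PutEvaluations call are the Config custom-rule contract; the exact key and casing of the Block Public Access block inside supplementaryConfiguration is an assumption here, so keys are normalised to lower case. The Config client is injected so the function runs offline; inside Lambda you would pass boto3.client("config").

```python
import json

RESOURCE_TYPE = "AWS::S3::Bucket"
# The four S3 Block Public Access settings; all must be on for the bucket to pass.
REQUIRED_FLAGS = ("blockpublicacls", "ignorepublicacls", "blockpublicpolicy", "restrictpublicbuckets")


def _public_access_block(config_item):
    """Extract the Block Public Access settings from a configuration item.
    Key name and casing are assumptions, hence the lower-casing."""
    supp = config_item.get("supplementaryConfiguration") or {}
    block = supp.get("PublicAccessBlockConfiguration")
    if isinstance(block, str):            # supplementary blocks often arrive as JSON strings
        block = json.loads(block)
    return {k.lower(): v for k, v in (block or {}).items()}


def evaluate_bucket(config_item):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if config_item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "Resource no longer exists"
    if config_item.get("resourceType") != RESOURCE_TYPE:
        return "NOT_APPLICABLE", "Rule evaluates S3 buckets only"
    block = _public_access_block(config_item)
    missing = [f for f in REQUIRED_FLAGS if block.get(f) is not True]
    if missing:
        return "NON_COMPLIANT", "Block Public Access settings off: " + ", ".join(missing)
    return "COMPLIANT", "All four Block Public Access settings are enabled"


def lambda_handler(event, context, config_client=None):
    """Entry point in the shape Config invokes a custom rule with."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    compliance, note = evaluate_bucket(item)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],                  # PutEvaluations caps annotations at 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is not None:                  # boto3.client("config") inside Lambda
        config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def _event(resource_id, block_settings, status="OK"):
    """Build a constructed Config invocation event for an S3 bucket (sample data, not real)."""
    item = {
        "resourceType": RESOURCE_TYPE, "resourceId": resource_id,
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2024-03-04T10:15:00.000Z",
        "supplementaryConfiguration": {"PublicAccessBlockConfiguration": json.dumps(block_settings)},
    }
    return {"invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                         "configurationItem": item}),
            "ruleParameters": "{}", "resultToken": "constructed-token"}


HARDENED_BUCKET_EVENT = _event("logs-bucket", {"blockPublicAcls": True, "ignorePublicAcls": True,
                                               "blockPublicPolicy": True, "restrictPublicBuckets": True})
EXPOSED_BUCKET_EVENT = _event("example-bucket", {"blockPublicAcls": True, "ignorePublicAcls": True,
                                                 "blockPublicPolicy": False, "restrictPublicBuckets": False})
DELETED_BUCKET_EVENT = _event("old-bucket", {}, status="ResourceDeleted")

if __name__ == "__main__":
    for ev in (HARDENED_BUCKET_EVENT, EXPOSED_BUCKET_EVENT, DELETED_BUCKET_EVENT):
        result = lambda_handler(ev, None)
        print(result["ComplianceResourceId"], result["ComplianceType"], result["Annotation"])
```

The NOT_APPLICABLE branch matters in practice: a rule that reports NON_COMPLIANT for a bucket that no longer exists leaves a stale finding on the dashboard, which is exactly the kind of noise that makes teams stop acting on Config results.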

3. Enable CloudTrail

In the CloudTrail console, create a trail. Choose to apply to all regions (recommended) or a single region. Specify an S3 bucket for log delivery. You can also enable log file validation (creates a digest file to verify integrity). CloudTrail will start logging management events (control plane) by default. For data events (e.g., S3 object-level operations), you must enable them separately (additional cost). Pricing: first copy of management events free in CloudTrail Event History (90 days); for longer retention, you pay for S3 storage and data events. CloudTrail is essential for compliance because it records who did what, when, and from where. Without it, you cannot audit changes.
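To make "who did what, when, and from where" concrete, the script below is an added example for this chapter (not AWS code) that reads a constructed CloudTrail log file in the form a trail delivers to S3 (gzip-compressed JSON with a Records array), pulls out the control-plane calls that change a resource's security posture, answers the audit question "which principal changed this bucket policy?", lists anonymous object reads, and recomputes the SHA-256 hash of the log file against a constructed digest entry. The record field names (eventName, userIdentity.arn, sourceIPAddress, requestParameters) are the real CloudTrail schema; the ANONYMOUS_PRINCIPAL marker for unauthenticated S3 reads and the digest entry layout are stated as I understand them and are assumptions here. Real log file validation also verifies the signature over the digest file (aws cloudtrail validate-logs does this), which is not modelled.

```python
import gzip
import hashlib
import json

# Constructed sample log file; account id, addresses and names are placeholders.
RECORDS = {"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-03-04T10:15:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": {"bucketName": "example-bucket"}},
    {"eventVersion": "1.08", "eventTime": "2024-03-04T10:16:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AWSAccount", "accountId": "ANONYMOUS_PRINCIPAL"},   # assumed marker
     "requestParameters": {"bucketName": "example-bucket", "key": "patients/2024.csv"}},
    {"eventVersion": "1.08", "eventTime": "2024-03-04T11:02:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/OpsRole/bob"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
]}
LOG_FILE = gzip.compress(json.dumps(RECORDS).encode("utf-8"), mtime=0)

# Constructed digest entry in the shape I understand CloudTrail digest files to use per log file.
DIGEST_ENTRY = {"s3Object": "AWSLogs/111122223333/CloudTrail/us-east-1/2024/03/04/example.json.gz",
                "hashAlgorithm": "SHA-256",
                "hashValue": hashlib.sha256(LOG_FILE).hexdigest()}

# Control-plane calls that change a resource's security posture and therefore matter for audits.
POSTURE_CHANGES = {"PutBucketPolicy", "DeleteBucketPolicy", "PutBucketAcl",
                   "AuthorizeSecurityGroupIngress", "PutUserPolicy", "AttachRolePolicy"}


def load_records(log_bytes):
    """Decompress a delivered log file and return its Records list."""
    return json.loads(gzip.decompress(log_bytes).decode("utf-8"))["Records"]


def posture_changes(records):
    """Who did what, when and from where, for the events in POSTURE_CHANGES."""
    out = []
    for r in records:
        if r.get("eventName") not in POSTURE_CHANGES:
            continue
        params = r.get("requestParameters") or {}
        identity = r.get("userIdentity") or {}
        out.append({
            "when": r["eventTime"],
            "who": identity.get("arn", identity.get("type")),
            "what": r["eventName"],
            "target": params.get("bucketName") or params.get("groupId") or "?",
            "from": r.get("sourceIPAddress"),
        })
    return out


def who_changed(records, event_name, target):
    """Answer the audit question "which principal ran event_name against target?"."""
    for change in posture_changes(records):
        if change["what"] == event_name and change["target"] == target:
            return change["who"]
    return None


def anonymous_data_events(records):
    """Object reads made without credentials: evidence that a bucket really was public."""
    return [r for r in records
            if r.get("eventName") == "GetObject"
            and (r.get("userIdentity") or {}).get("accountId") == "ANONYMOUS_PRINCIPAL"]


def verify_log_file(log_bytes, digest_entry):
    """Recompute the log file hash and compare with the digest entry (the hashing half of
    log file validation; the digest's own signature is not checked here)."""
    return hashlib.sha256(log_bytes).hexdigest() == digest_entry["hashValue"]


if __name__ == "__main__":
    records = load_records(LOG_FILE)
    print("log file intact:", verify_log_file(LOG_FILE, DIGEST_ENTRY))
    for change in posture_changes(records):
        print(change)
    print("anonymous reads:", len(anonymous_data_events(records)))
```

Config would tell you that example-bucket became public at 10:15; this log tells you that dev-alice made the PutBucketPolicy call from 203.0.113.10, and the anonymous GetObject ninety seconds later shows the exposure was actually used. Note that the GetObject record is a data event, which only exists if data events were enabled on the trail.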

4. Set Up Security Hub

In Security Hub, enable it by choosing the standards you want to monitor: CIS AWS Foundations, PCI DSS, and AWS Foundational Security Best Practices. Security Hub will automatically aggregate findings from AWS Config, GuardDuty, Inspector, Macie, and Firewall Manager. You get a consolidated findings dashboard with severity levels. Security Hub also provides a compliance score for each standard. For example, under CIS, it checks if IAM password policy requires uppercase letters. If not, it's non-compliant. You can then take remediation steps. Pricing: $0.10 per account per month for the first 100,000 findings, then $0.0005 per additional finding. Security Hub helps you prioritize the most critical non-compliance issues.

5. Enable GuardDuty

Activate GuardDuty from the console. It takes about 30 minutes to start generating findings. GuardDuty uses machine learning to analyze CloudTrail events, VPC Flow Logs, and DNS logs. It generates findings like 'UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration' if an EC2 instance is using its role credentials outside AWS. GuardDuty findings appear in Security Hub if integrated. You can set up automated responses using EventBridge and Lambda (e.g., isolate an EC2 instance). GuardDuty is not a compliance tool per se, but it detects active threats that could lead to non-compliance (e.g., data exfiltration that violates GDPR). It's a best practice to enable it in all regions.

6. Use AWS Audit Manager

Audit Manager helps automate evidence collection for audits. You create an assessment framework (e.g., for HIPAA) and it automatically collects evidence from AWS Config, CloudTrail, Security Hub, and other services. It organizes evidence into control sets and generates reports. For example, for control 'Encryption of data at rest', Audit Manager will collect evidence from S3 bucket policies, KMS keys, and Config rules. This reduces manual effort. Pricing: based on the number of assessment reports and resources. Audit Manager is useful when you need to prove compliance to external auditors. Non-compliance risk: if you don't use it, you might miss evidence gaps.

What This Looks Like on the Job

Scenario 1: Healthcare Startup and HIPAA Compliance

A healthcare startup stores patient records in Amazon S3. They enable default encryption (SSE-S3) but do not set up AWS Config rules to check for public access. A developer accidentally modifies a bucket policy to allow read access to a third-party analytics service. Because there is no monitoring, the bucket remains publicly accessible for two weeks. A security researcher discovers it and reports it. The startup faces a HIPAA violation because PHI was exposed. They incur fines and legal costs. If they had enabled AWS Config with the rule s3-bucket-public-read-prohibited, they would have received an alert within minutes of the change. They also lacked CloudTrail to trace who made the change. Cost considerations: AWS Config costs ~$3 per month for a small number of resources, far less than the potential penalty.

Scenario 2: E-commerce Company and PCI DSS

An e-commerce company processes credit card payments. They use EC2 instances behind an Application Load Balancer. Their security group allows SSH (port 22) from 0.0.0.0/0 for 'emergency access'. This violates PCI DSS requirement 1.3.1 (restrict inbound traffic). The company does not use AWS Config, so they are unaware. During a PCI audit, the auditor identifies the open port. The company fails the audit and must pay for a re-audit. They also risk losing the ability to process credit cards. If they had enabled AWS Config with the managed rule restricted-common-ports (which checks for SSH, RDP, etc. from 0.0.0.0/0), they would have been alerted. They could then restrict SSH to a bastion host or a specific IP range. Cost: negligible compared to audit failure.

Scenario 3: Financial Services and SOC 2

A financial services firm uses AWS Organizations with 50 accounts. They need to ensure that all accounts have CloudTrail enabled and that logs are delivered to a central S3 bucket. Without a central monitoring tool, some accounts are missing CloudTrail. The firm uses AWS Config aggregator to view compliance across accounts. They set up a Config rule cloudtrail-enabled and see that 5 accounts are non-compliant. They then use AWS Systems Manager Automation to enable CloudTrail in those accounts. If they had not used Config, they might have failed a SOC 2 audit. Cost: Config aggregator costs based on number of accounts and rules. The automation saves manual effort.

How CLF-C02 Actually Tests This

What CLF-C02 Tests on Non-Compliance Risks

Objective 2.4 focuses on identifying risks that arise from failing to use AWS compliance and audit services. The exam expects you to know:

The Shared Responsibility Model and that customers are responsible for compliance IN the cloud.

Which AWS services help detect non-compliance (AWS Config, Security Hub, GuardDuty, CloudTrail, Audit Manager).

Specific misconfigurations that cause non-compliance: public S3 buckets, open security groups, unencrypted data, missing CloudTrail, over-permissive IAM roles.

How to remediate: AWS Config rules and automatic remediation.

Common Wrong Answers and Why

1. 'AWS automatically ensures compliance' – Wrong because compliance is shared. AWS provides tools but you must configure them.

2. 'AWS Config prevents non-compliance' – Wrong; Config only detects and reports, it does not block changes. It can trigger remediation but not prevent the initial action.

3. 'CloudTrail is only for security incidents' – Wrong; CloudTrail is also for compliance auditing.

4. 'Security Hub replaces AWS Config' – Wrong; Security Hub aggregates findings from Config and others, but Config is still needed for configuration tracking.

Specific Terms and Values

AWS Config: Managed rules like s3-bucket-public-read-prohibited, restricted-common-ports, cloudtrail-enabled, iam-password-policy.

CloudTrail: Management events (free), data events (paid).

Security Hub: Standards: CIS AWS Foundations, PCI DSS, AWS Foundational Security Best Practices.

GuardDuty: Findings like UnauthorizedAccess:EC2/SSHBruteForce.

Shared Responsibility Model: AWS responsible for security OF the cloud; customer responsible for security IN the cloud.

Tricky Distinctions

AWS Config vs. CloudTrail: Config tracks resource configurations (what changed); CloudTrail tracks API calls (who made the change). Both are needed for full audit.

Security Hub vs. GuardDuty: Security Hub is a central dashboard for compliance and security findings; GuardDuty is a threat detection service. Security Hub includes GuardDuty findings but also others.

AWS Config vs. AWS Systems Manager: Config evaluates compliance; Systems Manager can automate remediation but is not a compliance evaluator.

Decision Rule for Multiple Choice

If the question asks about 'identifying non-compliant resource configurations', choose AWS Config. If it asks about 'auditing API calls', choose CloudTrail. If it asks about 'aggregating security findings across services', choose Security Hub. If it asks about 'threat detection', choose GuardDuty. For 'automated evidence collection for audits', choose Audit Manager.

Key Takeaways

Non-compliance risks arise from misconfigurations, lack of auditing, and insufficient access controls.

AWS Config evaluates resource configurations against rules; it does not prevent non-compliance.

CloudTrail records API calls; essential for auditing and forensic investigations.

Security Hub aggregates findings from multiple services and provides compliance scores.

GuardDuty detects active threats that may indicate compliance violations.

The Shared Responsibility Model means customers are responsible for compliance IN the cloud.

Common non-compliant configurations: public S3 buckets, open security groups, unencrypted data, missing CloudTrail.

Automatic remediation can be set up using AWS Config rules and Systems Manager Automation.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

AWS Config

Evaluates resource configurations against rules

Provides configuration history and compliance timeline

Can trigger automatic remediation via Systems Manager

Priced per configuration item recorded and rule evaluation

Use case: detect misconfigured S3 bucket policies

AWS CloudTrail

Records API calls (who, what, when, source IP)

Provides audit logs for forensic analysis

Cannot automatically remediate, but can trigger alerts via CloudWatch Events

Priced per management event and data event

Use case: determine who deleted a resource

Watch Out for These

Mistake: AWS is responsible for all compliance.

Correct: The Shared Responsibility Model splits responsibility: AWS secures the infrastructure, but customers must configure services correctly to meet compliance requirements.

Mistake: Enabling AWS Config automatically makes my account compliant.

Correct: AWS Config only evaluates resources against rules; it does not enforce compliance. You must act on non-compliant findings.

Mistake: CloudTrail logs all API calls by default forever.

Correct: CloudTrail Event History retains management events for 90 days. For longer retention and data events, you must create a trail and store logs in S3.

Mistake: Security Hub replaces the need for AWS Config.

Correct: Security Hub aggregates findings from AWS Config but does not replace it. Config still provides configuration history and compliance evaluations.

Mistake: If I use encryption, I am fully compliant with data protection regulations.

Correct: Encryption is one aspect. You also need access controls, auditing, and proper key management (e.g., KMS key rotation). Non-compliance can still occur if encryption keys are mismanaged.

Frequently Asked Questions

What is the main cause of non-compliance on AWS?

The main cause is misconfiguration of services by the customer, such as leaving S3 buckets public, not enabling encryption, or allowing overly permissive security group rules. AWS provides tools to detect these issues, but customers must use them.

How does AWS Config help with compliance?

AWS Config continuously evaluates your resource configurations against rules (managed or custom). It provides a compliance dashboard, configuration history, and can trigger automatic remediation. It does not block changes but alerts you to non-compliance.

What is the difference between AWS Config and CloudTrail?

AWS Config tracks resource configurations (what changed), while CloudTrail records API calls (who made the change). Both are needed for a complete audit trail. For example, Config can show that an S3 bucket became public, and CloudTrail can show which user changed the policy.

Do I need to enable CloudTrail for compliance?

Yes, most compliance frameworks require logging of API activity. CloudTrail is the primary service for this. Without it, you cannot prove who made changes or when, which is critical for audits.

Can AWS automatically fix non-compliant resources?

Yes, you can set up automatic remediation using AWS Config rules with Systems Manager Automation documents. For example, you can automatically apply a bucket policy to block public access. However, test carefully to avoid unintended disruptions.

What is the Shared Responsibility Model?

It divides security responsibilities between AWS and the customer. AWS secures the cloud infrastructure (physical, hypervisor, network), while the customer secures data, configurations, and access within the cloud. Non-compliance often results from neglecting customer-side responsibilities.

Which AWS service provides a compliance score?

AWS Security Hub provides a compliance score for standards like CIS AWS Foundations, PCI DSS, and AWS Foundational Security Best Practices. It aggregates findings from multiple services and shows your compliance posture.
