2.4 Compliance and Governance
Key Takeaways
- AWS Artifact provides on-demand access to AWS compliance reports and agreements (SOC, PCI DSS, HIPAA BAA, ISO 27001).
- AWS Config continuously monitors and records AWS resource configurations and evaluates them against desired configurations.
- AWS Organizations lets you centrally manage multiple AWS accounts with consolidated billing and Service Control Policies (SCPs).
- Service Control Policies (SCPs) set permission guardrails across an entire AWS Organization: they define the maximum permissions an account can have, and they never grant permissions on their own.
- AWS complies with numerous global standards (ISO, SOC, PCI DSS, HIPAA, FedRAMP, GDPR) but compliance is a shared responsibility.
Compliance and Governance
AWS Compliance Programs
AWS maintains compliance with a wide range of global security and compliance standards. The critical point is the split: AWS provides infrastructure that is certified against these standards, while the customer remains responsible for configuring and using AWS services in a way that keeps their own workload compliant. Running on a PCI DSS-compliant platform does not make an application PCI DSS-compliant by itself.
Common Compliance Standards
| Standard | Description | Relevance |
|---|---|---|
| SOC 1/2/3 | System and Organization Controls reports (independent auditor reports) | SOC 1 covers controls relevant to financial reporting; SOC 2 and SOC 3 cover security and related trust criteria |
| PCI DSS | Payment Card Industry Data Security Standard | Processing credit card data |
| HIPAA | Health Insurance Portability and Accountability Act | Healthcare data in the US |
| FedRAMP | Federal Risk and Authorization Management Program | US government workloads |
| GDPR | General Data Protection Regulation | EU personal data protection |
| ISO 27001 | International security standard | Information security management |
| ISO 27017 | Cloud-specific security controls | Cloud security practices |
| ISO 27018 | Protection of PII in the cloud | Personal data in cloud environments |
| CSA STAR | Cloud Security Alliance assessment | Cloud security posture |
Compliance is a Shared Responsibility
| AWS's Compliance Responsibility | Customer's Compliance Responsibility |
|---|---|
| Physical data center compliance | Configuring services to meet compliance requirements |
| Infrastructure-level certifications | Data classification and protection |
| Maintaining compliance reports | User access management and auditing |
| Global infrastructure security | Application-level compliance controls |
AWS Artifact
AWS Artifact is a self-service portal that provides on-demand access to AWS compliance documentation and agreements.
Two main sections:
| Section | What It Provides |
|---|---|
| Artifact Reports | AWS compliance reports (SOC, PCI, ISO) — download and share with auditors |
| Artifact Agreements | Review and accept agreements like the HIPAA Business Associate Addendum (BAA) |
On the Exam: If a question asks where to find AWS compliance reports or how to download SOC reports, the answer is AWS Artifact.
AWS Config
AWS Config is a service that continuously monitors and records your AWS resource configurations. It answers the question: "What did my AWS environment look like at a specific point in time?"
Key capabilities:
- Configuration recording — Track how resources are configured and how they change over time
- Compliance evaluation — Define rules (e.g., "all S3 buckets must have encryption enabled") and check if resources comply
- Configuration history — View the timeline of changes to any resource
- Remediation — Automatically fix non-compliant resources by running an AWS Systems Manager Automation runbook when a rule flags a resource
Common AWS Config Rules:
- Ensure S3 buckets are not publicly accessible
- Ensure EBS volumes are encrypted
- Ensure CloudTrail is enabled
- Ensure IAM root user has MFA enabled
On the Exam: AWS Config is for resource configuration tracking and compliance. CloudTrail is for API call logging. Do not confuse them.
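The bullet "all S3 buckets must have encryption enabled" is exactly the kind of check a Config rule performs. The following is an added example, not code from AWS or from the original page: the evaluation logic of a Lambda-backed custom Config rule that inspects one S3 bucket configuration item and reports COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE. It assumes the bucket's encryption settings appear under supplementaryConfiguration["ServerSideEncryptionConfiguration"] as AWS Config records them for AWS::S3::Bucket (sometimes serialised as a JSON string); verify that layout against a real configuration item before deploying. The sample items at the bottom and the rule parameter name requireKms are constructed for the example.

```python
"""Evaluation logic for a Lambda-backed custom AWS Config rule that checks
S3 bucket default encryption.

Added example for this section, not AWS code and not from the original page.
Assumption: the configuration item carries the bucket's encryption settings
under supplementaryConfiguration["ServerSideEncryptionConfiguration"], as
AWS Config records it for AWS::S3::Bucket (sometimes as a JSON string).
The sample items at the bottom are constructed, not captured from an account.
"""
import json
from typing import Tuple

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def evaluate_compliance(item: dict, require_kms: bool = False) -> Tuple[str, str]:
    """Return (ComplianceType, Annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::S3::Bucket":
        return NOT_APPLICABLE, "rule evaluates S3 buckets only"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return NOT_APPLICABLE, "bucket has been deleted"

    sse = item.get("supplementaryConfiguration", {}).get("ServerSideEncryptionConfiguration")
    if isinstance(sse, str):            # Config may serialise this as a JSON string
        sse = json.loads(sse)
    rules = (sse or {}).get("rules") or []
    algorithms = {
        (rule.get("applyServerSideEncryptionByDefault") or {}).get("sseAlgorithm")
        for rule in rules
    } - {None}
    if not algorithms:
        return NON_COMPLIANT, "no default encryption configured"
    if require_kms and "aws:kms" not in algorithms:
        return NON_COMPLIANT, "expected aws:kms, found " + ", ".join(sorted(algorithms))
    return COMPLIANT, "default encryption: " + ", ".join(sorted(algorithms))


def build_evaluation(item: dict, require_kms: bool = False) -> dict:
    """Shape one result the way the PutEvaluations API expects it."""
    compliance_type, annotation = evaluate_compliance(item, require_kms)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance_type,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point for a configuration-change-triggered custom rule.
    The hypothetical rule parameter requireKms tightens the check to SSE-KMS."""
    invoking_event = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    require_kms = str(params.get("requireKms", "false")).lower() == "true"
    evaluation = build_evaluation(invoking_event["configurationItem"], require_kms)
    import boto3  # imported here so evaluate_compliance() can be exercised offline
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


# Constructed sample configuration items.
UNENCRYPTED_BUCKET = {
    "resourceType": "AWS::S3::Bucket",
    "resourceId": "example-logs-bucket",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "supplementaryConfiguration": {},
}
KMS_BUCKET = {
    "resourceType": "AWS::S3::Bucket",
    "resourceId": "example-data-bucket",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "supplementaryConfiguration": {
        "ServerSideEncryptionConfiguration": json.dumps({
            "rules": [{"applyServerSideEncryptionByDefault": {
                "sseAlgorithm": "aws:kms", "kmsMasterKeyID": "alias/example-key"}}]
        })
    },
}

if __name__ == "__main__":
    for bucket in (UNENCRYPTED_BUCKET, KMS_BUCKET):
        print(bucket["resourceId"], evaluate_compliance(bucket, require_kms=True))
```

For the plain "is encryption on" check, the managed rule s3-bucket-server-side-encryption-enabled already exists and needs no Lambda; a custom rule earns its keep when the policy is stricter than the managed rule, such as requiring SSE-KMS rather than SSE-S3. Since January 2023 S3 applies SSE-S3 to every new bucket by default, so the requireKms variant is the one that will actually surface findings in most accounts.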
AWS Organizations
AWS Organizations is a service for centrally managing and governing multiple AWS accounts.
Key Features
| Feature | Description |
|---|---|
| Consolidated Billing | Single payment method for all accounts; volume discounts apply across accounts |
| Organizational Units (OUs) | Group accounts into logical units (e.g., Production, Development, Finance) |
| Service Control Policies (SCPs) | Set permission guardrails (the maximum permissions available) across accounts/OUs; not to be confused with IAM permissions boundaries, which apply to a single IAM user or role |
| Account Creation | Programmatically create new AWS accounts |
| Tag Policies | Enforce standardized tagging across accounts |
Service Control Policies (SCPs)
SCPs are the central control mechanism in AWS Organizations. They set the maximum permissions that accounts in an Organization can have.
Important SCP facts:
- SCPs do NOT grant permissions — they only restrict what is allowed
- SCPs apply to all users and roles in the affected accounts, including the root user
- SCPs do NOT affect the management account (formerly called the master account), so privileged work should not be done there
- SCPs work alongside IAM policies — the effective permission is the intersection of SCP and IAM policy
Example: An SCP that denies all EC2 actions in the "Development" OU would prevent any user in any Development account from launching EC2 instances, regardless of their IAM permissions.
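The four SCP facts above are easiest to internalise by working through an evaluation. The following is an added example, not AWS code and not from the original page: a simplified Python model of how the SCPs on the path from the organization root down to an account combine with an IAM identity policy. The policy documents are hypothetical; the model covers only what this section states (SCPs never grant, they bind every principal in a member account, the management account is exempt, the effective permission is the intersection) plus the explicit-deny-wins rule, and it ignores resource policies, permissions boundaries, conditions and session policies.

```python
"""Simplified model of how SCPs combine with an IAM identity policy.

Added example for this section, not AWS code and not from the original page.
Models: an SCP never grants; every level root -> OU -> account must allow;
an explicit deny anywhere wins; the management account is exempt; the
effective permission is the intersection of SCP and IAM policy. Resource
policies, permissions boundaries, conditions and session policies are
ignored, so treat this as a teaching aid, not a policy simulator.
All policy documents below are hypothetical.
"""
import fnmatch
import json
from typing import Iterable, List

# FullAWSAccess: the SCP AWS attaches by default at every level.
FULL_AWS_ACCESS = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}""")

# Hypothetical SCP attached to the "Development" OU.
DENY_EC2 = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Deny", "Action": "ec2:*", "Resource": "*"}]
}""")

# Hypothetical IAM identity policy on a developer role in a Development account.
DEVELOPER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:RunInstances", "ec2:DescribeInstances", "s3:GetObject"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}
  ]
}""")

# SCPs in effect along the path root -> Development OU -> member account.
DEV_ACCOUNT_SCP_LEVELS = [
    [FULL_AWS_ACCESS],            # organization root
    [FULL_AWS_ACCESS, DENY_EC2],  # Development OU
    [FULL_AWS_ACCESS],            # the member account itself
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_decision(policy: dict, action: str) -> str:
    """'Deny', 'Allow' or 'ImplicitDeny' for one policy document.
    Action matching is case-insensitive and honours the * and ? wildcards."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        for pattern in _as_list(stmt.get("Action", [])):
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                if stmt["Effect"] == "Deny":
                    return "Deny"           # an explicit deny always wins
                decision = "Allow"
    return decision


def scp_decision(scp_levels: Iterable[List[dict]], action: str) -> str:
    """The action passes the SCP check only if every level from the root
    down to the account allows it and no SCP at any level denies it."""
    for level in scp_levels:
        decisions = {policy_decision(scp, action) for scp in level}
        if "Deny" in decisions:
            return "Deny"
        if "Allow" not in decisions:
            return "ImplicitDeny"           # e.g. FullAWSAccess was detached
    return "Allow"


def is_allowed(action: str, scp_levels, iam_policy: dict,
               management_account: bool = False) -> bool:
    """Effective permission = SCP guardrail AND IAM policy, except for
    principals in the management account, which SCPs do not bind."""
    if not management_account and scp_decision(scp_levels, action) != "Allow":
        return False
    return policy_decision(iam_policy, action) == "Allow"


def effective_actions(candidates, scp_levels, iam_policy, management_account=False):
    """Sorted subset of candidate actions the principal can actually perform."""
    return sorted(a for a in candidates
                  if is_allowed(a, scp_levels, iam_policy, management_account))


if __name__ == "__main__":
    probe = ["ec2:RunInstances", "ec2:DescribeInstances", "s3:GetObject",
             "s3:DeleteBucket", "iam:CreateUser"]
    print("Developer in Dev OU:",
          effective_actions(probe, DEV_ACCOUNT_SCP_LEVELS, DEVELOPER_POLICY))
    print("Same policy in management account:",
          effective_actions(probe, DEV_ACCOUNT_SCP_LEVELS, DEVELOPER_POLICY, True))
```

Two outcomes are worth noticing. iam:CreateUser is allowed by every SCP level (FullAWSAccess) yet is still denied, because the IAM policy never grants it, which is what "SCPs do NOT grant permissions" means in practice. And a level whose only SCP is DENY_EC2, with FullAWSAccess detached, implicitly denies everything, including s3:GetObject; detaching FullAWSAccess without attaching a replacement allow-list is a common way to lock an OU out of every service.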
AWS Control Tower
AWS Control Tower automates the setup and governance of a secure, multi-account AWS environment. It builds on top of AWS Organizations.
Key features:
- Landing Zone — Automated setup of a multi-account environment with best practices
- Guardrails (now called controls) — Pre-configured governance rules: preventive controls are enforced with SCPs, detective controls are implemented as AWS Config rules, and proactive controls block non-compliant resources before they are created
- Account Factory — Automated provisioning of new accounts with pre-configured settings
- Dashboard — Centralized visibility of compliance status
Governance Quick Reference
| Service | What It Does |
|---|---|
| AWS Organizations | Centrally manage multiple AWS accounts |
| Service Control Policies | Set permission guardrails (maximum permissions) across accounts and OUs |
| AWS Control Tower | Automated multi-account governance setup |
| AWS Config | Track resource configurations and compliance |
| AWS Artifact | Access compliance reports and agreements |
| AWS CloudTrail | Log API activity for auditing |
| AWS Audit Manager | Automate evidence collection for audits |
Practice Questions
- Where can a company download AWS compliance reports like SOC and PCI DSS reports?
- A company wants to ensure that all S3 buckets across their AWS accounts have encryption enabled. Which AWS service should they use to continuously monitor this requirement?
- What is the purpose of Service Control Policies (SCPs) in AWS Organizations?
- Which AWS service provides automated setup and governance of a secure, multi-account AWS environment?