1.8 Data Protection, Compliance, and Audit Services
Key Takeaways
- AWS Artifact provides on-demand access to AWS compliance reports (SOC, PCI, ISO, HIPAA) and agreements for audit purposes.
- AWS Audit Manager automates evidence collection for audits and maps to compliance frameworks like PCI DSS, SOC 2, and GDPR.
- AWS CloudTrail provides a complete audit trail of all API calls — essential for security investigations, compliance, and governance.
- S3 Object Lock (Compliance mode) and Glacier Vault Lock provide WORM (Write Once Read Many) storage for regulatory data retention.
- Use a combination of KMS encryption, CloudTrail logging, Config compliance rules, and S3 Object Lock to build a comprehensive data protection strategy.
Data Protection, Compliance, and Audit Services
Quick Answer: Artifact = download compliance reports (SOC, PCI, ISO). Audit Manager = automate audit evidence collection. CloudTrail = API call audit trail. S3 Object Lock (Compliance) = immutable storage. Glacier Vault Lock = archive with WORM policy. Use these together for regulatory compliance.
AWS Artifact
AWS Artifact provides on-demand access to AWS security and compliance reports.
| Feature | Detail |
|---|---|
| Reports | SOC 1/2/3, PCI DSS, ISO 27001, HIPAA, FedRAMP |
| Agreements | BAA (Business Associate Addendum for HIPAA), NDA |
| Access | Self-service from AWS Console |
| Cost | Free |
| Use case | Provide compliance documentation to auditors |
AWS Audit Manager
| Feature | Detail |
|---|---|
| Purpose | Automate evidence collection for audits |
| Frameworks | PCI DSS, SOC 2, GDPR, HIPAA, CIS benchmarks (prebuilt) |
| Evidence | Automatically collects from CloudTrail, Config, Security Hub |
| Reports | Generate audit-ready reports |
| Custom frameworks | Create custom frameworks for internal controls |
Data Retention Compliance
S3 Object Lock
| Mode | Behavior |
|---|---|
| Governance | Users with specific IAM permissions CAN override |
| Compliance | NO ONE can override, not even the root account, until the retention period expires |
| Legal Hold | Prevents deletion until hold is explicitly removed |
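As an added illustration (not AWS code and not part of the original notes), the following Python models the override rules in the Object Lock table as a single decision function; ObjectVersion, Caller and the function names are this example's own, and the 7-year sample data is constructed. The IAM permission and request header named in the comments are the real S3 names.

```python
"""Offline model of the S3 Object Lock rules in the table above (added example,
not AWS code; ObjectVersion, Caller and the function names are this example's own)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

@dataclass
class ObjectVersion:
    retention_mode: Optional[str]     # "GOVERNANCE", "COMPLIANCE" or None
    retain_until: Optional[datetime]  # retention expiry, UTC
    legal_hold: bool = False          # independent of the retention period

@dataclass
class Caller:
    has_bypass_permission: bool = False  # holds s3:BypassGovernanceRetention (root always does)
    bypass_header: bool = False          # sent x-amz-bypass-governance-retention: true

def can_delete_version(obj: ObjectVersion, caller: Caller, now: datetime) -> Tuple[bool, str]:
    """Decide a version-specific delete (or overwrite) of a locked object version."""
    if obj.legal_hold:
        return False, "legal hold set: remove the hold first"
    if obj.retention_mode is None or obj.retain_until is None or now >= obj.retain_until:
        return True, "no active retention period"
    if obj.retention_mode == "COMPLIANCE":
        # Nobody, root included, can shorten or bypass Compliance retention.
        return False, "Compliance retention active: not even root can override"
    if obj.retention_mode == "GOVERNANCE":
        # Override needs BOTH the IAM permission and the explicit bypass request.
        if caller.has_bypass_permission and caller.bypass_header:
            return True, "Governance retention bypassed by a permitted user"
        return False, "Governance retention active: bypass not permitted or not requested"
    raise ValueError(f"unknown retention mode {obj.retention_mode!r}")

# Constructed sample data: records written 1 Jan 2025 with a 7-year retention period.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
RETAIN_UNTIL = NOW.replace(year=NOW.year + 7)
ROOT = Caller(has_bypass_permission=True, bypass_header=True)
ADMIN_NO_HEADER = Caller(has_bypass_permission=True, bypass_header=False)

def demo() -> dict:
    """Run the table's cases; returns {case: allowed} so the results can be checked."""
    compliance = ObjectVersion("COMPLIANCE", RETAIN_UNTIL)
    governance = ObjectVersion("GOVERNANCE", RETAIN_UNTIL)
    held = ObjectVersion("GOVERNANCE", RETAIN_UNTIL, legal_hold=True)
    return {
        "compliance_root": can_delete_version(compliance, ROOT, NOW)[0],                 # False
        "governance_root_bypass": can_delete_version(governance, ROOT, NOW)[0],          # True
        "governance_no_header": can_delete_version(governance, ADMIN_NO_HEADER, NOW)[0], # False
        "legal_hold_root": can_delete_version(held, ROOT, NOW)[0],                       # False
        "expired_anyone": can_delete_version(compliance, Caller(), RETAIN_UNTIL)[0],     # True
    }
```

Note that a plain (non-versioned) delete of a locked object only adds a delete marker; the locked version itself stays until its retention expires.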
Glacier Vault Lock
| Feature | Detail |
|---|---|
| Purpose | Apply a WORM policy to a Glacier vault |
| Immutability | Once locked, the policy CANNOT be changed |
| Use case | Regulatory archives (SEC Rule 17a-4, FINRA) |
| Implementation | Create vault → initiate lock → 24-hour window to abort → lock becomes permanent |
On the Exam: "Store financial records for 7 years with immutable protection" → S3 Object Lock (Compliance mode) or Glacier Vault Lock. "Download AWS compliance reports for an audit" → AWS Artifact.
Compliance Decision Tree
| Need | Service |
|---|---|
| "Download AWS SOC 2 report" | AWS Artifact |
| "Automate evidence collection for PCI audit" | AWS Audit Manager |
| "Audit who made API calls" | CloudTrail |
| "Verify resources are configured correctly" | AWS Config |
| "Immutable data storage for regulations" | S3 Object Lock (Compliance) |
| "Archive with WORM policy" | Glacier Vault Lock |
| "Centralized security findings" | Security Hub |
A financial services company needs to store trading records for 7 years in a way that prevents anyone, including administrators, from modifying or deleting the records. Which S3 feature should they use?
An auditor requests AWS compliance reports (SOC 2, PCI DSS) for a company's AWS environment. Where can these reports be obtained?
A company needs to automate evidence collection from CloudTrail and AWS Config to prepare for a SOC 2 audit. Which service should they use?