1.8 Data Protection, Compliance, and Audit Services
Key Takeaways
- AWS Artifact provides self-service, no-cost downloads of compliance reports (SOC, PCI DSS, ISO, HIPAA, FedRAMP) and agreements for auditors.
- AWS Audit Manager automates evidence collection from CloudTrail, Config, and Security Hub and maps it to frameworks like PCI DSS, SOC 2, and GDPR.
- AWS CloudTrail records API calls across the account as the audit trail that investigations, compliance, and governance depend on; the trail is tamper-evident only when log-file validation is on and the log bucket itself is locked down.
- S3 Object Lock Compliance mode and Glacier Vault Lock provide WORM (Write Once Read Many) immutability for regulatory retention.
- A complete data-protection posture combines KMS encryption, CloudTrail logging, Config compliance rules, and WORM storage.
Quick Answer: Artifact = download AWS compliance reports (SOC, PCI, ISO). Audit Manager = automate audit-evidence collection. CloudTrail = API-call audit trail. S3 Object Lock (Compliance) = immutable WORM objects. Glacier Vault Lock = archive with an unchangeable WORM policy. Combine them for regulatory compliance.
AWS Artifact
AWS Artifact is the self-service portal for AWS's own audit reports and legal agreements — useful when an auditor asks how AWS itself is certified.
| Item | Detail |
|---|---|
| Reports | SOC 1/2/3, PCI DSS, ISO 27001/27017/27018, HIPAA, FedRAMP |
| Agreements | Business Associate Addendum (BAA) for HIPAA, NDA |
| Access | Self-service in the console |
| Cost | Free |
Artifact documents AWS's compliance, not yours — it does not assess your account's configuration.
AWS Audit Manager
AWS Audit Manager continuously collects evidence about your environment and maps it to compliance frameworks, replacing manual screenshot-gathering.
| Feature | Detail |
|---|---|
| Purpose | Automate audit evidence collection |
| Prebuilt frameworks | PCI DSS, SOC 2, GDPR, HIPAA, CIS benchmarks |
| Evidence sources | CloudTrail, AWS Config, Security Hub |
| Output | Audit-ready assessment reports |
| Custom frameworks | Build your own control mappings |
AWS CloudTrail and AWS Config
These two are easy to confuse on the exam:
| Service | Answers the Question | Granularity |
|---|---|---|
| CloudTrail | "Who made which API call, when, from where?" | Per API event |
| AWS Config | "What is the configuration of this resource, and did it drift from compliance?" | Per resource state over time |
Enable a CloudTrail organization trail delivering to an Object Lock-protected S3 bucket, with a restrictive bucket policy, in a separate Log Archive account for tamper-resistant, org-wide auditing. Config rules add continuous, detective compliance evaluation (for example, the managed rule encrypted-volumes flags any unencrypted EBS volume).
Immutable / WORM Retention
S3 Object Lock
| Mode | Who Can Delete/Overwrite During Retention |
|---|---|
| Governance | Only callers that hold s3:BypassGovernanceRetention and explicitly assert the bypass on the request (the x-amz-bypass-governance-retention header); in other words, privileged users can override |
| Compliance | No one — not even the root user |
| Legal Hold | Indefinite lock until explicitly removed; independent of a retention period |
Object Lock requires S3 Versioning. Enable it when creating the bucket where possible; a bucket default retention rule applies only to object versions written after it is set, so objects already in the bucket need explicit per-object retention.
Glacier Vault Lock
| Feature | Detail |
|---|---|
| Purpose | Apply an unchangeable WORM policy to a Glacier vault |
| Lifecycle | Create vault → initiate lock (policy enters the in-progress state and a lock ID is returned) → 24-hour window to test the policy and either complete or abort → complete lock makes it permanent; if the lock is not completed within 24 hours the lock ID expires and the in-progress policy is discarded |
| Once locked | Policy can never be changed or removed |
| Use cases | SEC Rule 17a-4, FINRA, long-term regulatory archives |
On the Exam: "Store financial records for 7 years so no one, including admins/root, can alter them" → S3 Object Lock in Compliance mode (or Glacier Vault Lock for archives). Governance mode is wrong here because privileged users could override it.
Compliance Decision Table
| Need | Service |
|---|---|
| Download AWS's SOC 2 / PCI report | AWS Artifact |
| Automate PCI/SOC 2 evidence collection | AWS Audit Manager |
| Audit who made API calls | AWS CloudTrail |
| Verify resources are configured correctly / detect drift | AWS Config |
| Immutable object storage (no override) | S3 Object Lock — Compliance |
| Immutable archive with a locked policy | Glacier Vault Lock |
| Centralized security findings + standards scoring | AWS Security Hub |
Common Trap: Artifact provides AWS's certifications; it does not prove your workload is compliant — that evidence comes from Audit Manager, Config, and CloudTrail.
CloudTrail Internals Worth Knowing
CloudTrail records three event categories: management events (control-plane actions such as RunInstances; on by default, and the first copy of management events is delivered free), data events (high-volume resource-level actions such as S3 GetObject and Lambda Invoke; off by default and charged per event), and Insights events (detection of unusual write-API call volume and error rates against the account's own baseline, enabled per trail at extra cost). For tamper resistance, deliver the trail to an S3 bucket with Object Lock in a separate Log Archive account and turn on log-file validation: CloudTrail then writes hourly digest files that list the SHA-256 hash of every delivered log file, chain to the previous digest, and are signed by CloudTrail, so `aws cloudtrail validate-logs` can prove that no log file was modified, deleted, or dropped after delivery.
A multi-Region organization trail captures every account in one place — the recommended enterprise audit design.
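The hash-chain part of log-file validation, as an added example that is not the page's or AWS's own code (the real check is `aws cloudtrail validate-logs`). It builds two constructed log files and two chained digests, then shows what the check reports when an event is scrubbed from a log file, when a log file is deleted, and when a digest itself is removed. The digest field names follow CloudTrail's documented digest format but only the fields the check uses are populated; the RSA signature CloudTrail stores in the digest object's S3 metadata is not verified here, and the bucket name, keys and events are constructed sample data.

```python
"""Hash-chain check of CloudTrail log files against their digest files.

Added example, not the page's or AWS's own validator. It reproduces the hashing
part of `aws cloudtrail validate-logs` offline: each digest records the SHA-256
of every log file it covers plus the hash of the previous digest, so an altered,
deleted, or missing file shows up as a finding. Signature verification of the
digest is omitted. Bucket/key names and events are constructed sample data.
"""
import gzip
import hashlib
import json
from typing import Dict, List, Optional

BUCKET = "org-log-archive-cloudtrail"  # assumed Log Archive bucket name


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_log_file(records: List[dict]) -> bytes:
    """Stand-in for a CloudTrail log object: gzip-compressed JSON.
    mtime=0 keeps the bytes deterministic so repeated builds hash identically."""
    return gzip.compress(json.dumps({"Records": records}).encode(), mtime=0)


def canonical(digest: dict) -> bytes:
    """Byte form of a digest as seen by the next digest in the chain (the real
    service hashes the stored digest file; canonical JSON stands in for that)."""
    return json.dumps(digest, sort_keys=True).encode()


def make_digest(log_objects: Dict[str, bytes], previous: Optional[dict]) -> dict:
    """Build a digest covering log_objects ({s3 key: bytes}), chained to previous.
    Field names follow CloudTrail's digest format; only the checked ones are set."""
    return {
        "digestS3Bucket": BUCKET,
        "logFiles": [
            {"s3Bucket": BUCKET, "s3Object": key,
             "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(body)}
            for key, body in sorted(log_objects.items())
        ],
        "previousDigestHashAlgorithm": "SHA-256",
        "previousDigestHashValue": sha256_hex(canonical(previous)) if previous else None,
    }


def validate_chain(digests: List[dict], objects: Dict[str, bytes]) -> List[str]:
    """Walk digests oldest-first and return findings. An empty list means every
    listed log file still matches its recorded hash and each digest names the
    hash of the digest before it."""
    findings: List[str] = []
    prev: Optional[dict] = None
    for i, digest in enumerate(digests):
        expected_prev = sha256_hex(canonical(prev)) if prev else None
        if digest.get("previousDigestHashValue") != expected_prev:
            findings.append(f"digest {i}: previous-digest hash mismatch (chain broken)")
        for entry in digest["logFiles"]:
            body = objects.get(entry["s3Object"])
            if body is None:
                findings.append(f"digest {i}: {entry['s3Object']} missing (deleted?)")
            elif sha256_hex(body) != entry["hashValue"]:
                findings.append(f"digest {i}: {entry['s3Object']} modified")
        prev = digest
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: two log files and two chained digests, then an
    attacker scrubs a DeleteTrail event from the second file, and separately
    removes the first digest object from the bucket."""
    prefix = "AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/01/"
    k1, k2 = prefix + "log-00.json.gz", prefix + "log-01.json.gz"
    objects = {
        k1: make_log_file([{"eventName": "RunInstances",
                            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}}]),
        k2: make_log_file([{"eventName": "DeleteTrail",
                            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/mallory"}}]),
    }
    d1 = make_digest({k1: objects[k1]}, None)
    d2 = make_digest({k2: objects[k2]}, d1)
    tampered = dict(objects)
    tampered[k2] = make_log_file([])  # DeleteTrail record scrubbed
    return {
        "clean": validate_chain([d1, d2], objects),
        "scrubbed_event": validate_chain([d1, d2], tampered),
        "digest_removed": validate_chain([d2], objects),  # d1 deleted from the bucket
    }


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(scenario, "->", findings or ["OK"])
```

The chain is what makes deletion visible: removing a whole log file leaves a digest entry with nothing to hash, and removing a digest leaves the next digest pointing at a hash that nothing in the bucket produces. Storing the digests in the same Object Lock bucket is what stops the attacker from simply rewriting them.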
Governance vs. Compliance: the Decisive Distinction
The single most-tested point in this section is the S3 Object Lock mode. In Governance mode, a caller holding s3:BypassGovernanceRetention can delete a version or shorten its retention, but only by explicitly asserting the bypass on the request (the x-amz-bypass-governance-retention header, or the equivalent CLI/SDK flag); a plain delete from the same identity is still refused. That is the right fit when you want immutability with an administrative override for legitimate corrections. In Compliance mode, no identity, including the account root user, can delete or overwrite an object version until its retention period elapses; the retain-until date can be extended but never shortened, and the mode cannot be changed back to Governance. Therefore any requirement that says "even administrators must not be able to delete" or cites SEC/FINRA-style mandates points to Compliance mode (or Glacier Vault Lock for archives), never Governance.
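The delete rules above as a small client-side model, together with the boto3 calls that set retention, as an added example that is not the page's or AWS's own code. `deletion_allowed` encodes the Governance/Compliance/Legal Hold behaviour described above (including the permission-plus-header requirement for a Governance bypass); the functions that talk to S3 use the real boto3 S3 client call shapes (`put_object_lock_configuration`, `put_object_retention`, `delete_object`) but take the client as a parameter, and `RecordingClient` is a test double so the whole thing runs without credentials. The bucket name, key and filing date are assumptions.

```python
"""S3 Object Lock: client-side model of the delete rules plus the boto3 calls
that set retention. Added example, not code from the page or from AWS.
BUCKET and the object key are assumptions; RecordingClient stands in for
boto3.client("s3") so this runs offline.
"""
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Tuple

COMPLIANCE, GOVERNANCE = "COMPLIANCE", "GOVERNANCE"
BUCKET = "fin-records-worm"  # assumed bucket name


def retain_until(start: datetime, years: int) -> datetime:
    """`years` after `start`; Feb 29 falls back to Feb 28 in a non-leap target year."""
    try:
        return start.replace(year=start.year + years)
    except ValueError:
        return start.replace(year=start.year + years, day=28)


def deletion_allowed(mode: Optional[str], until: Optional[datetime], now: datetime,
                     legal_hold: bool = False, has_bypass_permission: bool = False,
                     bypass_header: bool = False) -> Tuple[bool, str]:
    """Would a DELETE of this object version succeed? Legal hold blocks regardless.
    GOVERNANCE is overridable only with s3:BypassGovernanceRetention AND the
    x-amz-bypass-governance-retention header. COMPLIANCE is never overridable."""
    if legal_hold:
        return False, "legal hold in place"
    if mode is None or until is None or now >= until:
        return True, "no active retention"
    if mode == GOVERNANCE:
        if has_bypass_permission and bypass_header:
            return True, "governance retention bypassed"
        missing = "bypass header" if has_bypass_permission else "s3:BypassGovernanceRetention"
        return False, f"governance retention active ({missing} absent)"
    if mode == COMPLIANCE:
        return False, f"compliance retention active until {until.isoformat()}"
    raise ValueError(f"unknown mode {mode!r}")


def lock_configuration(mode: str, years: int) -> Dict[str, Any]:
    """Bucket default retention; applies only to object versions written afterwards."""
    if mode not in (COMPLIANCE, GOVERNANCE):
        raise ValueError("mode must be COMPLIANCE or GOVERNANCE")
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, "Years": years}}}


def apply_object_retention(s3, bucket: str, key: str, version_id: str, mode: str,
                           years: int, now: Optional[datetime] = None) -> datetime:
    """Explicit per-version retention. In COMPLIANCE mode S3 accepts only a later
    RetainUntilDate than the one already set, never an earlier one."""
    until = retain_until(now or datetime.now(timezone.utc), years)
    s3.put_object_retention(Bucket=bucket, Key=key, VersionId=version_id,
                            Retention={"Mode": mode, "RetainUntilDate": until})
    return until


def delete_version(s3, bucket: str, key: str, version_id: str,
                   bypass_governance: bool = False) -> Any:
    """BypassGovernanceRetention=True is what sends the bypass header; without it
    even a caller holding the permission gets AccessDenied in GOVERNANCE mode."""
    kwargs: Dict[str, Any] = {"Bucket": bucket, "Key": key, "VersionId": version_id}
    if bypass_governance:
        kwargs["BypassGovernanceRetention"] = True
    return s3.delete_object(**kwargs)


class RecordingClient:
    """Test double for boto3.client("s3"): records each call instead of sending it."""
    def __init__(self) -> None:
        self.calls: List[Tuple[str, Dict[str, Any]]] = []

    def __getattr__(self, name: str):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {"ResponseMetadata": {"HTTPStatusCode": 200}}
        return call


def demo() -> Dict[str, Any]:
    """Constructed walk-through: a trade record filed 2024-02-29 with 7-year
    retention. Replace RecordingClient() with boto3.client("s3") to run for real."""
    s3 = RecordingClient()
    key, filed = "trades/2024-02-29.csv", datetime(2024, 2, 29, tzinfo=timezone.utc)
    s3.put_object_lock_configuration(Bucket=BUCKET,
                                     ObjectLockConfiguration=lock_configuration(COMPLIANCE, 7))
    until = apply_object_retention(s3, BUCKET, key, "v1", COMPLIANCE, 7, now=filed)
    delete_version(s3, BUCKET, key, "v1", bypass_governance=True)  # S3 would refuse this
    admin = dict(has_bypass_permission=True, bypass_header=True)
    return {
        "retain_until": until.isoformat(),
        "compliance_admin_delete": deletion_allowed(COMPLIANCE, until, filed, **admin)[0],
        "governance_admin_delete": deletion_allowed(GOVERNANCE, until, filed, **admin)[0],
        "governance_permission_only": deletion_allowed(GOVERNANCE, until, filed,
                                                       has_bypass_permission=True)[0],
        "legal_hold_admin_delete": deletion_allowed(GOVERNANCE, until, filed,
                                                    legal_hold=True, **admin)[0],
        "after_expiry": deletion_allowed(COMPLIANCE, until, until)[0],
        "calls": [name for name, _ in s3.calls],
        "bypass_flag_sent": s3.calls[-1][1].get("BypassGovernanceRetention"),
    }
```

The model is only a pre-flight aid: S3 itself is the authority, and the point it makes is that an administrator with every permission still gets `False` for a Compliance-mode object, while the same administrator gets `True` for Governance only when the bypass is asserted on the request.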
Building a Layered Data-Protection Posture
Real architectures combine several services, and the exam rewards the holistic answer:
| Control Objective | Service |
|---|---|
| Encrypt data at rest with audited keys | KMS (SSE-KMS) |
| Encrypt data in transit | ACM / TLS, aws:SecureTransport policy |
| Record every API action | CloudTrail (with log-file validation) |
| Continuously check resource compliance | AWS Config rules |
| Immutable retention | S3 Object Lock (Compliance) / Glacier Vault Lock |
| Prove AWS's certifications to auditors | AWS Artifact |
| Automate your own audit evidence | AWS Audit Manager |
Exam framing: "Immutable for X years, no one can delete" → Object Lock Compliance or Vault Lock; "who called the API" → CloudTrail; "is the resource configured correctly" → Config; "give the auditor AWS's SOC report" → Artifact. Keeping these four jobs distinct resolves most Domain-1 compliance questions.
A financial services firm must retain trading records for seven years such that no one — including administrators and the root user — can modify or delete them. Which feature meets this requirement?
An external auditor requests AWS's SOC 2 and PCI DSS attestation reports for the platform the company runs on. Where are these obtained?
A company must automatically gather evidence from CloudTrail and AWS Config and map it to a SOC 2 framework ahead of an audit. Which service should they use?