Compliance is not optional for most organizations. Depending on your industry and the countries you operate in, you may be legally required to demonstrate that your systems meet specific data protection, security, and audit standards. Moving workloads to AWS does not eliminate compliance obligations — but it significantly reduces the effort required to meet them, because AWS has already invested in certifying the underlying infrastructure.
Key principle: AWS handles compliance of the underlying cloud infrastructure. You are responsible for compliance of the workloads you run on top of that infrastructure. This is the Shared Responsibility Model applied to compliance.
Why Compliance Matters in the Cloud
Before the cloud, organizations had to certify their own data centers against every applicable framework — an expensive, time-consuming, and recurring process. With AWS:
- AWS already holds hundreds of compliance certifications covering the infrastructure layer.
- Customers inherit the underlying compliance posture for physical security, hardware, and managed services.
- Your audit scope is reduced because AWS provides third-party audit evidence you can present to your auditors.
- You still own the compliance of your applications, data handling practices, IAM configurations, and network controls.
Major Compliance Frameworks and What They Cover
| Framework | Region / Scope | Industry | Key Focus |
|---|---|---|---|
| SOC 1 / SOC 2 / SOC 3 | Global | All | Internal controls over financial reporting and security/availability |
| PCI DSS | Global | Financial / Retail | Protection of cardholder data during payment processing |
| HIPAA | United States | Healthcare | Privacy and security of Protected Health Information (PHI) |
| GDPR | European Union | All (handling EU data) | Individual data rights, consent, breach notification within 72 hours |
| ISO 27001 | Global | All | Information security management systems |
| FedRAMP | United States (Federal) | Government | Standardized cloud security authorization for federal agencies |
| SOX | United States (Public Co.) | Financial | Accuracy and integrity of financial reporting |
| HITRUST | Global | Healthcare / Finance | Unified certifiable framework for risk management |
AWS Artifact: Your Compliance Document Portal
AWS Artifact is the self-service portal where you can access AWS compliance reports, certifications, and legal agreements — on demand, at no additional cost.
Compliance Reports
Download third-party audit reports that AWS has already undergone — SOC 1, SOC 2, SOC 3, ISO 27001, PCI DSS Attestation of Compliance, FedRAMP packages, and more. Share these with your own auditors as evidence.
Agreements
Review and accept legal agreements directly in the console. The most common: the Business Associate Addendum (BAA) required for HIPAA and the Data Processing Addendum (DPA) required for GDPR.
Open AWS Artifact in the console
Navigate to AWS Artifact from the AWS Management Console. No setup required — it is available to all AWS accounts.
Browse available reports
Reports are organized by category (SOC, ISO, PCI, government, etc.). Each report shows its validity period and the services it covers.
Download reports for your auditors
Download reports as PDFs. These are official third-party audit documents that auditors accept as evidence of AWS’s compliance posture.
AWS Audit Manager
AWS Audit Manager continuously collects evidence of your AWS usage and maps it to compliance frameworks. Instead of manually gathering screenshots and configuration exports for an audit, Audit Manager automates the evidence collection process.
Pre-built Frameworks
Audit Manager includes pre-built frameworks for HIPAA, PCI DSS, SOC 2, GDPR, NIST 800-53, and more. Each framework maps AWS controls to specific requirements.
Continuous Evidence Collection
As you operate, Audit Manager collects configuration snapshots, CloudTrail logs, and Config evaluations as evidence — automatically, without manual data gathering.
AWS Config for Compliance Monitoring
AWS Config is the engine behind automated compliance checking in AWS. Config Rules evaluate whether your resources meet your defined standards and flag resources that fall out of compliance.
Types of Config Rules:
- AWS Managed Rules
- Custom Rules
- Conformance Packs
AWS Managed Rules are pre-built rules maintained by AWS for common compliance checks. You enable them with one click — no coding required.
| Rule Name | What It Checks |
|---|---|
| root-mfa-enabled | Root account has MFA enabled |
| s3-bucket-public-access-prohibited | No S3 bucket has public access enabled |
| encrypted-volumes | All EBS volumes are encrypted |
| rds-storage-encrypted | RDS instances use storage encryption |
| iam-password-policy | Account has a strong IAM password policy |
| cloudtrail-enabled | CloudTrail is enabled in the account |
| mfa-enabled-for-iam-console-access | All console users have MFA enabled |
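To show what a Custom Rule looks like next to the managed rules in the table, here is an added example (not code from the guide or from AWS): a Lambda-style custom Config rule that receives a configuration item and reports COMPLIANT or NON_COMPLIANT, reimplementing the same checks as encrypted-volumes and rds-storage-encrypted. The sample event, volume id and result token are constructed; the evaluation logic is separated from the AWS call so it can be exercised without credentials.

```python
import json

# Resource types this custom rule evaluates, mapped to the configuration
# attribute AWS Config records for each (same checks as the managed rules
# encrypted-volumes and rds-storage-encrypted).
ENCRYPTION_ATTRIBUTE = {
    "AWS::EC2::Volume": "encrypted",
    "AWS::RDS::DBInstance": "storageEncrypted",
}


def evaluate_item(item):
    """Return COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE for one configuration item."""
    # A deleted resource can no longer be out of compliance; report NOT_APPLICABLE.
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE"
    attr = ENCRYPTION_ATTRIBUTE.get(item.get("resourceType"))
    if attr is None:
        return "NOT_APPLICABLE"
    # A missing or non-boolean attribute is treated as unencrypted: fail closed.
    return "COMPLIANT" if (item.get("configuration") or {}).get(attr) is True else "NON_COMPLIANT"


def build_evaluation(event):
    """Parse the Config invocation event and build the PutEvaluations record."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_item(item),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point when AWS Config invokes the rule; reports the result back to Config."""
    import boto3  # imported here so the evaluation logic above can be tested offline
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


# Constructed sample event: an unencrypted EBS volume, shaped like the event
# Config sends to a configuration-change-triggered custom rule.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::Volume", "resourceId": "vol-0123456789abcdef0",
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"encrypted": False}}}),
    "resultToken": "constructed-token",
}
```

Running `build_evaluation(SAMPLE_EVENT)` marks the sample volume NON_COMPLIANT; in a real deployment the Lambda's execution role needs `config:PutEvaluations`.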
Shared Responsibility in Compliance
The Shared Responsibility Model applies directly to compliance. Understanding this boundary is essential for the exam:
AWS's Compliance Responsibilities
- Physical security and environmental controls at data centers
- Hardware lifecycle, secure decommissioning
- Hypervisor and host OS security
- Managed service platform security (e.g., the RDS engine, Lambda runtime)
- Third-party audits of AWS infrastructure (results available via Artifact)
- Compliance certifications for the underlying infrastructure (SOC, ISO, PCI, FedRAMP)
Customer's Compliance Responsibilities
- Application code security and configuration
- IAM policies, MFA enforcement, and access management
- Data classification, encryption choices, and retention policies
- Network configuration (VPC, security groups, NACLs)
- OS patching for EC2 instances
- Audit logging and monitoring configuration (CloudTrail, Config)
- Signing required agreements (BAA for HIPAA, DPA for GDPR)
A practical example: AWS holds PCI DSS certification for the infrastructure that runs RDS. If you build a payment application on RDS, you inherit AWS’s physical and platform compliance — but you are still responsible for securing database users, encrypting cardholder data, restricting network access, and maintaining audit logs of who accessed what.
Key Compliance Services Summary
AWS Artifact — On-Demand Compliance Documentation
What it is: A self-service portal to download AWS compliance reports and manage legal agreements.
Use it when:
- An auditor asks for evidence of AWS’s compliance certifications
- You need to sign a BAA (HIPAA) or DPA (GDPR) with AWS
- You want to review which AWS services are covered under PCI DSS or FedRAMP
AWS Audit Manager — Continuous Compliance Evidence Collection
What it is: A service that maps your AWS usage to compliance frameworks and automatically collects audit evidence.
Use it when:
- You face recurring compliance audits (SOC 2, HIPAA, PCI DSS)
- You want to stay continuously audit-ready rather than scrambling before each audit
- You need to demonstrate compliance to third-party assessors with structured evidence
AWS Config — Resource Configuration Compliance Monitoring
What it is: A service that continuously evaluates AWS resource configurations against compliance rules and tracks changes over time.
Use it when:
- You need to detect configuration drift (e.g., someone opens a security group to 0.0.0.0/0)
- You want automated alerts when a resource falls out of compliance
- You need a configuration history for forensic investigations or audits
AWS Security Hub — Compliance Standards Dashboard
What it is: A centralized security and compliance dashboard that aggregates findings from GuardDuty, Inspector, Macie, Config, and others.
Use it when:
- You want a single security score across your account
- You need to see compliance status against CIS Benchmarks, PCI DSS, or NIST standards in one view
- You operate multiple accounts and want organization-wide compliance visibility
Common Compliance Scenarios
- Healthcare (HIPAA)
- Payment Processing (PCI DSS)
- EU Data Privacy (GDPR)
- US Government (FedRAMP)
Requirement (Healthcare / HIPAA): protect Protected Health Information (PHI) stored and processed in AWS.
AWS steps:
- Sign the Business Associate Addendum (BAA) via AWS Artifact
- Deploy only on HIPAA-eligible services (EC2, S3, RDS, Lambda, and many more)
- Enable encryption at rest (KMS) for all data stores containing PHI
- Enable CloudTrail to maintain audit logs of all access
- Restrict network access using VPC, security groups, and private subnets
- Enable AWS Config with the HIPAA conformance pack to monitor ongoing compliance
