
Compliance is not optional for most organizations. Depending on your industry and the countries you operate in, you may be legally required to demonstrate that your systems meet specific data protection, security, and audit standards. Moving workloads to AWS does not eliminate compliance obligations — but it significantly reduces the effort required to meet them, because AWS has already invested in certifying the underlying infrastructure.
Key principle: AWS handles compliance of the underlying cloud infrastructure. You are responsible for compliance of the workloads you run on top of that infrastructure. This is the Shared Responsibility Model applied to compliance.

Why Compliance Matters in the Cloud

Before the cloud, organizations had to certify their own data centers against every applicable framework, an expensive, time-consuming, and recurring process. With AWS:
  • AWS already maintains certifications and attestations against more than a hundred security standards and compliance programs covering the infrastructure layer.
  • Customers inherit the underlying compliance posture for physical security, hardware, and the managed-service platform.
  • Your audit scope is reduced because AWS provides third-party audit evidence (through AWS Artifact) that you can present to your own auditors.
  • You still own the compliance of your applications, data handling practices, IAM configurations, and network controls.

Major Compliance Frameworks and What They Cover

| Framework | Region / Scope | Industry | Key Focus |
|---|---|---|---|
| SOC 1 / SOC 2 / SOC 3 | Global | All | SOC 1: controls relevant to customers' financial reporting. SOC 2: security, availability, processing integrity, confidentiality and privacy (Trust Services Criteria). SOC 3: public summary of the SOC 2 report |
| PCI DSS | Global | Payment card (finance, retail, any merchant or service provider handling card data) | Protection of cardholder data wherever it is stored, processed or transmitted |
| HIPAA | United States | Healthcare | Privacy and security of Protected Health Information (PHI) |
| GDPR | European Union / EEA, and any organization processing EU residents' data | All | Individual data rights, lawful basis and consent, breach notification to the supervisory authority within 72 hours |
| ISO 27001 | Global | All | Information security management systems (ISMS) |
| FedRAMP | United States (Federal) | Government | Standardized cloud security authorization for federal agencies |
| SOX | United States (public companies) | All publicly traded companies | Accuracy and integrity of financial reporting, including IT controls over the systems that produce it |
| HITRUST CSF | Global | Healthcare / Finance | Certifiable framework that harmonizes HIPAA, ISO, NIST and PCI requirements for risk management |

AWS Artifact: Your Compliance Document Portal

AWS Artifact is the self-service portal where you can access AWS compliance reports, certifications, and legal agreements — on demand, at no additional cost.

Compliance Reports

Download third-party audit reports that AWS has already undergone — SOC 1, SOC 2, SOC 3, ISO 27001, PCI DSS Attestation of Compliance, FedRAMP packages, and more. Share these with your own auditors as evidence.

Agreements

Review and accept legal agreements directly in the console. The most common: the Business Associate Addendum (BAA) required for HIPAA and the Data Processing Addendum (DPA) required for GDPR.
Exam tip: AWS Artifact is the answer whenever a question asks about downloading compliance documentation, obtaining audit reports, or accessing AWS compliance certifications. It is free, self-service, and available directly in the AWS console.
How to use AWS Artifact:
  1. Open AWS Artifact in the console. Navigate to AWS Artifact from the AWS Management Console. No setup is required and it is available to every AWS account; the IAM identity you use still needs Artifact permissions granted through IAM.
  2. Browse available reports. Reports are organized by category (SOC, ISO, PCI, government, etc.). Each report shows its validity period and the services in scope.
  3. Download reports for your auditors. Accept the terms shown for the report, then download it as a PDF. These are official third-party audit documents that you can hand to auditors as evidence of AWS's compliance posture; your auditor still has to assess your own workload separately.
  4. Accept required agreements. For HIPAA workloads, accept the BAA. For GDPR, accept the DPA. Agreements can be managed for a single account or, with AWS Organizations, for every account in the organization.

AWS Audit Manager

AWS Audit Manager continuously collects evidence of your AWS usage and maps it to compliance frameworks. Instead of manually gathering screenshots and configuration exports for an audit, Audit Manager automates the evidence collection process.

Pre-built Frameworks

Audit Manager includes pre-built frameworks for HIPAA, PCI DSS, SOC 2, GDPR, NIST 800-53, and more. Each framework maps AWS controls to specific requirements.

Continuous Evidence Collection

As you operate, Audit Manager collects configuration snapshots, CloudTrail logs, and Config evaluations as evidence — automatically, without manual data gathering.
When to use it: Use Audit Manager when preparing for recurring audits. It reduces the manual work of gathering evidence and helps teams stay continuously audit-ready rather than scrambling before an audit date.

AWS Config for Compliance Monitoring

AWS Config is the engine behind automated compliance checking in AWS. Config records each resource's configuration as a configuration item, and Config Rules evaluate those items against the standard you define, marking each resource COMPLIANT or NON_COMPLIANT. There are two kinds of rules:
  • AWS managed rules: pre-built checks maintained by AWS for common compliance requirements. You enable them from the console or with one API call, with no code to write. Conformance packs bundle many managed rules for a framework such as HIPAA or PCI DSS.
  • Custom rules: your own checks, written as a Lambda function or in AWS CloudFormation Guard, for requirements the managed rules do not cover.
Commonly used managed rules:

| Rule Name | What It Checks |
|---|---|
| root-account-mfa-enabled | The root user has MFA enabled |
| s3-bucket-public-read-prohibited / s3-bucket-public-write-prohibited | No S3 bucket allows public read or public write access |
| encrypted-volumes | Attached EBS volumes are encrypted |
| rds-storage-encrypted | RDS instances use storage encryption |
| iam-password-policy | The account's IAM password policy meets the strength you specify (length, character classes, rotation) |
| cloudtrail-enabled | CloudTrail is enabled in the account |
| mfa-enabled-for-iam-console-access | Every IAM user with a console password has MFA enabled |

Shared Responsibility in Compliance

The Shared Responsibility Model applies directly to compliance. Understanding this boundary is essential for the exam:

AWS's Compliance Responsibilities

  • Physical security and environmental controls at data centers
  • Hardware lifecycle, secure decommissioning
  • Hypervisor and host OS security
  • Managed service platform security (e.g., the RDS engine, Lambda runtime)
  • Third-party audits of AWS infrastructure (results available via Artifact)
  • Compliance certifications for the underlying infrastructure (SOC, ISO, PCI, FedRAMP)

Customer's Compliance Responsibilities

  • Application code security and configuration
  • IAM policies, MFA enforcement, and access management
  • Data classification, encryption choices, and retention policies
  • Network configuration (VPC, security groups, NACLs)
  • OS patching for EC2 instances
  • Audit logging and monitoring configuration (CloudTrail, Config)
  • Signing required agreements (BAA for HIPAA, DPA for GDPR)
A practical example: AWS is assessed as a PCI DSS Level 1 service provider, and that attestation covers the infrastructure and platform that run RDS. If you build a payment application on RDS, you inherit AWS's physical and platform compliance, but you remain responsible for everything inside your scope: securing database users and credentials, encrypting cardholder data at rest and in transit, restricting network access to the database, and maintaining audit logs of who accessed what. Your own assessor evaluates your application and configuration, not AWS's.
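To make "audit logs of who accessed what" concrete, here is an added example (not from the guide) that reads constructed CloudTrail records, builds a per-principal access report, and flags the two things assessors ask about first: any use of the root user and any console login without MFA. The records, the account ID 111122223333, the user names and the resource names are all made up; only the field names are CloudTrail's.

```python
"""Who accessed what? A small CloudTrail audit over constructed records.

Added example, not from the original guide. The records are made up and
trimmed to the CloudTrail fields used here; account ID, user names and
resource names are invented.
"""
import json
from collections import defaultdict

# Constructed CloudTrail delivery file (in S3 this would be gzipped JSON).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T08:00:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-05-01T08:05:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.22",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T08:30:03Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-05-01T09:12:55Z", "eventSource": "rds.amazonaws.com",
     "eventName": "ModifyDBInstance", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"dBInstanceIdentifier": "payments-db", "applyImmediately": True}},
    {"eventTime": "2024-05-01T09:40:19Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.22",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"bucketName": "cardholder-exports", "key": "batch-01.csv"}},
]})


def load_records(text: str) -> list[dict]:
    """CloudTrail files are a JSON object with a single 'Records' array."""
    return json.loads(text)["Records"]


def principal(rec: dict) -> str:
    """Human-readable actor; root is named explicitly so it stands out."""
    ident = rec.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "ROOT"
    if ident.get("type") == "AssumedRole":
        # arn:aws:sts::111122223333:assumed-role/RoleName/SessionName
        return ident.get("arn", "unknown-role").split(":")[-1]
    return ident.get("userName", ident.get("arn", "unknown"))


def resource(rec: dict) -> str:
    """Best-effort target of the call, taken from requestParameters."""
    p = rec.get("requestParameters") or {}
    if "bucketName" in p:
        return f"s3://{p['bucketName']}/{p.get('key', '')}"
    if "dBInstanceIdentifier" in p:
        return f"rds:{p['dBInstanceIdentifier']}"
    return rec.get("eventSource", "unknown")


def access_report(records: list[dict]) -> dict:
    """principal -> [(time, action, resource)]: the 'who accessed what' view."""
    report = defaultdict(list)
    for rec in records:
        report[principal(rec)].append((rec["eventTime"], rec["eventName"], resource(rec)))
    return dict(report)


def findings(records: list[dict]) -> list[dict]:
    """Flag root-user activity and successful console logins without MFA."""
    out = []
    for rec in records:
        who = principal(rec)
        if rec.get("userIdentity", {}).get("type") == "Root":
            out.append({"type": "ROOT_ACTIVITY", "principal": who,
                        "event": rec["eventName"], "time": rec["eventTime"]})
        if (rec.get("eventName") == "ConsoleLogin"
                and (rec.get("responseElements") or {}).get("ConsoleLogin") == "Success"
                and (rec.get("additionalEventData") or {}).get("MFAUsed") != "Yes"):
            out.append({"type": "CONSOLE_LOGIN_WITHOUT_MFA", "principal": who,
                        "ip": rec.get("sourceIPAddress"), "time": rec["eventTime"]})
    return out


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for who, actions in access_report(recs).items():
        for when, action, target in actions:
            print(f"{when} {who:<6} {action:<18} {target}")
    for f in findings(recs):
        print("FINDING", f)
```

Note that the root login is flagged even though MFA was used: under the CIS AWS Foundations Benchmark any root activity is an event to explain, while the non-MFA login by bob is the finding Config's mfa-enabled-for-iam-console-access rule would have prevented.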

Key Compliance Services Summary

AWS Artifact

What it is: A self-service portal to download AWS compliance reports and manage legal agreements.
Use it when:
  • An auditor asks for evidence of AWS's compliance certifications
  • You need to sign a BAA (HIPAA) or DPA (GDPR) with AWS
  • You want to review which AWS services are in scope for PCI DSS or FedRAMP
Cost: Free to access.

AWS Audit Manager

What it is: A service that maps your AWS usage to compliance frameworks and automatically collects audit evidence.
Use it when:
  • You face recurring compliance audits (SOC 2, HIPAA, PCI DSS)
  • You want to stay continuously audit-ready rather than scrambling before each audit
  • You need to present structured evidence to third-party assessors
Cost: Charged per resource assessed per month.

AWS Config

What it is: A service that records resource configurations, tracks changes over time, and continuously evaluates them against compliance rules.
Use it when:
  • You need to detect configuration drift (e.g., someone opens a security group to 0.0.0.0/0)
  • You want automated alerts when a resource falls out of compliance
  • You need a configuration history for forensic investigations or audits
Cost: Charged per configuration item recorded and per Config Rule evaluation.

AWS Security Hub

What it is: A centralized security and compliance dashboard that aggregates findings from GuardDuty, Inspector, Macie, Config, and other sources.
Use it when:
  • You want a single security score across your account
  • You need to see compliance status against the CIS AWS Foundations Benchmark, PCI DSS, NIST SP 800-53, or the AWS Foundational Security Best Practices standard in one view
  • You operate multiple accounts and want organization-wide compliance visibility
Cost: Charged per security check and per finding ingestion event.

Common Compliance Scenarios

Scenario: HIPAA workload
Requirement: Protect Protected Health Information (PHI) stored and processed in AWS.
AWS steps:
  1. Sign the Business Associate Addendum (BAA) via AWS Artifact
  2. Deploy PHI only on HIPAA-eligible services (EC2, S3, RDS, Lambda, and many more; check the current HIPAA Eligible Services Reference before using a service for PHI)
  3. Enable encryption at rest (KMS) for all data stores containing PHI, and encryption in transit (TLS) for every path that carries it
  4. Enable CloudTrail to maintain audit logs of all access
  5. Restrict network access using VPC, security groups, and private subnets
  6. Enable AWS Config with the HIPAA conformance pack to monitor ongoing compliance
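Step 6 above and the AWS Config section earlier rely on the same mechanism: a rule evaluates each configuration item and marks the resource COMPLIANT or NON_COMPLIANT. The managed rules in that section's table do this with no code. The added example below (not from the guide) shows the same evaluation as a custom Config rule in Python, checking that data stores that may hold PHI are encrypted at rest with KMS, as step 3 requires, and covering EBS, RDS and S3 in one rule. The configuration items are constructed and trimmed; the field names are assumed to follow Config's configurationItem format, the resource IDs are made up, and only lambda_handler talks to AWS, so everything else runs offline.

```python
"""Custom AWS Config rule: encryption at rest for data stores that may hold PHI.

Added example, not from the original guide. The configuration items are
constructed and trimmed; field names are assumed to follow AWS Config's
configurationItem format as far as this rule reads it, and resource IDs are
invented. Only lambda_handler calls AWS.
"""
import json
from datetime import datetime

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"

# Constructed configuration items, one per case the rule has to handle.
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0a1b2c3d4e5f60001",
     "configurationItemStatus": "ResourceDiscovered",
     "configurationItemCaptureTime": "2024-05-01T10:00:00Z",
     "configuration": {"encrypted": True}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0a1b2c3d4e5f60002",
     "configurationItemStatus": "OK",
     "configurationItemCaptureTime": "2024-05-01T10:01:00Z",
     "configuration": {"encrypted": False}},
    {"resourceType": "AWS::RDS::DBInstance", "resourceId": "db-EXAMPLE1234567890",
     "configurationItemStatus": "OK",
     "configurationItemCaptureTime": "2024-05-01T10:02:00Z",
     "configuration": {"dBInstanceIdentifier": "phi-records", "storageEncrypted": False}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "phi-exports-example",
     "configurationItemStatus": "OK",
     "configurationItemCaptureTime": "2024-05-01T10:03:00Z",
     "configuration": {"name": "phi-exports-example"},
     "supplementaryConfiguration": {"ServerSideEncryptionConfiguration": {"rules": [
         {"applyServerSideEncryptionByDefault": {"sseAlgorithm": "AES256"}}]}}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0a1b2c3d4e5f60003",
     "configurationItemStatus": "ResourceDeleted",
     "configurationItemCaptureTime": "2024-05-01T10:04:00Z",
     "configuration": None},
]


def evaluate(ci: dict) -> tuple[str, str]:
    """Return (ComplianceType, annotation) for one configuration item."""
    if ci.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return NOT_APPLICABLE, "Resource deleted"  # never report a deleted resource as failing
    rtype = ci["resourceType"]
    conf = ci.get("configuration") or {}
    supp = ci.get("supplementaryConfiguration") or {}

    if rtype == "AWS::EC2::Volume":
        if conf.get("encrypted") is True:
            return COMPLIANT, "EBS volume is encrypted"
        return NON_COMPLIANT, "EBS volume is not encrypted"

    if rtype == "AWS::RDS::DBInstance":
        if conf.get("storageEncrypted") is True:
            return COMPLIANT, "RDS storage is encrypted"
        return NON_COMPLIANT, "RDS storage is not encrypted"

    if rtype == "AWS::S3::Bucket":
        rules = (supp.get("ServerSideEncryptionConfiguration") or {}).get("rules", [])
        algos = {(r.get("applyServerSideEncryptionByDefault") or {}).get("sseAlgorithm")
                 for r in rules} - {None}
        if "aws:kms" in algos:
            return COMPLIANT, "Bucket defaults to SSE-KMS"
        if algos:
            return NON_COMPLIANT, f"Bucket default encryption is {sorted(algos)}, not SSE-KMS"
        return NON_COMPLIANT, "Bucket has no default encryption rule"

    return NOT_APPLICABLE, f"Rule does not evaluate {rtype}"


def build_evaluation(ci: dict) -> dict:
    """One entry in the Evaluations list that PutEvaluations expects."""
    compliance, note = evaluate(ci)
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": datetime.fromisoformat(
            ci["configurationItemCaptureTime"].replace("Z", "+00:00")),
    }


def compliance_summary(items: list[dict]) -> dict:
    """resourceId -> ComplianceType, the view the Config console shows per rule."""
    return {ci["resourceId"]: evaluate(ci)[0] for ci in items}


def lambda_handler(event, context):
    """Entry point when Config invokes the rule after a configuration change."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    evaluation = build_evaluation(ci)
    import boto3  # imported here so the module can be exercised without AWS
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


if __name__ == "__main__":
    for rid, status in compliance_summary(SAMPLE_ITEMS).items():
        print(f"{status:<15} {rid}")
```

The S3 case is the one worth reading twice: a bucket with SSE-S3 (AES256) default encryption is still encrypted at rest, but it fails this rule because the scenario calls for KMS, so the annotation says why. Wire the function up with a Config rule whose Source.Owner is CUSTOM_LAMBDA and a trigger on configuration changes for the three resource types.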
Exam tip: For HIPAA, always mention the BAA. Without the BAA, AWS cannot be a compliant Business Associate under HIPAA.
Exam tip: AWS Artifact is your go-to answer for any question about downloading compliance documentation, accessing AWS audit reports, or obtaining certifications to show an auditor. It is free, self-service, and requires no additional setup.
Common mistake: Assuming that because AWS is certified for PCI DSS or HIPAA, your application is automatically compliant. AWS’s certification covers their infrastructure. Your application, data handling, access controls, and configurations must be independently assessed.
