Lesson 18

Compliance and Governance

AWS Config, AWS Artifact, CloudTrail, compliance programs, and data protection — demonstrating security posture to auditors

AWS Config

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It continuously monitors and records resource configurations, letting you automate the evaluation of recorded configurations against desired configurations.

What AWS Config Does

  • Resource inventory: Maintains a list of all resources in the account with their current configuration state.
  • Configuration history: Records changes over time — know what a resource looked like at any point in the past.
  • Relationship tracking: Shows how resources relate to each other (e.g., which EC2 instance uses which security group).
  • Compliance evaluation: Evaluates configurations against rules (e.g., "Is encryption enabled on this EBS volume?").
  • Noncompliance flagging: Resources found noncompliant are flagged; the dashboard shows compliance status at a glance.

Operational Notes

  • Regional service: Enable it in every Region you use. Alerts and rules are Region-scoped.
  • Aggregator: Optional feature that provides an aggregated view across multiple Regions and multiple accounts — useful for large organizations.
  • Config rules: Use AWS-managed rules (pre-built) or custom rules (Lambda-based).
  • Use cases: Compliance auditing, security analysis, change management, operational troubleshooting.

Config vs. CloudTrail: Config tells you what the configuration is and whether it's compliant. CloudTrail tells you who made the change and when. Both are critical for governance and audit. Config = "what changed." CloudTrail = "who changed it."
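As an added example (not code from the course or from AWS), the evaluation logic of a Lambda-based custom Config rule that implements the "Is encryption enabled on this EBS volume?" check from the table above. The sample event is constructed in the shape Config passes to a custom rule for a configuration change; resources that have been deleted are reported as NOT_APPLICABLE so they do not stay flagged after removal.

```python
import json

# Constructed sample event in the shape AWS Config passes to a custom rule's
# Lambda for a configuration-change trigger (invokingEvent is a JSON string).
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Volume",
            "resourceId": "vol-0123456789example",   # constructed id
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2026-01-01T00:00:00.000Z",
            "configuration": {"encrypted": False, "volumeType": "gp3"},
        },
    }),
    "resultToken": "constructed-result-token",
}

def evaluate_compliance(item):
    """Return (ComplianceType, annotation) for one configuration item."""
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "Resource no longer exists"
    if item.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE", "Rule only evaluates EBS volumes"
    if (item.get("configuration") or {}).get("encrypted") is True:
        return "COMPLIANT", "Volume is encrypted at rest"
    return "NON_COMPLIANT", "Volume is not encrypted at rest"

def build_evaluations(event):
    """Turn the rule invocation into the evaluation list Config expects."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_compliance(item)
    return [{
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }]

def lambda_handler(event, context):
    """Lambda entry point: report the result back to Config via PutEvaluations."""
    evaluations = build_evaluations(event)
    import boto3  # imported lazily so the module can be tested without the SDK
    boto3.client("config").put_evaluations(
        Evaluations=evaluations, ResultToken=event["resultToken"])
    return evaluations
```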

AWS CloudTrail (Governance Review)

CloudTrail tracks user activity and API usage. It logs all API requests to resources in all supported services — who did what, when, and from which IP address.

Key Points for Governance

  • Enabled by default: 90 days of management event history, free, viewable in Event history.
  • Create a Trail for retention: Send logs to an S3 bucket for permanent storage. Optionally deliver to CloudWatch Logs for alerting.
  • Apply to all Regions: A single Trail can cover all Regions, or it can be scoped to a single Region.
  • Governance value: Provides the audit trail required for compliance — proves what actions were taken and by whom.
  • Organizational Trails: For AWS Organizations, create a Trail that logs all activity across all member accounts.

AWS Artifact

AWS Artifact provides on-demand downloads of AWS security and compliance documents. You submit these audit artifacts to your auditors or regulators to demonstrate the security and compliance of the AWS infrastructure you use.

What You Get from Artifact

  • Compliance reports: ISO certifications (27001, 27017, 27018), PCI DSS, SOC 1/2/3 reports.
  • Agreements: Review, accept, and manage AWS agreements such as the Business Associate Agreement (BAA) for HIPAA compliance.
  • Multi-account: Accept an agreement once on behalf of all accounts in an AWS Organization.

Important note: AWS Artifact provides documents about AWS only. Customers are responsible for developing or obtaining documents that demonstrate the security and compliance of their own company.

AWS Compliance Programs

AWS engages with external certifying bodies and independent auditors to provide customers with information about the policies, processes, and controls established and operated by AWS. These programs fall into three categories:

  • Certifications & Attestations: Assessed by third-party independent auditors. Examples: ISO 27001, 27017, 27018, ISO 9001, SOC 1/2/3, PCI DSS Level 1.
  • Laws, Regulations & Privacy: AWS provides security features and legal agreements to support compliance. Examples: HIPAA, GDPR, ITAR, FedRAMP.
  • Alignments & Frameworks: Industry- or function-specific security requirements. Examples: CIS, NIST, EU-US Privacy Shield, FIPS 140-2.

Exam tip: When a question asks about "demonstrating AWS compliance to auditors," the answer is almost always AWS Artifact. When a question asks about "ensuring resources comply with internal policies," the answer is AWS Config.

Data Protection: Encryption and S3 Security

Encryption at Rest

Data stored physically on disk or tape can be encrypted using AWS KMS with the AES-256 algorithm. Services that support KMS encryption at rest include S3, EBS, EFS, RDS, DynamoDB, and Redshift. Encryption and decryption are handled automatically and transparently — no application changes needed.

Encryption in Transit

Data moving across the network is encrypted using TLS 1.2 (formerly SSL). AWS Certificate Manager provisions, manages, and deploys SSL/TLS certificates — and handles automatic renewal — for use with load balancers, CloudFront distributions, and API Gateway. HTTPS (HTTP over TLS) protects against eavesdropping and man-in-the-middle attacks.

Securing S3 Buckets and Objects

  • Default private: Newly created S3 buckets and objects are private and protected by default.
  • S3 Block Public Access: A straightforward setting that overrides any bucket policy or ACL that would grant public access. Enable it on all buckets that should not be publicly accessible.
  • Bucket policies: JSON resource-based policies. Use when the user/system cannot authenticate via IAM. Can grant cross-account access.
  • ACLs: Legacy access control mechanism. Less commonly used; avoid overly permissive ACL configurations.
  • Trusted Advisor bucket permission check: Free feature that identifies buckets with permissions granting global access.
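The Trusted Advisor check above looks for buckets whose permissions grant global access. As an added example (not code from the course, AWS or Trusted Advisor), the following Python applies the same idea to a bucket policy document: it separates Allow statements that open the bucket to everyone unconditionally from those that grant everyone access only under a Condition, and ignores Deny statements such as the deny-unless-TLS statement used to enforce encryption in transit. The sample policy is constructed.

```python
import json

# Constructed sample bucket policy (no real account or bucket). PublicRead is an
# unconditional anonymous grant; PartnerAccount is a scoped cross-account grant;
# DenyInsecureTransport enforces TLS; OfficeOnly grants everyone access but only
# from one IP range, so it needs a manual look rather than an automatic flag.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PartnerAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
})

def _principal_is_anyone(principal):
    """True when the Principal element matches any caller, including anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False

def find_global_grants(policy_document):
    """Return (public, conditioned): Sids of Allow statements open to everyone
    with no Condition, and Sids of Allow statements open to everyone under a
    Condition (not public by itself, but the condition should be reviewed)."""
    statements = json.loads(policy_document).get("Statement", [])
    if isinstance(statements, dict):   # a lone statement may be a bare object
        statements = [statements]
    public, conditioned = [], []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue   # Deny statements never open the bucket, whatever the principal
        sid = stmt.get("Sid", f"Statement[{idx}]")
        (conditioned if stmt.get("Condition") else public).append(sid)
    return public, conditioned
```

S3 Block Public Access sits above any such policy: with it enabled, even the PublicRead statement above would not take effect.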

Compliance & Governance Quiz


1. A company needs to provide an ISO 27001 certification report to their external auditors to demonstrate that AWS infrastructure meets security standards. Which AWS service should they use?
2. A company must ensure that all Amazon EBS volumes are encrypted. Which AWS service can automatically evaluate existing volumes and flag unencrypted ones as noncompliant?
3. A developer accidentally deleted a critical S3 bucket. Which AWS service would record the API call that performed the deletion, along with the user identity and timestamp?
4. A company stores customer data in S3 and must ensure no bucket is publicly accessible. Which feature provides the simplest way to prevent public access across all buckets?
5. A company deploys an HTTPS web application behind an Application Load Balancer. They need to manage the SSL/TLS certificate and ensure it renews automatically before expiration. Which service should they use?
Primary Source: AWS Academy Module 4: AWS Cloud Security (module-4.txt) — Sections 5-6: Securing data, Encryption at rest/in transit, S3 security, Compliance programs, AWS Config, AWS Artifact.
Last updated: June 2026. © 2026 Shahriar Ahmed Shovon.