AWS cloud security, governance, and compliance are the three pillars that together keep your AWS workloads safe, auditable, and aligned with legal obligations. AWS security governance compliance covers preventive controls (who can do what), detective controls (who did what), and compliance programs (which regulatory standards AWS has been audited against). Task Statement 2.2 of the CLF-C02 exam expects you to identify AWS Config, AWS Organizations, AWS Control Tower, AWS CloudTrail, AWS Artifact, AWS KMS, and the main compliance programs (SOC, PCI DSS, HIPAA, ISO, FedRAMP, GDPR), and to know when each applies.
What is AWS Cloud Security, Governance & Compliance?
AWS security governance compliance is an umbrella phrase used across AWS documentation and the CLF-C02 exam guide to describe a coordinated capability set. Security means protecting data, systems, and identities. Cloud governance means setting guardrails so that dozens (or thousands) of AWS accounts stay consistent with policy. Compliance programs mean mapping your workloads to externally audited standards so regulators, auditors, and customers can trust what you operate on AWS.
At the Cloud Practitioner level, AWS security governance compliance is not about writing code. It is about recognizing which AWS service or compliance program solves which problem. Exam questions typically take the form: "A company needs to X — which AWS service/program should they use?" If you memorize the boundary between AWS Config (configuration history), AWS Organizations (multi-account policy), AWS CloudTrail (API audit log), AWS Artifact (downloadable compliance reports), and AWS KMS (encryption keys), you can answer nearly every 2.2 question reliably.
Why AWS security governance compliance matters for CLF-C02
Domain 2 ("Security and Compliance") carries 30% of the CLF-C02 weight — the single largest domain. Within Domain 2, Task 2.2 is the "concept" task that ties together the framework for all remaining security tasks. Because AWS cloud governance touches every service, exam-writers can generate hundreds of scenario questions from the same small vocabulary. Learning this vocabulary once unlocks a disproportionate number of right answers.
Scope of this topic vs adjacent topics
AWS security governance compliance is distinct from the shared responsibility model (that is Task 2.1) and from identity and access management (IAM — that is Task 2.3) and from the security service catalog (GuardDuty, Inspector, Macie — that is Task 2.4). In this topic the focus is governance services (Config, Organizations, Control Tower), audit services (CloudTrail), encryption primitives (KMS), and compliance programs. Keep that mental fence up while reading scenarios.
Plain-Language Explanation: AWS Cloud Security, Governance & Compliance
White-paper prose hides how intuitive AWS security governance compliance really is. Three analogies help cement the concepts.
Analogy 1 — The office building (door access, CCTV, fire-safety certificate)
Imagine a shared office building. Security is the locked front door and the badges employees swipe — that maps to AWS KMS encryption and IAM credentials. Governance is the building management rule that says "no smoking on any floor, every tenant must keep fire-extinguishers" — that maps to AWS Organizations service control policies (SCPs) and AWS Config rules. Compliance is the fire-safety certificate hanging in the lobby issued by a government inspector — that maps to AWS Artifact downloadable reports (SOC, ISO, PCI). The building owner did not invent the fire code; a regulator did. AWS did not invent HIPAA; the US Department of Health and Human Services did. AWS just gets audited and hands you the certificate.
Analogy 2 — The kitchen camera and the recipe binder
Run a commercial kitchen. Above every workstation is a security camera that records every single action cooks take — that is AWS CloudTrail, the audit log of every API call. On the wall is a thermometer and a humidity sensor whose readings feed the dashboard — that is Amazon CloudWatch, the operational monitoring system. On a shelf sits a ring-binder that lists every piece of equipment currently in the kitchen and what version each one is at, updated the moment anything changes — that is AWS Config, the configuration history service. Auditors read the camera tapes (CloudTrail) and the binder (Config). Chefs read the dashboard (CloudWatch). Candidates who confuse CloudTrail with CloudWatch fail questions because they mix "who did what" with "how hot is the oven".
Analogy 3 — The postal system and sealed envelopes
Think of AWS cloud governance as a national postal system. AWS Organizations is the post office headquarters: it decides which branches (AWS accounts) exist and what each one is allowed to ship via SCPs. AWS Control Tower is the startup kit that a new branch gets when it opens: pre-configured shelves, signage, and policy posters — a multi-account landing zone with guardrails already in place. AWS KMS is the sealed envelope service: every letter (S3 object, EBS volume, RDS database) can be sealed with a tamper-proof wax seal so only the intended recipient with the matching key can read it. AWS Artifact is the glass display case in the lobby containing the post office's audited certifications proving it meets ISO 27001, SOC 2, and other postal standards. Compliance programs are the standards themselves, set by external bodies.
Core Operating Principles — AWS Compliance Programs and Shared Governance
AWS security governance compliance operates on three overlapping principles: shared compliance, default safety, and audit-first design.
Shared compliance
Under the AWS shared responsibility model, AWS is responsible for security and compliance of the cloud and the customer is responsible for security and compliance in the cloud. AWS is audited once per standard and publishes the report; you inherit those controls for the physical datacenter, the hypervisor, and the global network. You remain on the hook for your data classification, your IAM policies, your encryption choices, your operating system and network configuration, and your application code. Every CLF-C02 compliance question assumes this inheritance model.
Default safety via AWS Control Tower
AWS Control Tower sets up a multi-account landing zone with guardrails turned on by default: CloudTrail enabled in every account, AWS Config running, centralized logging archive, and a set of preventive SCPs. Rather than bolt governance on after the fact, Control Tower bakes it in at account creation time.
Audit-first design
Every action on AWS, whether from a human in the console or a Lambda function calling the API, is authorized by AWS Identity and Access Management. AWS CloudTrail records management (control-plane) API calls by default; data-plane calls such as S3 object reads are recorded only if you enable data events. AWS Config tracks resource configuration once its configuration recorder is turned on in each account and Region. This gives compliance programs an evidence trail without developers writing extra code, provided those services are actually enabled everywhere, which is exactly what Control Tower takes care of.
AWS does not make your application HIPAA-compliant just because AWS is HIPAA-eligible. You inherit AWS's controls for infrastructure, but you must still sign a Business Associate Addendum (BAA), enable encryption, restrict IAM, and use only HIPAA-eligible services for protected health information. Reference: https://aws.amazon.com/compliance/hipaa-compliance/
AWS Artifact — Where to Find Compliance Reports and Agreements
AWS Artifact is a self-service portal inside the AWS Management Console that hosts AWS's compliance reports (Artifact Reports) and legal agreements (Artifact Agreements). If an auditor asks you for AWS's SOC 2 Type II report, you log into AWS Artifact, accept the confidentiality terms, and download the PDF. No support ticket required.
Artifact Reports
Artifact Reports include SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, the PCI DSS Attestation of Compliance and Responsibility Summary, FedRAMP packages, and dozens more. Each report is produced by an independent third-party auditor who has examined AWS's controls. Most reports are confidential and covered by the NDA you accept in the portal, so share them with your auditor but do not re-post them publicly.
Artifact Agreements
Artifact Agreements are the legal documents you review and accept with AWS, the main example being the HIPAA Business Associate Addendum (BAA), which can be accepted for a single account or for every account in an Organization. Accepting an agreement flips a legal switch: accepting the BAA makes the account eligible to handle PHI using HIPAA-eligible services. (The GDPR Data Processing Addendum works differently: it is incorporated into the AWS Service Terms and applies automatically, with no separate acceptance step.)
How Artifact fits in compliance workflows
AWS Artifact does not make you compliant. Artifact is a document distribution service. The actual AWS security governance compliance work happens in AWS Config (are my resources configured correctly?), CloudTrail (who changed what?), and IAM (who can do what?). Artifact is what you show auditors; Config and CloudTrail are where you prove it.
AWS Artifact distributes AWS's externally audited compliance reports and agreements. AWS Config tracks your resource configuration history and evaluates it against rules. Artifact is about AWS the vendor; Config is about your account. Reference: https://docs.aws.amazon.com/artifact/latest/ug/what-is-aws-artifact.html
Compliance Programs AWS Supports
AWS supports more than 140 compliance programs, but for the CLF-C02 exam you only need to recognize a core set of compliance programs and the industries they cover.
SOC 1, SOC 2, and SOC 3
SOC stands for System and Organization Controls, issued by the American Institute of Certified Public Accountants (AICPA). SOC 1 covers financial reporting controls, SOC 2 covers security, availability, confidentiality, processing integrity, and privacy, and SOC 3 is a public-facing summary version of SOC 2. AWS publishes all three in AWS Artifact.
PCI DSS
The Payment Card Industry Data Security Standard applies to any workload that stores, processes, or transmits cardholder data. AWS is a PCI DSS Level 1 service provider, the highest service-provider level, and publishes its Attestation of Compliance (AOC) in AWS Artifact. Your own cardholder-data environment still has to be assessed: AWS's AOC covers only the services and controls AWS operates, not how you configured them.
HIPAA
The US Health Insurance Portability and Accountability Act governs Protected Health Information (PHI). AWS offers a HIPAA-eligible services list and a Business Associate Addendum via AWS Artifact. Only HIPAA-eligible services (EC2, S3, RDS, Lambda, and dozens more) can be used to handle PHI.
ISO 27001, ISO 27017, ISO 27018
ISO 27001 is the international information security management standard. ISO 27017 is the cloud-specific extension. ISO 27018 covers protection of personally identifiable information (PII) in public clouds. AWS is certified on all three.
FedRAMP
The US Federal Risk and Authorization Management Program is the authorization framework for cloud services used by US federal agencies. AWS operates FedRAMP Moderate and FedRAMP High authorizations in dedicated AWS GovCloud (US) Regions as well as standard commercial Regions.
GDPR
The European Union General Data Protection Regulation governs personal data of people in the EU. AWS's GDPR Data Processing Addendum (DPA) is incorporated into the AWS Service Terms and applies automatically to customers who need it, and AWS provides tooling (AWS Config, AWS Audit Manager, AWS KMS) to support customer GDPR obligations. GDPR requires the controller to implement appropriate technical and organizational measures: AWS provides the platform and the processor-side commitments, the customer implements the controls.
You do not need to memorize every control. You need to recognize: SOC is audit reports, PCI DSS is credit cards, HIPAA is US health data, ISO 27001 is international security, FedRAMP is US federal, GDPR is EU privacy. The portal to download evidence is AWS Artifact. Reference: https://aws.amazon.com/compliance/programs/
Data Residency and Data Sovereignty — Choose Your Region
Data residency is the physical location of data; data sovereignty is the legal jurisdiction that applies to it. AWS security governance compliance respects both by giving you explicit Region choice.
Region-level data control
Your data stays in the Region you choose. If you create an S3 bucket in eu-west-1 (Ireland), the objects do not leave EU-based AWS datacenters unless you explicitly copy them elsewhere or use a multi-Region service. This is enforced by AWS, not just promised.
Services that cross Regions
A handful of services are global by design (IAM, Route 53, CloudFront, AWS Organizations, the STS global endpoint), so their control-plane metadata is not confined to one Region. To keep workloads in approved Regions, attach an SCP that denies any action whose aws:RequestedRegion is outside the approved list while exempting those global services; AWS Config rules can then detect, but not prevent, a resource that slips through. Config must itself be turned on in every Region you want it to watch.
AWS GovCloud and sovereign cloud options
For US government workloads requiring FedRAMP High and ITAR compliance, AWS operates AWS GovCloud (US) Regions — physically and logically separated from the commercial AWS partition. AWS also launched the AWS European Sovereign Cloud initiative to offer extra data sovereignty guarantees for EU customers. For cloud governance questions on the exam, remember: Region choice is the primary tool for data residency.
Common residency question pattern
"A company must store customer data in Germany only." The right answer picks the eu-central-1 (Frankfurt) Region and applies SCPs to deny resource creation anywhere else. The wrong answer talks about encryption — encryption protects confidentiality, not residency.
Encryption — AWS KMS and S3 Server-Side Encryption
Encryption is the workhorse of AWS security governance compliance. Whenever a CLF-C02 scenario mentions "at-rest" or "in-transit" protection, the answer almost always involves AWS Key Management Service (KMS).
AWS KMS fundamentals
AWS KMS is a managed service that creates and controls cryptographic keys used to encrypt data across more than 100 AWS services. KMS keys (formerly Customer Master Keys, or CMKs) come in three flavors for exam purposes: AWS-owned keys (invisible, AWS-managed, no charge), AWS-managed keys (visible in your account, AWS-rotated), and customer-managed keys (you create, you rotate, you set the policy).
AWS-managed keys vs customer-managed keys
AWS-managed keys have names like aws/s3 and aws/ebs. AWS creates one per service per account per Region, rotates them annually, and does not charge a key-storage fee. Customer-managed keys give you control over the key policy, rotation schedule, and grants — for exam purposes, choose customer-managed keys whenever the scenario mentions "custom key rotation," "cross-account key sharing," or "revoke access instantly."
S3 server-side encryption options
Amazon S3 supports four server-side encryption types. SSE-S3 uses keys that S3 manages internally. SSE-KMS uses a KMS key (the AWS-managed aws/s3 key or a customer-managed key); every key use is logged in CloudTrail and governed by the key policy, and S3 Bucket Keys reduce the number of KMS requests. SSE-C uses a key you supply on every request, so S3 never stores it. DSSE-KMS performs dual-layer server-side encryption for workloads that require two independent encryption layers. Since January 2023 all new S3 object uploads are encrypted with SSE-S3 by default, no opt-in needed; to require SSE-KMS with a specific key you still set default bucket encryption or a bucket policy.
Encryption in transit
Encryption in transit uses TLS (SSL). Every AWS API endpoint accepts HTTPS. AWS Certificate Manager (ACM) issues and manages TLS certificates for CloudFront, Application Load Balancer, and API Gateway — included at no extra charge when the certificate is used with those services.
AWS CloudHSM
AWS CloudHSM provides single-tenant hardware security modules that you administer and whose keys AWS cannot access, for customers whose regulators or contracts require FIPS 140 Level 3 validated hardware under their sole control (financial services, defense). Most customers use KMS, whose HSMs are also FIPS-validated but are multi-tenant and operated by AWS; CloudHSM is the advanced option.
AWS KMS is the default answer for key management. Customer-managed keys when you need rotation or policy control. SSE-S3 is the S3 default. ACM is for TLS. CloudHSM when the requirement is a single-tenant HSM under the customer's exclusive control. Reference: https://docs.aws.amazon.com/kms/latest/developerguide/overview.html
Governance Services — AWS Config
AWS Config is the configuration history and compliance evaluation service. Every CLF-C02 cloud governance question involving "track configuration" or "enforce configuration rule" maps to AWS Config.
What AWS Config records
AWS Config continuously records the configuration state of your AWS resources (EC2 instances, security groups, S3 buckets, IAM policies, and more) and stores configuration snapshots plus a full change history. If a security group opens port 22 to the world at 03:00, Config records the before and after state with timestamps and links the configuration item to the related CloudTrail event, which is where the IAM principal who made the change is named.
AWS Config rules
AWS Config rules evaluate your recorded configurations against a desired state. AWS ships dozens of managed rules (for example, s3-bucket-public-read-prohibited, encrypted-volumes, root-account-mfa-enabled). You can also author custom rules using AWS Lambda. When a resource drifts into non-compliance, Config flags it in the dashboard and can trigger remediation through AWS Systems Manager Automation documents.
AWS Config conformance packs
Conformance packs are collections of Config rules and remediation actions bundled to satisfy a compliance framework (NIST 800-53, PCI DSS, HIPAA Operational Best Practices). Deploy a conformance pack with one click and AWS Config starts evaluating dozens of rules at once.
AWS Config vs AWS CloudTrail
AWS Config answers "what did the configuration look like?" AWS CloudTrail answers "who made the change?" They complement each other. Security auditors usually need both: CloudTrail proves identity, Config proves state.
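A custom Config rule is just a Lambda function that receives a configuration item and reports a verdict. The handler below is an added example written for this guide, not code shipped by AWS: it flags security groups that expose SSH (22) or RDP (3389) to the whole internet, the scenario used earlier in this section. The sample invocation event is constructed in the shape Config uses for AWS::EC2::SecurityGroup items (camelCase field names such as ipPermissions and cidrIp); the resource ID and timestamp are made up. The verdict logic is kept in pure functions so it can be run offline; only lambda_handler talks to the Config API.

```python
"""Custom AWS Config rule (Lambda handler): flag security groups open to the world on 22/3389.

Added example, not AWS-provided code. Config invokes lambda_handler with an event whose
`invokingEvent` is a JSON string carrying the configuration item; the handler reports
COMPLIANT / NON_COMPLIANT back with config:PutEvaluations.
"""
import json

RISKY_PORTS = {22, 3389}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _open_to_world(rule):
    """True if one ingress rule covers a risky port and allows any source address."""
    proto, lo, hi = rule.get("ipProtocol"), rule.get("fromPort"), rule.get("toPort")
    if proto == "-1":                      # "all traffic" has no port fields and covers every port
        covers_risky = True
    elif lo is None or hi is None:
        covers_risky = False
    else:
        covers_risky = any(lo <= p <= hi for p in RISKY_PORTS)
    sources = [r.get("cidrIp") for r in rule.get("ipRanges", [])]
    sources += [r.get("cidrIpv6") for r in rule.get("ipv6Ranges", [])]
    return covers_risky and any(s in ANYWHERE for s in sources)


def evaluate_security_group(item):
    """Return COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE for one configuration item."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE"
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE"            # deleted resources must not be reported as non-compliant
    rules = item.get("configuration", {}).get("ipPermissions", [])
    return "NON_COMPLIANT" if any(_open_to_world(r) for r in rules) else "COMPLIANT"


def build_evaluation(event):
    """Parse the Config invocation event into a PutEvaluations entry (pure, testable)."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_security_group(item),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point Config calls; reports the verdict back to the service."""
    import boto3  # present in the Lambda runtime; imported here so the pure functions run offline
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


# Constructed sample event: a security group that opens SSH to 0.0.0.0/0 (ids and times made up).
SAMPLE_EVENT = {
    "resultToken": "constructed-token",
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T03:00:00.000Z",
            "configuration": {"ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
            ]},
        },
    }),
}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

Deploy it as a Lambda function with a Config custom rule scoped to AWS::EC2::SecurityGroup and an execution role that allows config:PutEvaluations; pair the rule with a Systems Manager Automation remediation if you want the offending rule revoked automatically rather than only flagged. The NOT_APPLICABLE branch for deleted resources matters in practice: without it the rule keeps reporting non-compliance for security groups that no longer exist.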
Governance Services — AWS Organizations and Service Control Policies
AWS Organizations is the multi-account management service that sits at the top of your AWS cloud governance stack. When a company passes a handful of accounts, Organizations becomes non-negotiable.
Organizational units (OUs) and hierarchy
Organizations lets you group accounts into organizational units (OUs), arranged as a tree under the organization root; the management account owns the organization but is not itself the root node. Typical OUs: Security, Sandbox, Production, SDLC, Suspended. Policies attached to the root or to a parent OU are inherited by every OU and account beneath it.
Service control policies (SCPs)
Service control policies are the blunt hammer of AWS cloud governance. An SCP defines the maximum permissions any IAM principal in a target account can exercise. Even if an IAM policy says "Allow s3:*", if an SCP says "Deny s3:DeleteBucket", the deny wins. SCPs do not grant permissions; they only constrain them.
Consolidated billing and volume discounts
Organizations automatically consolidates billing across all member accounts into a single invoice sent to the management account. Consolidated billing also aggregates usage across accounts so you qualify for volume tiers and pooled Reserved Instance / Savings Plans benefits.
AWS Organizations vs IAM
IAM controls identity and permissions inside one account. Organizations controls policy across many accounts. SCPs are not IAM policies; they are Organizations policies that sit above IAM. For a principal acting in its own account, identity policies and resource policies are combined (an allow in either is enough), and that result is then narrowed by the SCPs, any permission boundary, and any session policy. An explicit Deny anywhere in the chain wins.
Organizations offers two SCP strategies. Deny-list: leave the default FullAWSAccess SCP attached and add SCPs that explicitly deny risky actions. Allow-list: detach FullAWSAccess and attach SCPs that explicitly allow only the services you want, because without an Allow at every level of the tree everything is implicitly denied. Most organizations use a deny-list. SCPs affect every IAM user and role in a member account, including that account's root user.
Reference: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
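The two SCP patterns this section and the data-residency section describe (a deny-list SCP that blocks actions outside an approved Region, and a deny-list SCP that protects CloudTrail), evaluated against an identity policy with a small Python model. This is an added example for this guide, not code from AWS. The SCP documents are in the normal policy JSON shape and could be attached in Organizations as-is; the list of exempted global services is an assumption to adjust for your environment. The evaluator is a deliberate simplification: it models Action/NotAction, Effect and the aws:RequestedRegion condition only, treats all attached SCPs as one level (real evaluation repeats the "at least one Allow and no Deny" test at every level from the root down), and ignores resource ARNs, resource policies, permission boundaries and session policies.

```python
"""Toy evaluation of an API call against SCPs plus an IAM identity policy.

Added example, not AWS code. Models Action/NotAction, Effect and the
aws:RequestedRegion condition only (no Resource ARNs, resource policies,
permission boundaries or session policies).
"""
import fnmatch

# The default SCP Organizations attaches everywhere: allows everything.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Deny-list SCP for data residency: block calls outside eu-central-1, except to
# global services that are always served from us-east-1 (this list is an assumption).
REGION_RESTRICTION_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyAllOutsideFrankfurt",
    "Effect": "Deny",
    "NotAction": ["iam:*", "organizations:*", "route53:*", "cloudfront:*",
                  "sts:*", "support:*", "budgets:*"],
    "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-central-1"]}},
}]}

# Deny-list SCP for a Production OU: nobody, not even root, may tamper with trails.
PROTECT_CLOUDTRAIL_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyCloudTrailTampering",
    "Effect": "Deny",
    "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging",
               "cloudtrail:UpdateTrail", "s3:DeleteBucket"],
    "Resource": "*",
}]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _statement_applies(stmt, action, ctx):
    """True when the statement's Action/NotAction and Condition both match this call."""
    if "NotAction" in stmt:
        hit = not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["NotAction"]))
    else:
        hit = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    if not hit:
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, wanted in pairs.items():
            present = ctx.get(key) in _as_list(wanted)
            if operator == "StringEquals" and not present:
                return False
            if operator == "StringNotEquals" and present:
                return False
    return True


def evaluate_policy(policy, action, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for a single policy document."""
    effects = {s["Effect"] for s in policy["Statement"] if _statement_applies(s, action, ctx)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"


def is_allowed(scps, identity_policy, action, region):
    """The call succeeds only if the SCP layer permits it AND the identity policy allows it.

    SCP layer: at least one attached SCP must Allow and none may Deny.
    An SCP never grants anything by itself; the identity policy still has to allow.
    """
    ctx = {"aws:RequestedRegion": region}
    scp_results = [evaluate_policy(p, action, ctx) for p in scps]
    if "Deny" in scp_results or "Allow" not in scp_results:
        return False
    return evaluate_policy(identity_policy, action, ctx) == "Allow"


ADMIN_IDENTITY = {"Version": "2012-10-17",
                  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
READ_ONLY_S3_IDENTITY = {"Version": "2012-10-17",
                         "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}


def run_scenarios():
    """Exam-style scenarios from the text, decided by the toy model."""
    prod_scps = [FULL_AWS_ACCESS, REGION_RESTRICTION_SCP, PROTECT_CLOUDTRAIL_SCP]
    return {
        "outside_region": is_allowed(prod_scps, ADMIN_IDENTITY, "ec2:RunInstances", "us-east-1"),
        "inside_region": is_allowed(prod_scps, ADMIN_IDENTITY, "ec2:RunInstances", "eu-central-1"),
        "global_service": is_allowed(prod_scps, ADMIN_IDENTITY, "iam:CreateUser", "us-east-1"),
        "deny_wins": is_allowed(prod_scps, ADMIN_IDENTITY, "cloudtrail:DeleteTrail", "eu-central-1"),
        "scp_does_not_grant": is_allowed([FULL_AWS_ACCESS], READ_ONLY_S3_IDENTITY, "s3:PutObject", "eu-central-1"),
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{'ALLOW' if allowed else 'DENY':5}  {name}")
```

Two of the scenarios are the exam traps in this section: deny_wins shows an administrator with s3:* and cloudtrail:* in IAM still losing to an SCP Deny, and scp_does_not_grant shows that FullAWSAccess on its own gives a read-only user nothing. Before attaching a Region-restriction SCP for real, test it on a sandbox OU; a missing global-service exemption locks everyone out of IAM and STS, which the model reproduces if you remove "iam:*" from the NotAction list.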
Governance Services — AWS Control Tower
AWS Control Tower is the quickest way to set up a multi-account AWS landing zone aligned with AWS best-practice guardrails. It sits on top of AWS Organizations.
What Control Tower provisions
A freshly deployed Control Tower landing zone includes: the management account, a log archive account (central S3 buckets for CloudTrail and Config logs), and an audit account for security and compliance teams (commonly made the delegated administrator for Security Hub and GuardDuty, though that is your decision rather than a Control Tower default), plus Account Factory for vending new accounts. It enables AWS Config, an organization-wide CloudTrail trail, AWS IAM Identity Center, and a catalog of preventive and detective guardrails automatically.
Guardrails
Control Tower guardrails (now called controls in the console and documentation; the exam uses both words) are pre-packaged rules expressed as either SCPs (preventive) or AWS Config rules (detective); a third kind, proactive controls, checks CloudFormation templates before resources are created. Mandatory guardrails cannot be disabled; for example, "Disallow changes to CloudTrail set up by Control Tower" is mandatory. Strongly recommended and elective guardrails can be toggled per OU.
Account Factory
Account Factory is a Service Catalog product that end-users can launch to vend a new AWS account with every baseline control already applied. This replaces ad-hoc account creation and ensures new accounts never lack foundational AWS cloud governance coverage.
Control Tower vs AWS Organizations
AWS Organizations is the raw API primitive. AWS Control Tower is the opinionated packaging around it — guardrails plus central logging plus Account Factory. If the exam scenario says "the company wants a multi-account landing zone with best-practice guardrails out of the box," the answer is Control Tower. If the scenario says "the company wants to apply an SCP to a specific OU," the answer is Organizations.
Audit and Logging — AWS CloudTrail
AWS CloudTrail is the single most important audit service on AWS. Every AWS security governance compliance review assumes CloudTrail is on.
What CloudTrail records
CloudTrail records API activity in your account: console actions, CLI invocations, SDK calls from applications, and calls AWS services make on your behalf. Each event captures the caller identity, source IP, timestamp, request parameters, and response elements. Events fall into three categories: management events (control plane: IAM changes, security group edits), which are recorded by default; data events (S3 object reads, Lambda invocations, DynamoDB item access), which are high-volume and opt-in; and Insights events (anomalous API call or error rates), also opt-in. "Every API call" therefore means every management call unless you have turned on data events for the resources that matter.
CloudTrail trails
A trail is a configuration that ships CloudTrail events to durable storage: an S3 bucket, optionally CloudWatch Logs, and optionally EventBridge for near-real-time reactions. A single organization trail can cover all Regions and all accounts in an Organization, the gold-standard configuration for cloud governance. Two practitioner details: turn on log file validation so CloudTrail writes signed digest files that prove a delivered log file was not altered afterwards, and keep the destination bucket in a separate log-archive account so a compromised workload account cannot delete its own evidence.
CloudTrail Lake
CloudTrail Lake is a managed data lake that indexes CloudTrail events and lets you run SQL queries for investigations without exporting data to a third-party SIEM. Useful for forensic work during incidents.
CloudTrail vs CloudWatch — the canonical confusion
CloudTrail and CloudWatch are not interchangeable. CloudTrail is the audit log — who did what, when, from where. CloudWatch is the operational monitoring platform — metrics, alarms, dashboards, and application log aggregation. Compliance auditors read CloudTrail. Operations engineers read CloudWatch. On the CLF-C02 exam, any question that mentions "audit," "who did," "forensics," "non-repudiation," or "compliance evidence" points to CloudTrail. Any question that mentions "CPU utilization," "alarm," "dashboard," "application logs," or "auto-scaling trigger" points to CloudWatch.
CloudTrail = AUDIT log of every API call (who, what, when). CloudWatch = OPERATIONAL metrics, alarms, and log aggregation for performance. Compliance programs need CloudTrail. Auto-scaling needs CloudWatch. Mixing them up is the top-cited mistake in community CLF-C02 retrospectives. Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html
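The "who did what, when, from where" questions this section says auditors ask, answered over real CloudTrail records by a short detection script. This is an added example for this guide, not AWS code. The three records are constructed in the CloudTrail record format (userIdentity, eventSource, eventName, sourceIPAddress, responseElements, additionalEventData); the account ID, names and addresses are made up. A delivered trail file has the same records under a top-level "Records" key, which scan_trail_file reads.

```python
"""Detection logic over CloudTrail management events: logging tampering, root
activity, and console logins without MFA.

Added example, not AWS code. SAMPLE_RECORDS is constructed in the CloudTrail
record format; a trail delivers the same shape as gzipped JSON files.
"""
import json

LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def actor(record):
    """Best readable identity: IAM user name, else the ARN (root, assumed role), else the type."""
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")


def classify(record):
    """Return the finding names that apply to one record (empty list when benign)."""
    findings = []
    if (record.get("eventSource") == "cloudtrail.amazonaws.com"
            and record.get("eventName") in LOGGING_TAMPER):
        findings.append("cloudtrail-tampering")
    if record.get("userIdentity", {}).get("type") == "Root":
        findings.append("root-account-activity")
    if (record.get("eventName") == "ConsoleLogin"
            and record.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and record.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        findings.append("console-login-without-mfa")
    return findings


def scan(records):
    """Summarize every suspicious record as who / what / when / from where."""
    hits = []
    for rec in records:
        findings = classify(rec)
        if findings:
            hits.append({
                "who": actor(rec),
                "what": f"{rec.get('eventSource')} {rec.get('eventName')}",
                "when": rec.get("eventTime"),
                "from": rec.get("sourceIPAddress"),
                "findings": findings,
            })
    return hits


def scan_trail_file(path):
    """Scan one delivered CloudTrail log file (already gunzipped)."""
    with open(path) as fh:
        return scan(json.load(fh)["Records"])


# Constructed records (documentation IP ranges, made-up account and names).
SAMPLE_RECORDS = [
    {   # an IAM user turns off the organization trail at 03:02
        "eventTime": "2024-03-01T03:02:11Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                         "arn": "arn:aws:iam::123456789012:user/deploy-bot"},
        "requestParameters": {"name": "org-trail"},
    },
    {   # the root user logs in to the console without MFA
        "eventTime": "2024-03-01T03:05:40Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                         "accountId": "123456789012"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No", "LoginTo": "https://console.aws.amazon.com/"},
    },
    {   # benign read-only call through an assumed role
        "eventTime": "2024-03-01T03:06:02Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.22",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/alice"},
    },
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(json.dumps(hit))
```

In production this logic would run on events streamed from the trail to CloudWatch Logs or EventBridge rather than over files after the fact, but the record fields are identical. Note that an unsuccessful ConsoleLogin is deliberately not flagged as "without MFA": the MFAUsed field is only meaningful once the password step succeeded, and failures belong to a separate brute-force detection.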
AWS Audit Manager — Compliance Evidence Collection
AWS Audit Manager automates the evidence-collection process for compliance assessments. Audit Manager ships with frameworks for SOC 2, PCI DSS, HIPAA, GDPR, ISO 27001, FedRAMP, and more. It continuously gathers evidence (from AWS Config, CloudTrail, Security Hub, and other sources) and produces an assessment report you can hand to an external auditor. Audit Manager is a time-saver rather than a prerequisite — AWS security governance compliance works without it, but Audit Manager speeds up the paperwork.
AWS Well-Architected Security Pillar Alignment
The AWS Well-Architected Framework's Security pillar codifies the design principles that AWS security governance compliance services support. The pillar's seven design principles include "Implement a strong identity foundation" (IAM, Organizations), "Enable traceability" (CloudTrail, Config), "Apply security at all layers" (Security Groups, WAF, KMS), "Automate security best practices" (Config rules, Control Tower), "Protect data in transit and at rest" (ACM, KMS), "Keep people away from data" (automation), and "Prepare for security events" (incident response playbooks). Any CLF-C02 question asking "which pillar does this relate to?" with a security, governance, or compliance scenario maps to the Security pillar.
Key Numbers and Must-Memorize Facts
For CLF-C02 AWS cloud governance and compliance programs you do not need deep numeric mastery, but a handful of facts appear repeatedly.
- AWS supports 140+ compliance programs (ballpark — the exam rarely asks for an exact number).
- CloudTrail retains the last 90 days of management events for free in Event history, regardless of whether you configure a trail.
- AWS Config captures configuration changes within minutes and stores history in an S3 bucket you designate.
- SCPs can be attached at the organization root, at any OU, or to an individual account; they cascade downward, and a call must pass the SCPs at every level above the account.
- AWS Control Tower requires AWS Organizations; it is not a standalone service.
- KMS keys are Regional by default: a key in us-east-1 does not work in eu-west-1 unless you created it as a multi-Region key, which has replicas with the same key ID and key material in other Regions.
- AWS Artifact is free. You access it through the AWS Management Console.
Common Exam Traps
Beyond CloudTrail vs CloudWatch, several other confusions burn CLF-C02 candidates on AWS security governance compliance questions.
AWS Artifact vs AWS Config
AWS Artifact is where you download AWS's third-party audit reports. AWS Config is where you track your own resource configuration state. These are often swapped in answer options.
AWS Organizations vs AWS Control Tower
Organizations is raw multi-account primitives (accounts, OUs, SCPs, consolidated billing). Control Tower is an opinionated landing-zone factory built on top of Organizations with baked-in guardrails. If the scenario says "deploy a new multi-account environment with best practices out of the box," choose Control Tower. If the scenario says "apply a policy across existing accounts," choose Organizations.
Compliance vs Security vs Governance terminology
Compliance programs are external standards (SOC, PCI, HIPAA). Security services implement controls (KMS, IAM, WAF). Cloud governance is the policy layer coordinating both (Config, Organizations, Control Tower). Questions sometimes test vocabulary directly.
KMS customer-managed vs AWS-managed keys
Customer-managed keys give you rotation and policy control. AWS-managed keys (aws/s3, aws/ebs) are visible in your account but AWS controls their key policy and rotation; the keys you never see at all are AWS-owned keys. Every use of either type is logged in CloudTrail, so "audit every key use" is possible with both, but only customer-managed keys let you restrict who may use the key through the key policy, share it across accounts, or disable it to revoke access.
Root account and SCPs
SCPs can constrain even the root user of a member account. But SCPs do not apply to the management account (the payer account) in AWS Organizations. This is a subtle trap that occasionally appears.
Security Governance vs Access Management — Scope Boundary
Task 2.2 covers AWS cloud governance and compliance programs. Task 2.3 covers access management (IAM, IAM Identity Center). The boundary matters for scoring.
AWS security governance compliance Task 2.2 owns: AWS Config, AWS Organizations, SCPs, AWS Control Tower, AWS CloudTrail, AWS Artifact, AWS KMS, ACM, compliance programs, data residency.
Task 2.3 owns: IAM users, IAM groups, IAM roles, IAM policies, MFA, root account protection, IAM Identity Center (SSO), federated access.
The overlap zone is AWS Organizations. Organizations enforces cloud governance across accounts (Task 2.2) but also impacts identity through IAM Identity Center integration (Task 2.3). Either task is a reasonable place to see it — the exam does not penalize you either way.
Practice Question Links — Task 2.2 Mapped Exercises
Expect CLF-C02 exam items in these shapes on AWS security governance compliance:
- "A company needs to download AWS's SOC 2 report for its auditor." Answer: AWS Artifact.
- "A company wants a single place to view every API call made in its AWS account for the last 90 days." Answer: AWS CloudTrail.
- "A security team needs to be alerted when an S3 bucket is made publicly readable." Answer: AWS Config rule (s3-bucket-public-read-prohibited).
- "A company needs to deploy a new multi-account environment with baseline guardrails." Answer: AWS Control Tower.
- "A compliance officer wants to ensure no AWS account in the Production OU can delete CloudTrail trails." Answer: service control policy (SCP) in AWS Organizations.
- "Which service provides keys for encrypting data at rest across AWS services?" Answer: AWS KMS.
- "A company storing EU citizen data needs AWS's GDPR data processing agreement." Answer: the exam's expected answer is AWS Artifact, the portal for AWS's compliance documents; in practice the AWS GDPR DPA is incorporated into the AWS Service Terms and applies automatically, with no separate signature.
- "A US healthcare provider wants to store PHI on AWS." Answer: sign HIPAA BAA via AWS Artifact and use HIPAA-eligible services.
FAQ — AWS Security, Governance & Compliance Top Questions
Q1. What is the difference between AWS Artifact and AWS Config?
AWS Artifact is the portal that distributes AWS's external audit reports and legal agreements (SOC, PCI DSS, HIPAA BAA, GDPR DPA). AWS Config records your resource configuration history and evaluates it against compliance rules. Artifact is about AWS's compliance posture; Config is about your account's compliance posture. Both matter for AWS security governance compliance but they solve different problems.
Q2. Does AWS make my application HIPAA compliant automatically?
No. HIPAA has no formal certification program, so no cloud provider is "HIPAA certified"; AWS instead aligns its controls with HIPAA, publishes the list of HIPAA-eligible services, and offers a BAA. You still need to accept the HIPAA BAA via AWS Artifact, keep PHI within HIPAA-eligible services, encrypt PHI at rest and in transit, restrict IAM access tightly, and configure logging. HIPAA is a shared responsibility like every other compliance program on AWS.
Q3. Should I use CloudTrail or CloudWatch for compliance auditing?
CloudTrail. CloudTrail records every AWS API call made in your account — who did what, when, from where. Auditors read CloudTrail because it provides the non-repudiable audit trail that compliance programs require. CloudWatch is an operational monitoring service for metrics, alarms, and application logs. They often work together (CloudTrail events can be streamed to CloudWatch Logs) but are not interchangeable.
Q4. When should I use a customer-managed KMS key instead of an AWS-managed key?
Choose a customer-managed KMS key when you need one of the following: custom rotation policy, cross-account key sharing, the ability to immediately revoke access by disabling the key, fine-grained key policies, or alignment with specific compliance programs that mandate customer-controlled key material. AWS-managed keys work fine for default encryption scenarios where you just want data at rest to be encrypted without operational overhead.
Q5. What is the difference between AWS Organizations and AWS Control Tower?
AWS Organizations is the foundational multi-account service that lets you create organizational units (OUs), apply service control policies, and consolidate billing. AWS Control Tower sits on top of AWS Organizations and provides an opinionated landing zone with best-practice guardrails, centralized logging, pre-configured Config and CloudTrail, and an Account Factory for provisioning new accounts. Organizations is the engine; Control Tower is the car built around it.
Q6. Can I use AWS Config to enforce compliance, or only to detect violations?
AWS Config primarily detects configuration drift against your declared rules. However, Config rules can trigger remediation actions through AWS Systems Manager Automation documents, which makes Config a detective control with automated remediation — effectively enforcing compliance in minutes. For true preventive control (stopping the violation before it happens), use service control policies in AWS Organizations.
Q7. Which AWS Region should I choose for GDPR-compliant workloads?
GDPR does not mandate a specific Region, but most organizations choose an EU Region (eu-west-1 Ireland, eu-central-1 Frankfurt, eu-north-1 Stockholm, eu-west-3 Paris, eu-south-1 Milan, eu-south-2 Spain) to keep personal data within the EEA. Note that eu-central-2 (Zurich) is in Switzerland, which is outside the EU and the EEA; Switzerland holds an EU adequacy decision, but it is not an EU Region for residency purposes. Combine Region selection with SCPs that deny resource creation outside approved Regions and encrypt personal data with AWS KMS. AWS's GDPR Data Processing Addendum is incorporated into the AWS Service Terms and applies automatically, so there is no separate document to sign.
Further Reading
- AWS Compliance Programs overview: https://aws.amazon.com/compliance/programs/
- AWS Config Developer Guide: https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html
- AWS Organizations User Guide: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html
- AWS Control Tower User Guide: https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html
- AWS CloudTrail User Guide: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html
- AWS Artifact User Guide: https://docs.aws.amazon.com/artifact/latest/ug/what-is-aws-artifact.html
- AWS KMS Developer Guide: https://docs.aws.amazon.com/kms/latest/developerguide/overview.html
- AWS Well-Architected Security Pillar: https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html
- AWS Certified Cloud Practitioner Exam Guide (CLF-C02): https://d1.awsstatic.com/training-and-certification/docs-cloud-practitioner/AWS-Certified-Cloud-Practitioner_Exam-Guide.pdf