What Compliance Audit Means on AWS for SCS-C02
Compliance audit on AWS is the systematic, evidence-backed process of proving that every running resource matches the rules an organization has accepted, whether those rules come from external regulators (PCI DSS, HIPAA, FedRAMP, NIST SP 800-53) or internal policies. The SCS-C02 exam treats compliance audit as a Domain 6 capability that combines four pillars: continuous configuration evaluation through AWS Config, evidence aggregation through AWS Audit Manager, sensitive data discovery through Amazon Macie, and findings consolidation through AWS Security Hub. Domain 6 tasks 6.3 and 6.4 also pull in cost-side compliance audit signals through Cost Explorer and Cost Anomaly Detection, because unexpected resource spend is a leading indicator of compromise.
A compliance audit on AWS is never a one-time scan. It is a continuous compliance audit loop where AWS Config records every configuration change, conformance packs codify a complete compliance audit framework, Audit Manager collects evidence on a recurring cadence, and Security Hub correlates findings across services. The exam expects you to know which compliance audit service produces which artifact, how a compliance audit aggregator extends scope across an AWS Organization, and how a compliance audit feeds back into remediation through SSM Automation documents.
Understanding compliance audit at this depth matters because SCS-C02 questions almost never ask "what does AWS Config do" in isolation; they ask which compliance audit service to combine with another for a specific outcome. A compliance audit answer that mentions Audit Manager when the scenario asks for continuous configuration evaluation is wrong; a compliance audit answer that mentions Config when the scenario asks for regulator-ready evidence packages is wrong. The taxonomy below lets you eliminate distractors quickly.
A continuous, evidence-backed evaluation of AWS resource configurations and data handling against a defined control set, performed by AWS Config (state), Audit Manager (evidence), Macie (data classification), and Security Hub (consolidated findings). Required scope, frequency, and evidence form differ by framework (PCI DSS, HIPAA, FedRAMP, ISO 27001, SOC 2). AWS Compliance overview
Why Compliance Audit Is a Standalone Domain 6 Skill
Compliance audit deserves its own task statement because the skills are different from threat detection (Domain 1) or data protection (Domain 5). Compliance audit is about provability, not prevention. A compliance audit run on a perfectly secure environment will still fail if you cannot produce timestamped evidence. The exam tests whether you can pick the service that produces the right kind of compliance audit artifact for the auditor.
How Tasks 6.3 and 6.4 Map to Real Services
Task 6.3 covers data classification (Macie), Config rules for noncompliance detection, and evidence collection through Security Hub plus Audit Manager. Task 6.4 covers cost anomaly identification, attack surface reduction, and the Well-Architected Tool security pillar review.
Quick Reference Compliance Audit Service Map
| Compliance audit goal | Primary service | Secondary service | Evidence artifact |
|---|---|---|---|
| Resource configuration drift | AWS Config | Config aggregator | Config snapshot, timeline |
| Codified rule set deployment | Conformance pack | Organizations StackSet | Pack deployment status |
| Regulator-ready evidence | AWS Audit Manager | Config + CloudTrail + Security Hub | Assessment report ZIP |
| Sensitive data discovery | Amazon Macie | S3 + EventBridge | Macie finding (PII categories) |
| Cross-service findings hub | AWS Security Hub | GuardDuty, Inspector, Macie, Config | ASFF finding, automation rule |
| Best-practice quick check | AWS Trusted Advisor | Support API | Check status (red/yellow/green) |
| Cost-based security signal | Cost Anomaly Detection | Cost Explorer | Anomaly alert with root cause |
| Architectural review | Well-Architected Tool | Custom lens | Workload milestone, improvement plan |
This compliance audit map is the cheat sheet. Memorize the column for "Evidence artifact" because the exam often hides the answer in what you must hand to an external auditor.
Plain-Language Explanation: Compliance Audit
The Open-Book Exam Analogy
A compliance audit on AWS is exactly like an open-book exam where the proctor demands you keep showing your work, not just the final answer. AWS Config is the running notebook that timestamps every change you make. Audit Manager is the binder that gathers all your annotated pages into a tidy submission packet. Macie is the highlighter that flags every line containing sensitive personal information. Security Hub is the front cover that summarizes how you scored on each section.
If a regulator turns up unannounced and asks "show me your compliance audit position right now", you do not start writing answers on the spot. You hand over the binder Audit Manager has been quietly assembling for the past quarter. Without that binder, even a perfect environment looks like an unprepared student.
The Restaurant Health Inspection Analogy
Think of a compliance audit like a restaurant health inspection. AWS Config is the fridge thermometer log the head chef keeps every hour. Conformance packs are the printed checklist the inspector brings, covering "fridge below 4 C, hand-wash sink working, no expired stock". Audit Manager is the framed binder by the cash register containing photos, signed checklists, and timestamped temperature logs. Macie is the food-safety officer who walks through and tags every container marked "raw chicken" so it never touches the salad station.
A restaurant that only runs the inspector's checklist on inspection day fails because there is no historical compliance audit evidence. A restaurant that has been logging temperature every hour for six months passes effortlessly. Same on AWS: continuous compliance audit always wins over point-in-time scans.
The Toolbox Analogy
A compliance audit toolkit is like a Swiss Army knife where each blade does one thing well. AWS Config is the screwdriver that examines every screw (resource) and notes whether it is loose. Audit Manager is the labeled toolbox tray that organizes screws by frame they belong to (HIPAA, PCI, FedRAMP). Macie is the metal detector that finds hidden bolts (PII) you forgot were embedded in the wall (an S3 bucket). Security Hub is the workbench where you lay out every finding from every blade so you can decide what to fix first.
The mistake beginners make is using one blade for everything. You cannot use Config to produce a HIPAA evidence binder, and you cannot use Audit Manager to fix a misconfigured security group. The compliance audit Swiss Army knife works only when you reach for the right blade for the right cut.
AWS Config Deep Dive for Compliance Audit
AWS Config is the foundation of most compliance audit workflows on AWS. Config continuously records the configuration state of every supported resource in every region you enable it in. Each change generates a configuration item (CI), and Config evaluates that CI against rules. Config rules are the smallest unit of compliance audit logic on AWS.
Enable Config recording in every region you operate in (or every region globally, if your compliance audit framework requires it). A common SCS-C02 trap is the question that says "Config is enabled" but quietly mentions only one region. If a resource exists in an unrecorded region, Config produces zero compliance audit evidence and conformance packs report green incorrectly. Use a Config aggregator across the AWS Organization for compliance audit at scale. AWS Config recording
Managed Rules vs Custom Lambda Rules
AWS publishes 270+ managed Config rules covering well-known patterns like s3-bucket-public-read-prohibited, iam-password-policy, rds-storage-encrypted, and restricted-ssh. Managed rules are the first stop for any compliance audit baseline because they are version-pinned, AWS-maintained, and carry no Lambda cost (you pay only Config's per-evaluation rate).
Custom Config rules run on AWS Lambda. The compliance audit logic lives in your Lambda function, which receives a CI as input and returns COMPLIANT, NON_COMPLIANT, or NOT_APPLICABLE. Custom rules also support AWS Config Custom Policy rules written in Guard DSL (no Lambda needed), which the exam now references as the modern alternative.
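A custom rule of the shape just described, as an added example (not code from the page or from AWS): a Lambda-backed rule that requires every S3 bucket to carry a DataClassification tag drawn from an allowed set, returning COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE per configuration item. The tag key, the allowed values and the optional allowedValues rule parameter are assumptions for illustration.

```python
"""Custom AWS Config rule (Lambda-backed) enforcing a DataClassification tag
on S3 buckets. Added example; not code from the page or from AWS."""
import json

# Hypothetical internal policy: every bucket must carry one of these labels.
DEFAULT_ALLOWED = {"public", "internal", "confidential", "restricted"}
TAG_KEY = "DataClassification"


def evaluate_configuration_item(ci, allowed=DEFAULT_ALLOWED):
    """Return (complianceType, annotation) for one configuration item (CI)."""
    if ci.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "Rule applies only to S3 buckets"
    if ci.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "Resource deleted"
    tags = ci.get("tags") or {}
    value = tags.get(TAG_KEY)
    if value is None:
        return "NON_COMPLIANT", f"Missing required tag {TAG_KEY}"
    if value.lower() not in allowed:
        return "NON_COMPLIANT", f"{TAG_KEY}={value!r} not in allowed set"
    return "COMPLIANT", f"{TAG_KEY}={value!r}"


def build_evaluation(event):
    """Parse the Config invocation event and produce one Evaluation entry.

    Returns None when the invocation carries no inline CI (a scheduled
    notification, or an oversized-CI notification that would need
    GetResourceConfigHistory, which this example does not implement)."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    # Optional rule parameter (assumed name): comma-separated allowed labels.
    allowed = DEFAULT_ALLOWED
    if params.get("allowedValues"):
        allowed = {v.strip().lower() for v in params["allowedValues"].split(",")}
    ci = invoking.get("configurationItem")
    if ci is None:
        return None
    compliance, note = evaluate_configuration_item(ci, allowed)
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point: report the verdict back to Config via PutEvaluations."""
    import boto3  # imported lazily so the pure functions run without boto3
    evaluation = build_evaluation(event)
    if evaluation is None:
        return {"skipped": True}
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample invocation, shaped like a Config change notification:
# a bucket with an Owner tag but no DataClassification tag.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::S3::Bucket",
            "resourceId": "example-finance-exports",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-15T03:00:00.000Z",
            "tags": {"Owner": "finance"},
        },
    }),
    "ruleParameters": "{}",
    "resultToken": "constructed-token",
}
```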
Config Aggregator for Multi-Account Compliance Audit
A Config aggregator collects compliance audit data from multiple accounts and regions into one view. Aggregators support two source types: individual account list, or full AWS Organization. The Organization source is the recommended pattern because it auto-discovers new accounts as they join. Aggregators are read-only; they do not push rules. To deploy rules organization-wide you use a conformance pack with the Organization deployment option.
Advanced Queries for Custom Compliance Audit Reports
Config Advanced Queries use a SQL-like syntax to query CIs across accounts and regions. A compliance audit report like "every public S3 bucket across the organization, grouped by account" is one Advanced Query. The query result feeds directly into auditor-facing dashboards.
Config Remediation with SSM Automation
Compliance audit without remediation is theatre. Config integrates with AWS Systems Manager Automation documents to remediate non-compliant resources automatically or on-demand. You attach a remediation action to a rule, choose automatic or manual, set retry attempts, and Config invokes the SSM document when the rule transitions to NON_COMPLIANT.
Set new compliance audit remediation actions to manual for the first month so you can review which resources Config flagged before SSM mass-modifies them. Once you trust the rule, switch to automatic with a retry count of 3 to handle transient failures. The exam often tests this distinction. Remediating non-compliant resources
Conformance Packs for Codified Compliance Audit
Conformance packs are the AWS-native way to deploy a complete compliance audit framework as code. A pack is a YAML or JSON template that bundles Config rules plus optional remediation actions, deployed as a unit. AWS publishes pre-built conformance packs for CIS, PCI DSS, NIST 800-53, HIPAA, FedRAMP, ISO 27001, AWS Foundational Best Practices, and many others.
Organization-Wide Pack Deployment
In a compliance audit at scale, you deploy a conformance pack once at the Organization level (from the management account or a delegated administrator) and Config replicates the pack to every member account. Updates to the pack template propagate automatically. This is the multi-account compliance audit pattern SCS-C02 expects.
Custom Conformance Packs
You can author your own conformance pack to encode internal compliance audit policies. The pack template references managed rules, custom Lambda rules, and remediation SSM documents. Version-control the YAML in git so the compliance audit baseline is auditable end-to-end.
- A conformance pack = set of Config rules + optional SSM remediations, deployed as one unit.
- Org-wide deployment requires Config recording enabled in every member account.
- Pre-built packs exist for CIS, PCI DSS, HIPAA, NIST 800-53, FedRAMP, AWS FSBP, ISO 27001.
- Pack compliance score = % of resources passing all rules in the pack.
- Pack templates are YAML/JSON; store in git for compliance audit traceability. Conformance pack documentation
AWS Audit Manager for Evidence-Driven Compliance Audit
AWS Audit Manager is the compliance audit service that produces auditor-ready evidence packages. Audit Manager continuously collects evidence by querying AWS Config, AWS CloudTrail, AWS Security Hub, and resource APIs, then maps each piece of evidence to a control inside a framework.
Frameworks and Custom Frameworks
Audit Manager ships with 35+ pre-built frameworks: PCI DSS v3.2.1, HIPAA, FedRAMP Moderate, GDPR, SOC 2, NIST SP 800-53, AWS Foundational Best Practices. You can also build a custom framework by selecting controls from the Audit Manager control library or by authoring a custom control with manual evidence prompts.
Assessments and Evidence Collection
An assessment is a running compliance audit instance scoped to specific accounts and a specific framework. Audit Manager organizes evidence into four categories:
- Configuration data from AWS Config (resource state).
- User activity from CloudTrail (who did what, when).
- Compliance check from Security Hub (control failure findings).
- Manual evidence (uploaded screenshots, documents, attestations).
Evidence is collected automatically and aggregated by control. When the audit window closes, Audit Manager generates an evidence ZIP per control set that the external auditor consumes.
Audit Manager does not configure resources, does not enforce policies, and does not detect threats. Its sole compliance audit role is evidence aggregation and reporting. If a question asks how to prevent a control violation, Audit Manager is wrong; the answer is Config rules, SCPs, or Security Hub controls. If a question asks how to prove compliance to a regulator, Audit Manager is right. Audit Manager concepts
Delegated Reviewer Workflow
Audit Manager supports a delegated reviewer model where the compliance audit owner assigns specific control sets to subject matter experts (SMEs) who can review and annotate evidence before final report generation. This keeps the compliance audit team small while distributing review.
Amazon Macie for Data Classification Compliance Audit
Amazon Macie is the compliance audit service for data classification. Macie scans S3 buckets and uses managed data identifiers (60+ pre-built patterns covering credit card numbers, SSNs, passport numbers, OAuth tokens, AWS access keys, healthcare codes) plus custom data identifiers (your own regex + keyword combinations).
Automated Discovery vs Sensitive Data Discovery Jobs
Macie has two scanning modes that the exam loves to compare:
- Automated sensitive data discovery — Macie continuously inspects a statistical sample of objects across all S3 buckets in the account. Low cost, broad coverage, and a sensitivity score per bucket that is updated continuously.
- Sensitive data discovery jobs — User-configured one-time or scheduled deep scans of specific buckets and prefixes. Higher cost, full-object analysis, fine-grained findings. Use for compliance audit attestation of a specific dataset.
A frequent SCS-C02 trap: a scenario describes PII in an RDS Postgres database and offers Macie as a choice. Macie operates only on S3 objects. For non-S3 stores you need separate compliance audit tooling: column tagging in Glue Data Catalog, a custom Lambda that pulls samples to S3, or a third-party DLP product. Choosing Macie for non-S3 sources is a wrong-answer eliminator. Macie supported sources
Custom Data Identifiers
Custom data identifiers (CDIs) let you encode internal compliance audit categories Macie does not ship by default — employee ID format, internal customer ID, proprietary product codes. A CDI combines a regex with optional keywords, a maximum match distance, and a severity level. CDIs work in both automated discovery and discovery jobs.
Integration with Security Hub
Macie findings flow into Security Hub via the AWS Security Finding Format (ASFF). Each Macie finding describes the bucket, object key, sensitive category detected, and count of occurrences. Security Hub automation rules can route findings — for example, automatically open a ServiceNow ticket when severity is HIGH and bucket lacks encryption.
Security Hub Standards for Continuous Compliance Audit
AWS Security Hub is the compliance audit aggregator. Security Hub centralizes findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, Config, and partner integrations, and runs its own controls organized into compliance audit standards.
The Four Major Standards
- AWS Foundational Security Best Practices (FSBP) — AWS's baseline; ~280 controls covering services from EC2 to KMS. Default for new Security Hub accounts.
- CIS AWS Foundations Benchmark — community-driven; v1.4.0 and v3.0.0 are the current versions on Security Hub.
- PCI DSS — payment card industry; controls scoped to PCI in-scope resources.
- NIST SP 800-53 Rev 5 — US federal baseline; large control catalog.
You enable any combination per account. Each standard is a curated set of Config rules plus Security Hub-native controls. The compliance audit score (0-100%) is computed per standard from passing/failing controls.
Disabling Controls
Some compliance audit controls are inappropriate for specific architectures (e.g., a control mandating CloudTrail in a region you do not use). Security Hub lets you disable controls per account or organization-wide. Disabling a control removes it from the score calculation.
Security Hub central configuration (released 2023) lets you define a single configuration policy and propagate it to every account in your AWS Organization. Without central configuration, every new account requires manual standard enablement, which causes compliance audit drift across the org. Always combine central configuration with a Config aggregator for unified coverage. Security Hub central configuration
Automation Rules
Security Hub automation rules (also released 2023) let you mutate findings automatically. Common compliance audit patterns:
- Suppress findings tagged BusinessJustified=true.
- Elevate severity to CRITICAL when a Macie finding affects a public bucket.
- Auto-assign findings to a security team based on resource tags.
Automation rules run inside Security Hub before findings reach EventBridge, so downstream consumers see the mutated finding.
Trusted Advisor for Lightweight Compliance Audit Checks
AWS Trusted Advisor is the original lightweight compliance audit tool. Trusted Advisor runs across five categories: cost optimization, performance, security, fault tolerance, and service limits.
Security Checks
Trusted Advisor security checks (Business or Enterprise Support tier required for full set) cover:
- IAM use (root account access keys, MFA on root, password policy).
- S3 bucket public access permissions.
- Security groups with unrestricted inbound (0.0.0.0/0 on common ports).
- ELB listener security.
- Public snapshots (RDS, EBS).
- Exposed Access Keys (scans GitHub).
- CloudTrail logging enabled.
Trusted Advisor's security checks overlap with Security Hub FSBP, but Trusted Advisor is not a compliance audit reporting tool — it produces no ASFF findings, no per-control compliance audit score, and no evidence package. Use Trusted Advisor for quick spot checks; use Security Hub for continuous compliance audit and Audit Manager for evidence. Trusted Advisor checks reference
Identifying Unused Resources
Task 6.4 explicitly calls out unused resource identification. Trusted Advisor checks for:
- Idle load balancers (low request count).
- Underutilized EC2 instances (low CPU and network).
- Unassociated Elastic IPs.
- Idle RDS DB instances.
- Low-utilization EBS volumes.
Combine Trusted Advisor's unused-resource view with Cost Explorer to size the compliance audit attack surface — every unused resource is an unattended door.
Cost Explorer and Cost Anomaly Detection as Security Signals
Cost-side compliance audit is task 6.4's killer concept. Unexpected cost spikes are a leading indicator of credential compromise, crypto-mining, or data exfiltration.
Cost Anomaly Detection
Cost Anomaly Detection uses machine learning to baseline normal spend per service, account, or cost category and alerts when spend deviates beyond a threshold. You configure:
- Monitor type — AWS services, linked accounts, cost categories, or cost allocation tags.
- Alert threshold — absolute USD value or percentage deviation.
- Notification channel — SNS topic or email.
A typical compliance audit pattern: a monitor on Amazon EC2 per linked account, threshold $500, SNS to the security team. A spike above baseline often correlates with GuardDuty findings (e.g., CryptoCurrency:EC2/BitcoinTool.B!DNS).
The SCS-C02 exam specifically tests cost-as-security thinking. A 10x EC2 cost spike in us-east-2 at 03:00 UTC, paired with UnauthorizedAccess:EC2/RDPBruteForce, is the canonical compromise signal. Always wire Cost Anomaly Detection alerts into your security incident response runbooks alongside GuardDuty.
Cost Anomaly Detection setup
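The correlation step the runbook above calls for, as an added example that is not part of the original page: given a Cost Anomaly Detection alert and a batch of GuardDuty findings, it keeps the findings that share the anomaly's account and region inside a time window and issues a triage verdict. Both record shapes are simplified, constructed stand-ins for the real SNS message and GuardDuty finding, and the list of spend-related finding-type prefixes is an assumption.

```python
"""Correlate a Cost Anomaly Detection alert with GuardDuty findings.
Added example; not code from the page or from AWS. Record shapes are
simplified, constructed stand-ins for the real SNS message and finding."""
from datetime import datetime, timedelta

# Assumed list of GuardDuty finding-type prefixes that explain a sudden
# EC2 spend increase (mining, brute force, account takeover).
SPEND_RELATED_PREFIXES = ("CryptoCurrency:", "UnauthorizedAccess:EC2/",
                          "Impact:EC2/", "UnauthorizedAccess:IAMUser/")


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' or carrying an offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def correlate(anomaly, findings, window_hours=24):
    """Return findings in the anomaly's account and region that occurred up to
    window_hours before the anomaly started or while it was ongoing."""
    start = parse_ts(anomaly["anomalyStartDate"])
    end = parse_ts(anomaly["anomalyEndDate"])
    lower = start - timedelta(hours=window_hours)
    seen, matches = set(), []
    for cause in anomaly["rootCauses"]:
        for f in findings:
            when = parse_ts(f["updatedAt"])
            if (f["accountId"] == cause["linkedAccount"]
                    and f["region"] == cause["region"]
                    and lower <= when <= end
                    and f["id"] not in seen):   # dedupe across root causes
                seen.add(f["id"])
                matches.append(f)
    return matches


def triage(anomaly, findings, window_hours=24):
    """Verdicts: 'probable_compromise' when a spend-related finding correlates,
    'investigate' when only unrelated findings do, 'cost_only' when none do."""
    matched = correlate(anomaly, findings, window_hours)
    related_ids = [f["id"] for f in matched
                   if f["type"].startswith(SPEND_RELATED_PREFIXES)]
    if related_ids:
        verdict = "probable_compromise"
    elif matched:
        verdict = "investigate"
    else:
        verdict = "cost_only"
    return {"verdict": verdict,
            "impactUsd": anomaly["impact"]["totalImpact"],
            "relatedFindings": related_ids,
            "otherFindings": [f["id"] for f in matched
                              if f["id"] not in related_ids]}


# Constructed sample: ~10x EC2 spend in us-east-2 starting at 03:00 UTC.
SAMPLE_ANOMALY = {
    "anomalyStartDate": "2024-01-15T03:00:00Z",
    "anomalyEndDate": "2024-01-15T09:00:00Z",
    "impact": {"totalImpact": 4820.0, "totalExpectedSpend": 480.0},
    "rootCauses": [{"service": "Amazon Elastic Compute Cloud - Compute",
                    "region": "us-east-2", "linkedAccount": "111122223333"}],
}
# Constructed findings: two in-window hits, one other account, one stale.
SAMPLE_FINDINGS = [
    {"id": "gd-1", "accountId": "111122223333", "region": "us-east-2",
     "type": "UnauthorizedAccess:EC2/RDPBruteForce",
     "updatedAt": "2024-01-14T22:41:00Z"},
    {"id": "gd-2", "accountId": "111122223333", "region": "us-east-2",
     "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
     "updatedAt": "2024-01-15T03:35:00Z"},
    {"id": "gd-3", "accountId": "444455556666", "region": "us-east-2",
     "type": "Recon:EC2/PortProbeUnprotectedPort",
     "updatedAt": "2024-01-15T04:00:00Z"},
    {"id": "gd-4", "accountId": "111122223333", "region": "us-east-2",
     "type": "Recon:EC2/PortProbeUnprotectedPort",
     "updatedAt": "2024-01-10T04:00:00Z"},
]
```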
Cost Explorer for Forensics
After an alert fires, Cost Explorer is the forensic tool. Group by service, region, instance type, or tag to identify the exact resources driving the spike. Combine with aws ec2 describe-instances to capture instance metadata before isolation.
Well-Architected Tool for Architectural Compliance Audit Review
The AWS Well-Architected Tool turns the Well-Architected Framework's six pillars into a structured compliance audit questionnaire. For SCS-C02 you focus on the Security pillar.
Workload, Lens, Milestone Concepts
- Workload — the system you are reviewing (e.g., "customer-portal-prod").
- Lens — the pillar or domain framework (default = AWS Well-Architected, plus custom lenses you publish).
- Milestone — a named snapshot of answers, used to track improvement over time.
- Improvement plan — auto-generated remediation suggestions with links to AWS docs.
A typical compliance audit review cadence: workload review every quarter, milestone created at the end of each review, improvement plan items tracked as JIRA tickets.
Custom Lenses
You can publish a custom lens encoding internal compliance audit policies (e.g., "FunRaise Security Lens" with company-specific questions). Custom lenses appear alongside AWS lenses in the review UI. Share custom lenses across the AWS Organization.
Security Pillar Question Categories
The Security pillar covers seven design principles condensed into question groups: identity and access, detection, infrastructure protection, data protection (in transit and at rest), incident response, application security, and threat modeling. Each question maps to AWS service recommendations.
Architectural Review Compliance Audit Checklist
Putting compliance audit into practice during an architecture review means walking the checklist below before sign-off:
- Ingress — all public endpoints behind WAF, Shield Advanced for high-value assets, security groups least-privilege.
- Egress — VPC endpoints for AWS services, NAT-controlled internet egress, DNS Firewall blocking known-malicious domains.
- Identity — IAM roles, no long-lived access keys, IAM Access Analyzer enabled, IAM Identity Center for human access.
- Encryption — KMS CMKs (preferably customer-managed) for all data stores, TLS 1.2+ in transit, ACM for certificate lifecycle.
- Monitoring — CloudTrail org trail to a central account, Config aggregator, Security Hub central configuration, GuardDuty enabled in every region.
- IR readiness — runbooks, isolated forensic account, EC2 Image Builder for golden AMI rebuild, S3 Object Lock for evidence preservation.
- Attack surface — Trusted Advisor "unused" sweep monthly, IAM Access Analyzer findings closed, Network Access Analyzer findings reviewed.
Strategies to Reduce the Attack Surface (Task 6.4 Focus)
Reducing attack surface is its own compliance audit subdomain inside task 6.4. The exam tests these patterns repeatedly:
Least-Privilege IAM at Scale
- Use IAM Access Analyzer policy generation to write least-privilege policies based on observed CloudTrail activity over 90 days.
- Use IAM Access Analyzer external access findings to identify resources shared with accounts outside your AWS Organization.
- Use IAM Access Analyzer unused access (released 2023) to identify roles, users, and permissions that have not been used in 90 days.
Smaller Blast Radii
- One workload per AWS account where practical (Control Tower vending machine).
- SCPs at the OU level to forbid services not needed by the workload.
- VPC endpoint policies restricting which buckets, queues, and tables a VPC can reach.
- KMS key policies limiting which roles can decrypt.
Automate Patching and Hardening
- Systems Manager Patch Manager with maintenance windows.
- EC2 Image Builder pipelines producing hardened AMIs from CIS-benchmarked base images.
- Inspector continuous scanning to catch CVEs in EC2, ECR, and Lambda.
- Least-privilege IAM via Access Analyzer policy generation.
- Smaller blast radii via per-workload accounts + SCPs + VPC endpoint policies.
- Continuous CVE scanning via Inspector across EC2, ECR, Lambda.
- Automated patch cadence via SSM Patch Manager maintenance windows.
- Hardened golden images via EC2 Image Builder + CIS base. AWS Well-Architected Security Pillar
Compliance Audit Common Exam Traps
The compliance audit topic is full of look-alike answer choices. The traps below are the most common SCS-C02 distractors.
Trap: "Audit Manager will fix the issue"
Audit Manager only collects evidence. It does not remediate. Watch for answers that suggest Audit Manager will "automatically remediate" anything — they are wrong by definition.
Trap: "Macie scans the entire AWS environment"
Macie is S3-only. Any answer suggesting Macie scans EBS volumes, RDS databases, DynamoDB tables, or EFS file systems is wrong.
Trap: "Config rules block resource creation"
Config evaluates resources after they exist; it does not prevent creation. Preventive controls live in IAM policies, SCPs, and resource policies. If the question asks how to prevent a non-compliant resource, Config is the wrong answer; the answer is an SCP or permission boundary.
Trap: "Security Hub controls auto-remediate"
Security Hub generates findings; it does not remediate. Auto-remediation requires EventBridge → Lambda or EventBridge → Systems Manager Automation. Answers claiming Security Hub itself remediates are wrong.
Trap: "Trusted Advisor produces compliance audit reports"
Trusted Advisor outputs check status, not framework-aligned compliance audit reports. For PCI/HIPAA/FedRAMP evidence packages you need Audit Manager.
A conformance pack and a Security Hub standard can both bundle the same Config rules. The compliance audit difference: conformance packs are Config-native and produce a pack-level compliance score; Security Hub standards produce per-control findings in ASFF format consumable by Audit Manager and downstream automation. For SCS-C02, prefer the Security Hub standard answer when the scenario emphasizes central findings or multi-source aggregation, and prefer the conformance pack answer when the scenario emphasizes Config-native deployment or per-resource pack score. Conformance pack vs Security Hub
Compliance Audit vs Threat Detection — Choosing the Right Service
Compliance audit and threat detection share services (GuardDuty findings show up in Security Hub which feeds Audit Manager) but answer different questions.
| Question | Service category | Primary tool |
|---|---|---|
| Is this resource configured correctly? | Compliance audit | AWS Config |
| Did someone do something malicious? | Threat detection | GuardDuty + CloudTrail |
| Can I prove compliance to a regulator? | Compliance audit | Audit Manager |
| Where is sensitive data sitting? | Compliance audit (data) | Macie |
| Is there an active compromise? | Threat detection | GuardDuty + Detective |
| Is my architecture aligned with best practices? | Compliance audit (arch) | Well-Architected Tool |
The exam often disguises compliance audit questions as threat detection scenarios and vice versa. Read carefully for the verb: "evaluate", "audit", "assess" → compliance audit; "detect", "investigate", "respond" → threat detection.
Compliance Audit Reference Numbers to Memorize
- AWS Config managed rules count: 270+
- Audit Manager pre-built frameworks: 35+
- Macie managed data identifiers: 60+ sensitive categories
- Security Hub FSBP controls: ~280
- Security Hub CIS v3.0.0 controls: ~50
- Security Hub PCI DSS controls: ~40
- Trusted Advisor checks: ~115 (Business/Enterprise Support tier)
- Cost Anomaly Detection minimum learning period: ~10 days
- Audit Manager evidence retention: 2 years by default in S3
- Config rule evaluation cost: $0.001 per evaluation AWS Config pricing
Compliance Audit FAQ
How often does AWS Config evaluate resources for compliance audit?
Config evaluates resources on configuration change (event-driven, near real-time) and on a periodic schedule (every 1, 3, 6, 12, or 24 hours) depending on the rule's trigger configuration. For continuous compliance audit, choose configuration-change triggers wherever the rule supports them; for time-based audits like password policy compliance, a periodic 24-hour trigger is standard. See the Config rule trigger types.
Can Audit Manager replace AWS Config for compliance audit?
No. Audit Manager consumes Config evidence; it does not replace Config. Without Config, Audit Manager's "configuration data" evidence category is empty, and assessments fail to populate. The compliance audit pattern is always: Config records state, Audit Manager packages evidence. Audit Manager also pulls from CloudTrail, Security Hub, and resource APIs, but Config is the largest single source for configuration controls.
Should I enable every Security Hub standard for the strongest compliance audit?
Only enable standards that match the regulatory frameworks you must comply with, plus AWS Foundational Best Practices (FSBP) as the baseline. Enabling all four standards in every account triggers control overlap and inflates noise. Compliance audit signal-to-noise improves when standards align with actual obligations. Use central configuration to apply different standard combinations per OU (e.g., PCI standard only on the cardholder-data OU).
How does Macie price scale for compliance audit at petabyte scale?
Macie pricing has two components: bucket evaluation (per bucket per month, automated discovery layer) and object inspection (per GB scanned). At petabyte scale, automated sensitive data discovery (statistical sampling) keeps costs predictable; full discovery jobs over a petabyte are expensive. Best practice: run automated discovery continuously, then trigger discovery jobs only on buckets where automated discovery flags high sensitivity scores. See the Macie pricing page for current rates.
What evidence does Audit Manager produce for an external auditor?
Audit Manager generates an assessment report as a downloadable ZIP containing: per-control evidence files (Config configuration items, CloudTrail events, Security Hub findings, manual uploads), a control-set summary mapping evidence to framework controls, and a digest hash for tamper evidence. Auditors typically receive the ZIP plus access to the Audit Manager console for live navigation. The format aligns with most compliance audit framework expectations (PCI ROC, HIPAA risk assessment, FedRAMP SAR).
Can I run a compliance audit without AWS Organizations?
Yes, but it is harder. Standalone-account compliance audit works (Config, Audit Manager, Security Hub all support single-account mode), but cross-account aggregation requires either an AWS Organization or per-account configuration plus manual aggregation. The SCS-C02 exam strongly favors the Organizations-based pattern because it aligns with the AWS Security Reference Architecture (SRA) and Control Tower landing zone.
How do I detect compliance audit drift in a custom Config rule?
Custom Config rules using Lambda evaluate every CI delivered. To detect drift specifically (i.e., a resource that was compliant yesterday but is not today), use the Config rule's compliance change event in EventBridge. The event fires on every transition between COMPLIANT and NON_COMPLIANT. Wire it to SNS for alerting or to a Lambda that opens a ticket. For Custom Policy rules in Guard DSL, the same EventBridge event applies.
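The drift detector described in this answer, as an added example that is not part of the original page: a Lambda behind an EventBridge rule for the "Config Rules Compliance Change" event that classifies the transition and publishes an alert to SNS. The ALERT_TOPIC_ARN environment variable, the severity mapping and the sample event values are assumptions.

```python
"""EventBridge-triggered drift detector for Config rule compliance changes.
Added example; not code from the page or from AWS."""
import json

NON_COMPLIANT = "NON_COMPLIANT"
COMPLIANT = "COMPLIANT"


def classify_transition(detail):
    """Classify the detail of a 'Config Rules Compliance Change' event.

    'regressed'     : was COMPLIANT, now NON_COMPLIANT (drift)
    'new_violation' : first evaluation of the resource is NON_COMPLIANT
    'remediated'    : was NON_COMPLIANT, now COMPLIANT
    'ignore'        : anything else (e.g. NOT_APPLICABLE, no change)"""
    new = detail.get("newEvaluationResult", {}).get("complianceType")
    old = detail.get("oldEvaluationResult", {}).get("complianceType")
    if new == NON_COMPLIANT and old == COMPLIANT:
        return "regressed"
    if new == NON_COMPLIANT and old is None:
        return "new_violation"
    if new == COMPLIANT and old == NON_COMPLIANT:
        return "remediated"
    return "ignore"


def build_alert(event):
    """Turn a compliance-change event into an alert dict, or None when the
    transition does not warrant a notification."""
    detail = event["detail"]
    kind = classify_transition(detail)
    if kind == "ignore":
        return None
    new = detail["newEvaluationResult"]
    return {
        "transition": kind,
        "account": detail["awsAccountId"],
        "region": detail["awsRegion"],
        "rule": detail["configRuleName"],
        "resourceType": detail["resourceType"],
        "resourceId": detail["resourceId"],
        "recordedAt": new.get("resultRecordedTime"),
        "annotation": new.get("annotation", ""),
        # Assumed mapping: drift and fresh violations page on-call; fixes are FYI.
        "severity": "high" if kind in ("regressed", "new_violation") else "info",
    }


def lambda_handler(event, context):
    """Publish the alert to the SNS topic named by ALERT_TOPIC_ARN (assumed)."""
    import os
    import boto3  # lazy import keeps the pure functions importable offline
    alert = build_alert(event)
    if alert is None:
        return {"published": False}
    boto3.client("sns").publish(
        TopicArn=os.environ["ALERT_TOPIC_ARN"],
        Subject=f"[Config {alert['severity']}] {alert['rule']} {alert['transition']}",
        Message=json.dumps(alert, indent=2))
    return {"published": True, "alert": alert}


def make_sample_event(old, new, annotation=""):
    """Build a constructed event in the shape EventBridge delivers."""
    detail = {
        "resourceId": "sg-0abc1234def567890",
        "awsRegion": "us-east-2",
        "awsAccountId": "111122223333",
        "configRuleName": "restricted-ssh",
        "resourceType": "AWS::EC2::SecurityGroup",
        "messageType": "ComplianceChangeNotification",
        "newEvaluationResult": {
            "complianceType": new,
            "resultRecordedTime": "2024-01-15T03:02:11.000Z",
            "annotation": annotation,
        },
    }
    if old is not None:   # absent on a resource's first evaluation
        detail["oldEvaluationResult"] = {"complianceType": old}
    return {"source": "aws.config",
            "detail-type": "Config Rules Compliance Change",
            "detail": detail}


# Constructed samples: a drift event, its later remediation, a first sighting.
DRIFT_EVENT = make_sample_event(COMPLIANT, NON_COMPLIANT, "0.0.0.0/0 on port 22")
FIXED_EVENT = make_sample_event(NON_COMPLIANT, COMPLIANT)
FIRST_SEEN_EVENT = make_sample_event(None, NON_COMPLIANT)
```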
Does Cost Anomaly Detection replace GuardDuty for compromise detection?
No. They are complementary compliance audit and threat-detection signals. GuardDuty detects malicious behavior (DNS queries, API calls, port scans). Cost Anomaly Detection detects malicious economic impact (resource spend deviation). A sophisticated attacker who scales EC2 instances slowly may evade GuardDuty's per-instance detection but trip Cost Anomaly Detection's monthly baseline. Use both, and correlate alerts in Security Hub.
Compliance Audit Summary
The SCS-C02 compliance audit story is a chain: AWS Config records state, conformance packs codify rule sets, Security Hub aggregates findings across services, Audit Manager produces regulator-ready evidence, Macie classifies sensitive data, Trusted Advisor catches lightweight misconfigurations, Cost Anomaly Detection adds economic compromise signals, and the Well-Architected Tool drives architectural review. Master which compliance audit service produces which compliance audit artifact and the Domain 6 questions become elimination exercises.
For continued study, work through these related topics: Security Hub central findings architecture, GuardDuty threat detection, Organizations and SCP governance, CloudTrail organization trail design, and Control Tower landing zone. The compliance audit knowledge above is reinforced across all of them.
External primary sources: AWS Config Developer Guide, AWS Audit Manager User Guide, Amazon Macie User Guide, AWS Security Hub User Guide, AWS Well-Architected Security Pillar. Read the official compliance audit guidance once end-to-end before exam day.