Understand AWS Cloud Security, Governance, and Compliance Concepts
Source: Dev.to
Exam Guide: Cloud Practitioner – Domain 2: Security & Compliance (Task 2.2)
Governance & Compliance Overview
- Governance – Policies, controls, and oversight to ensure AWS usage aligns with business goals and risk tolerance.
- Compliance – Meeting legal, regulatory, and industry requirements (e.g., POPIA, HIPAA, PCI DSS, GDPR).
AWS provides a compliant cloud foundation, but you must configure and use services in a compliant way. This is the shared-responsibility model: AWS is responsible for security of the cloud (facilities, hardware, hypervisor, the internals of managed services), and you are responsible for security in the cloud (IAM, data classification, encryption choices, network, OS and application configuration). An auditor will ask for evidence of both halves.
Where to Find Compliance Information
- AWS Artifact – Self-service download of AWS compliance reports (SOC 1/2/3, ISO certifications, PCI DSS attestations and other third-party audit documentation) and acceptance of agreements such as the HIPAA Business Associate Addendum (BAA).
Question: “Where do you download AWS compliance reports?” → AWS Artifact.
- AWS Compliance Resources (aws.amazon.com/compliance) – Guidance on AWS compliance programs by industry and region, including the list of services in scope for each program.
Question: “Where do you learn about AWS compliance programs by industry/region?” → AWS Compliance.
Factors Influencing Compliance Requirements
- Country/region data laws – Data residency, privacy rules.
- Industry regulations – Healthcare, finance, government, etc.
- Service eligibility – Not every AWS service is approved for every framework; some frameworks (e.g., HIPAA) have eligible-service lists, and the “AWS Services in Scope by Compliance Program” page shows which services each program covers. Using an out-of-scope service for regulated data is a common audit finding.
Key Security, Governance, and Compliance Services
| Service | Primary Function |
|---|---|
| Amazon GuardDuty | Threat detection; its foundational data sources are CloudTrail management events, VPC Flow Logs, and DNS logs (optional protection plans add sources such as S3 data events and EKS audit logs). |
| AWS Security Hub | Central security‑posture view; aggregates findings from multiple AWS services/tools. |
| Amazon Inspector | Automated vulnerability management: scans EC2 instances, container images in Amazon ECR, and Lambda functions for software vulnerabilities and unintended network exposure. |
| AWS Shield | DDoS protection for internet-facing applications; Shield Standard is always on at no extra cost, Shield Advanced adds larger-attack mitigation, cost protection and the Shield Response Team. |
| AWS Config | Records resource‑configuration changes; evaluates configurations against rules (useful for compliance drift). |
| AWS Audit Manager | Continuously gathers evidence and maps it to common compliance frameworks, reducing manual audit effort. |
| IAM credential report & access reports | Credential report: per-user CSV of password, MFA and access-key status and age. IAM last-accessed data and IAM Access Analyzer (resources shared with external principals) support access reviews and least privilege. |
Encryption
- Encryption in transit – Protects data moving across networks (typically TLS/HTTPS). Keywords: “client‑to‑server encryption,” “secure communication channel.”
- Encryption at rest – Protects stored data (disks, databases, object storage). Most storage services (S3, EBS, RDS, DynamoDB) integrate with AWS KMS, so the choice is usually between AWS-managed keys and customer-managed keys you control through key policies. Keywords: “stored data encryption,” “disk/database/object encryption.”
Guideline:
- If a scenario mentions protecting data between client and AWS, choose encryption in transit.
- If it mentions protecting data stored in S3/EBS/database, choose encryption at rest.
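The two guidelines above are what a bucket policy enforces in practice. As an added example (not code from the original post), here is the S3 bucket policy a practitioner would attach to make both stick, next to the weak configuration it replaces, with a small evaluator that shows which constructed request each Deny statement catches. The bucket name, the SSE-KMS requirement and the sample requests are assumptions; the evaluator models only the three condition operators this policy uses.

```python
"""Bucket policy that enforces encryption in transit and at rest on S3.

Added example, not code from the original post. The bucket name
"example-audit-logs", the KMS requirement and the sample requests are
constructed. deny_reason() evaluates only the three condition operators
this policy uses (Bool, Null, StringNotEquals) plus "explicit Deny wins";
it is a teaching aid, not a reimplementation of IAM.
"""
import json

BUCKET_ARN = "arn:aws:s3:::example-audit-logs"  # assumed bucket

# Weak setting: a private bucket with no policy. Nothing stops a client from
# reading or writing over plaintext HTTP, or uploading without KMS encryption.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": []}

# Corrected setting: explicit Deny statements that apply to every principal.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {  # In transit: any call not made over TLS is refused.
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {  # At rest: uploads that request a different SSE type are refused.
            "Sid": "DenyWrongEncryptionType",
            "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": BUCKET_ARN + "/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {  # At rest: uploads that send no SSE header at all are refused.
            "Sid": "DenyMissingEncryptionHeader",
            "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": BUCKET_ARN + "/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}


def _condition_holds(condition, ctx):
    """Evaluate the operators used above against a request-context dict.

    ctx mirrors the IAM request context: aws:SecureTransport is "true"/"false",
    s3:x-amz-server-side-encryption is present only if the client sent it.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "Bool":
                if not present or ctx[key].lower() != expected.lower():
                    return False
            elif operator == "Null":
                # Null/"true" holds only when the key is absent from the request.
                if present == (expected == "true"):
                    return False
            elif operator == "StringNotEquals":
                # Modelled only for a present key; the Null statement above
                # covers the missing-header case explicitly.
                if not present or ctx[key] == expected:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled here")
    return True


def deny_reason(policy, action, ctx):
    """Return the Sid of the first Deny statement that matches, else None.

    Resource matching is omitted: every sample request targets this bucket.
    """
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        if statement["Action"] not in ("s3:*", action):
            continue
        if _condition_holds(statement.get("Condition", {}), ctx):
            return statement["Sid"]
    return None


# Constructed requests: (label, action, request context)
SAMPLE_REQUESTS = [
    ("plaintext HTTP GetObject", "s3:GetObject",
     {"aws:SecureTransport": "false"}),
    ("TLS PutObject with SSE-KMS", "s3:PutObject",
     {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "aws:kms"}),
    ("TLS PutObject with SSE-S3 (AES256)", "s3:PutObject",
     {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "AES256"}),
    ("TLS PutObject with no SSE header", "s3:PutObject",
     {"aws:SecureTransport": "true"}),
]


def evaluate_all(policy):
    """Map each sample request label to the Sid that denies it (or None)."""
    return {label: deny_reason(policy, action, ctx)
            for label, action, ctx in SAMPLE_REQUESTS}


if __name__ == "__main__":
    print(json.dumps(HARDENED_POLICY, indent=2))
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        for label, sid in evaluate_all(policy).items():
            print(f"{name:9} {label:38} -> {sid or 'not denied by this policy'}")
```

Apply the hardened document with `aws s3api put-bucket-policy --bucket example-audit-logs --policy file://policy.json`. Since January 2023 S3 encrypts new objects with SSE-S3 by default, so the two at-rest statements matter when you must mandate SSE-KMS specifically (customer-managed keys, key policies, CloudTrail records of key use); the in-transit statement is the standard control for “protect data between client and AWS”.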
Logging & Monitoring
- AWS CloudTrail – Records account activity and API calls (who did what, when, from where). Delivered to Amazon S3 (long‑term) and/or CloudWatch Logs (near‑real‑time monitoring).
- Amazon CloudWatch – Operational monitoring (metrics, alarms) and centralized log storage/analysis via CloudWatch Logs.
- VPC Flow Logs – Network‑flow metadata (accepted/rejected traffic) sent to CloudWatch Logs or S3.
- Load Balancer & S3 Access Logs – Service‑level access logs stored in S3.
Typical mappings
- “Audit API activity” → CloudTrail
- “Monitor and alert on logs/metrics” → CloudWatch
- “Track configuration history and drift” → AWS Config
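“Audit API activity → CloudTrail” only pays off if someone actually reads the records. As an added example (not code from the original post), here is a small set of detections run over a constructed CloudTrail log document: root-account activity, a successful console login without MFA, a call that switches the trail off, and a burst of AccessDenied errors from one principal. The account ID, ARNs, IP addresses, trail name and the threshold are assumptions.

```python
"""Simple detections over CloudTrail records.

Added example, not code from the original post. SAMPLE_LOG is a constructed
document in the {"Records": [...]} shape CloudTrail delivers to S3; the
account ID, ARNs, IPs and trail name are made up. The rules and the
AccessDenied threshold are this example's choices, not AWS defaults.
"""
import json
from collections import Counter

ACCOUNT = "123456789012"  # assumed account ID
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-06-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-06-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-06-01T08:06:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
     "requestParameters": {"name": "org-trail"}},
    # Three denied calls from one assumed role, as a permission probe would produce.
    *[{"eventTime": f"2024-06-01T08:1{i}:00Z", "eventSource": f"{svc}.amazonaws.com",
       "eventName": api, "sourceIPAddress": "192.0.2.44",
       "userIdentity": {"type": "AssumedRole",
                        "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/ReadOnly/scanner"},
       "errorCode": "AccessDenied",
       "errorMessage": f"not authorized to perform: {svc}:{api}"}
      for i, (svc, api) in enumerate([("iam", "CreateUser"), ("ec2", "RunInstances"),
                                      ("kms", "Decrypt")])],
    {"eventTime": "2024-06-01T08:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "requestParameters": {"bucketName": "example-audit-logs", "key": "2024/06/01.gz"}},
]})

# Management-plane calls that weaken or silence the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def parse_log(text):
    """Parse one CloudTrail log document into its list of records."""
    return json.loads(text)["Records"]


def _finding(rule, when, who, detail):
    return {"rule": rule, "time": when, "principal": who, "detail": detail}


def detect(records, denied_threshold=3):
    """Run the rules over records in delivery order and return findings."""
    findings = []
    denied = Counter()  # AccessDenied errors seen per principal ARN
    for r in records:
        ident = r.get("userIdentity", {})
        who, when, name = ident.get("arn", "unknown"), r.get("eventTime"), r.get("eventName")
        if ident.get("type") == "Root":
            findings.append(_finding("root_activity", when, who, name))
        if (r.get("eventSource") == "signin.amazonaws.com" and name == "ConsoleLogin"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append(_finding("console_login_without_mfa", when, who,
                                     r.get("sourceIPAddress")))
        if r.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            trail = r.get("requestParameters", {}).get("name")
            findings.append(_finding("cloudtrail_tampering", when, who, f"{name} on {trail}"))
        if r.get("errorCode") == "AccessDenied":
            denied[who] += 1
            if denied[who] == denied_threshold:  # fire once, when the threshold is crossed
                findings.append(_finding("access_denied_burst", when, who,
                                         f"{denied_threshold} AccessDenied errors"))
    return findings


def demo():
    """Findings for the constructed log, in record order."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['time']} {f['rule']:26} {f['principal']} ({f['detail']})")
```

In production the same rules run either over the gzipped log objects CloudTrail writes to S3 or, for the near-real-time path, as CloudWatch Logs metric filters on the trail's log group (the root-activity rule is what a filter such as `{ $.userIdentity.type = "Root" }` expresses). Keep the trail itself in a bucket the monitored account cannot delete from; the `cloudtrail_tampering` rule only helps if the last record before the trail goes quiet is still delivered.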
Reporting & Access Reports
The IAM credential report is a CSV with one row per IAM user plus the root user; it shows whether a console password is enabled and when it was last used, whether MFA is active, and when each access key was last rotated and last used. Reviewing it is the fastest way to find console users without MFA, keys that have not been rotated, keys that were created but never used, and active root access keys. Together with IAM last-accessed data it supports periodic access reviews and least-privilege cleanup.
Summary Cheat‑Sheet
- Encryption: Transit (TLS) vs. At‑rest (storage).
- Logging: CloudTrail (API audit) + CloudWatch (monitor/alerts/logs) + Config (configuration history/compliance drift).
- Security services: GuardDuty (threat detection), Inspector (vulnerability management), Security Hub (posture & findings aggregation), Shield (DDoS protection).
- Compliance resources: AWS Artifact (download reports) + AWS Compliance (program guidance).