🛡️Exam Guide: Cloud Practitioner
Domain 2: Security & Compliance
📘Task Statement 2.2
🎯What Is This Task Testing?
You need to understand how AWS and customers address:
- Compliance & governance concepts (where to find compliance info, how requirements vary)
- Cloud security benefits (especially encryption)
- Security logging (where logs are captured and stored)
- Key security, governance, and compliance services and what they do
1) 🏛️ AWS Compliance & Governance Concepts
Governance: policies, controls, and oversight to ensure AWS use aligns with business goals and risk tolerance.
Compliance: meeting legal/regulatory/industry requirements (e.g., POPIA, HIPAA, PCI DSS, GDPR).
AWS provides a compliant cloud foundation, but you must configure and use services in a compliant way (shared responsibility).
2) 🗂️ Where to Find AWS Compliance Information
AWS Artifact
AWS Artifact is the go-to place for on-demand compliance reports and agreements, such as:
- SOC reports
- ISO reports
- other audit documentation
“Where do you download AWS compliance reports?” → AWS Artifact.
AWS Compliance
For understanding which programs AWS supports and general compliance guidance (across Regions/industries), use AWS Compliance resources.
“Where do you learn about AWS compliance programs by industry/region?” → AWS Compliance.
3) 🌍 Compliance Needs Vary by Geography and Industry
Compliance requirements commonly differ by:
- country/region data laws: data residency, privacy rules
- industry regulations: healthcare, finance, government
- service eligibility: not every AWS service is approved/eligible for every framework
Some frameworks require controls like encryption, logging, retention, and access auditing.
Some programs (e.g., HIPAA) have eligible services lists, so compliance can depend on which AWS services you choose.
4) 🔐 How Customers Secure Resources on AWS
Know the purpose of these services:
- Amazon GuardDuty: threat detection using signals like CloudTrail events, VPC Flow Logs, and DNS logs.
- AWS Security Hub: central “security posture” view; aggregates findings from multiple AWS services/tools.
- Amazon Inspector: automated vulnerability management (e.g., scanning for software vulnerabilities and exposure on supported resources).
- AWS Shield: DDoS protection (especially relevant for internet-facing apps).
5) 🔒 Encryption
Encryption in transit
Protects data while moving across networks.
- Typically uses TLS/HTTPS
- Keywords: “client-to-server encryption,” “secure communication channel”
Encryption at rest
Protects stored data (e.g., on disks, in databases, in object storage).
- Often integrated with AWS services and key management options
- Keywords: “stored data encryption,” “disk/database/object encryption”
If the question or scenario says “protect data moving between client and AWS,” choose encryption in transit. If it says “stored in S3/EBS/database,” choose encryption at rest.
6) 🧾 Where to Capture and Locate Security Logs
Security and compliance rely heavily on logging. Know what each log type records and where it typically ends up.
Core logging services and locations
- AWS CloudTrail: records account activity and API calls (who did what, when, from where).
  - Can be delivered to Amazon S3 (long-term storage) and/or CloudWatch Logs (alerting/near-real-time monitoring).
- Amazon CloudWatch: operational monitoring (metrics, alarms) and CloudWatch Logs for centralized log storage/analysis.
- AWS Config: records resource configuration changes and evaluates configuration against rules (useful for compliance drift).
Other common logs
- VPC Flow Logs: network flow metadata (accepted/rejected traffic) sent to CloudWatch Logs or S3.
- Load balancer access logs / S3 access logs: service-level access logging stored in S3.
“Audit API activity” → CloudTrail.
“Monitor and alert on logs/metrics” → CloudWatch.
“Track configuration history and drift” → AWS Config.
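To make the "who did what, when, from where" and "accepted/rejected traffic" distinction concrete, here is an added example (not part of the original guide) that parses a constructed CloudTrail record file and constructed VPC Flow Log lines in the default format; the account IDs, ENI IDs, IPs and user names are made up.

```python
import json
from collections import Counter

# Constructed sample CloudTrail records (not real events); field names follow
# the documented CloudTrail record schema.
CLOUDTRAIL_RECORDS = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-05-01T10:16:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-05-01T10:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-west-1",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "Root"}},
]})

# Constructed VPC Flow Log lines in the default (version 2) record format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOG_LINES = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40123 22 6 10 840 1714558800 1714558860 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.2.30 51000 443 6 25 3300 1714558800 1714558860 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40124 3389 6 4 240 1714558860 1714558920 REJECT OK
"""

def summarize_cloudtrail(raw_json):
    """Answer 'who did what, when, from where' for each record; 'ok' is False on an API error."""
    rows = []
    for r in json.loads(raw_json)["Records"]:
        ident = r.get("userIdentity", {})
        who = ident.get("userName") or ident.get("type", "unknown")
        rows.append({"who": who,
                     "what": f'{r["eventSource"].split(".")[0]}:{r["eventName"]}',
                     "when": r["eventTime"],
                     "where": f'{r["sourceIPAddress"]} ({r["awsRegion"]})',
                     "ok": "errorCode" not in r})
    return rows

def summarize_flow_logs(raw_text):
    """Count flows per (srcaddr, dstport, action) so rejected traffic stands out."""
    counts = Counter()
    for line in raw_text.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2":  # skip malformed or non-default-format lines
            continue
        counts[(f[3], int(f[6]), f[12])] += 1
    return counts

if __name__ == "__main__":
    for row in summarize_cloudtrail(CLOUDTRAIL_RECORDS):
        print(row)
    for key, n in summarize_flow_logs(FLOW_LOG_LINES).items():
        print(key, n)
```

In practice these records would be read from the S3 bucket or CloudWatch Logs group the trail and flow log are delivered to; the parsing logic is the same.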
7) 🧩 Governance and Compliance Services
Recognize which tools align to monitoring, auditing, and reporting:
- Monitoring: Amazon CloudWatch
- Auditing: AWS CloudTrail, AWS Config, AWS Audit Manager
- Reporting / access reports: IAM reporting tools such as IAM credential reports and other access-related reports, used to review who has access and to support governance
AWS Audit Manager
Helps continuously gather evidence and map it to common compliance frameworks, reducing manual audit effort.
✅ Quick Exam-Style Summary
- AWS Artifact: download compliance reports and agreements.
- AWS Compliance resources: learn about programs by industry/region.
- Encryption: in transit (TLS) vs at rest (stored data).
- Logging: CloudTrail (API audit) + CloudWatch (monitor/alerts/logs) + Config (configuration history/compliance drift).
- Security services: GuardDuty (threat detection), Inspector (vuln management), Security Hub (posture + findings aggregation), Shield (DDoS protection).
- Compliance can vary by Region, industry, and service eligibility.