Compliance & Auditing

Artifact, CloudTrail, Config, and Audit Manager — proving to auditors (and yourself) that your cloud is compliant.


AWS complies with dozens of programs — SOC, ISO 27001, PCI DSS, HIPAA, GDPR, FedRAMP — but remember the shared responsibility model: AWS's certifications cover the infrastructure AWS operates; you must still configure your own workloads compliantly. Compliance requirements vary by industry and by service, so always check the compliance scope of each service you use.

The audit toolbox

AWS Artifact

Self-service portal to download AWS's compliance reports (SOC, PCI, ISO) and agreements — the answer whenever auditors ask for AWS's certifications.

AWS CloudTrail

Records every API call in your account: who did what, when, from where. The audit log and traceability backbone.
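The "who did what, when, from where" question is answered directly from the fields of a CloudTrail record. The script below is an added example, not code from the page or from AWS: it parses a log file in the shape CloudTrail delivers to S3 (a top-level "Records" array) and pulls out the principal, the action, the timestamp, the source IP, and whether the call succeeded. The three records are constructed for this example (TEST-NET IP addresses, the documented example account ID 123456789012) and are not real events.

```python
"""Answer the audit question CloudTrail exists for: who did what, when,
and from where.  The records below are constructed for this example and
follow the CloudTrail log-file schema; they are not real events."""
import json
from collections import Counter

# Constructed CloudTrail log file, shaped like the JSON files CloudTrail
# delivers to S3: a top-level "Records" array of event objects.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "accountId": "123456789012",
                         "arn": "arn:aws:iam::123456789012:user/alice",
                         "userName": "alice"},
        "eventTime": "2024-05-01T10:15:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "readOnly": False,
    },
    {
        "eventVersion": "1.08",
        "userIdentity": {"type": "AssumedRole", "accountId": "123456789012",
                         "arn": "arn:aws:sts::123456789012:assumed-role/DevRole/bob"},
        "eventTime": "2024-05-01T10:20:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteBucket",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7",
        "errorCode": "AccessDenied",
        "errorMessage": "User is not authorized to perform: s3:DeleteBucket",
        "readOnly": False,
    },
    {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "accountId": "123456789012",
                         "arn": "arn:aws:iam::123456789012:user/alice",
                         "userName": "alice"},
        "eventTime": "2024-05-01T10:25:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "readOnly": True,
    },
]})


def load_records(log_text):
    """Parse a CloudTrail log file and return its list of event records."""
    return json.loads(log_text)["Records"]


def principal(record):
    """Who made the call: the principal ARN, falling back to the identity type."""
    identity = record.get("userIdentity", {})
    return identity.get("arn") or identity.get("type", "unknown")


def summarize(records):
    """One audit row per event, in time order: when, who, what, from where, outcome."""
    return [{
        "when": r["eventTime"],
        "who": principal(r),
        "what": f'{r["eventSource"].split(".")[0]}:{r["eventName"]}',
        "where": r.get("sourceIPAddress", "n/a"),
        "region": r.get("awsRegion"),
        "outcome": r.get("errorCode", "Success"),
    } for r in sorted(records, key=lambda r: r["eventTime"])]


def failed_calls(records):
    """Calls AWS rejected (errorCode present), e.g. AccessDenied: a principal
    trying actions it is not allowed is worth a look during an audit."""
    return [r for r in records if "errorCode" in r]


def mutating_calls(records):
    """Calls that changed something (readOnly false); these matter most for traceability."""
    return [r for r in records if not r.get("readOnly", True)]


def calls_by_principal(records):
    """How many calls each principal made; a quick activity baseline."""
    return Counter(principal(r) for r in records)


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for row in summarize(recs):
        print(row)
    print("failed:", [r["eventName"] for r in failed_calls(recs)])
    print("mutating:", [r["eventName"] for r in mutating_calls(recs)])
    print(calls_by_principal(recs))
```

In practice the log files arrive gzipped under the trail's S3 prefix, and the same questions are usually asked through Athena or CloudTrail Lake over many files; the record fields and the filtering logic are the same.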

AWS Config

Tracks resource configurations over time and evaluates them against rules (e.g., 'all EBS volumes must be encrypted'). Answers 'what changed, and is it compliant?'
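The two halves of what Config does, evaluating a recorded configuration against a rule and keeping the history so you can see when a resource drifted, can be shown with a few lines of logic. The script below is an added example, not code from the page or from AWS: its rule functions decide COMPLIANT / NON_COMPLIANT the way a custom Config rule's Lambda would, and `evaluate` returns a dict in the shape Config accepts in PutEvaluations. The configuration items are constructed and simplified (real items carry many more fields; the `ipPermissions` layout is an assumption for this example), and the EBS rule is the page's own "all EBS volumes must be encrypted".

```python
"""Evaluate AWS Config configuration items against compliance rules and
track compliance over time.  Configuration items are constructed and
simplified for this example; rule functions mirror what a custom Config
rule's Lambda would decide for one resource."""

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def ebs_volume_encrypted(ci):
    """Rule: every EBS volume must be encrypted at rest."""
    if ci["configuration"].get("encrypted"):
        return COMPLIANT, "Volume is encrypted"
    return NON_COMPLIANT, "Volume is not encrypted"


def no_open_ssh(ci):
    """Rule: no security group may allow SSH (tcp/22) from 0.0.0.0/0."""
    for perm in ci["configuration"].get("ipPermissions", []):
        proto, lo, hi = perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")
        covers_ssh = proto == "-1" or (proto == "tcp" and lo is not None and lo <= 22 <= hi)
        open_world = any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipRanges", []))
        if covers_ssh and open_world:
            return NON_COMPLIANT, "SSH open to 0.0.0.0/0"
    return COMPLIANT, "No world-open SSH rule"


# Resource type -> rule; anything else is NOT_APPLICABLE for this rule set.
RULES = {"AWS::EC2::Volume": ebs_volume_encrypted,
         "AWS::EC2::SecurityGroup": no_open_ssh}


def evaluate(ci):
    """Evaluate one configuration item; the result has the field names a
    custom rule reports back to Config in PutEvaluations."""
    rule = RULES.get(ci["resourceType"])
    compliance, note = (NOT_APPLICABLE, "No rule for this resource type") if rule is None else rule(ci)
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def compliance_timeline(history):
    """For the recorded configuration items of one resource, return
    (capture time, compliance) in time order: 'what changed, and when?'."""
    items = sorted(history, key=lambda c: c["configurationItemCaptureTime"])
    return [(c["configurationItemCaptureTime"], evaluate(c)["ComplianceType"]) for c in items]


def first_noncompliant_at(history):
    """Capture time at which the resource first became NON_COMPLIANT, or None."""
    for when, state in compliance_timeline(history):
        if state == NON_COMPLIANT:
            return when
    return None


def ci(resource_type, resource_id, captured, configuration):
    """Build a minimal, constructed configuration item."""
    return {"resourceType": resource_type, "resourceId": resource_id,
            "awsRegion": "us-east-1", "configurationItemCaptureTime": captured,
            "configuration": configuration}


# Constructed sample data: two volumes, and one security group recorded
# three times (restricted, then opened to the world, then restricted again).
VOLUMES = [
    ci("AWS::EC2::Volume", "vol-0aaa", "2024-05-01T09:00:00Z", {"encrypted": True}),
    ci("AWS::EC2::Volume", "vol-0bbb", "2024-05-01T09:00:00Z", {"encrypted": False}),
]
SG_HISTORY = [
    ci("AWS::EC2::SecurityGroup", "sg-0ccc", "2024-05-01T09:00:00Z",
       {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                           "ipRanges": [{"cidrIp": "10.0.0.0/8"}]}]}),
    ci("AWS::EC2::SecurityGroup", "sg-0ccc", "2024-05-01T10:15:00Z",
       {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                           "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}),
    ci("AWS::EC2::SecurityGroup", "sg-0ccc", "2024-05-01T11:00:00Z",
       {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                           "ipRanges": [{"cidrIp": "10.0.0.0/8"}]}]}),
]

if __name__ == "__main__":
    for v in VOLUMES:
        print(evaluate(v))
    print(compliance_timeline(SG_HISTORY))
    print("first non-compliant at:", first_noncompliant_at(SG_HISTORY))
```

The timeline output is the part auditors value: a resource that is compliant today may have spent two hours non-compliant, and Config's history is what proves (or disproves) that.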

AWS Audit Manager

Continuously collects evidence from your account and maps it to the controls of a chosen framework, automating audit preparation.

AWS Trusted Advisor

Automated checks across cost, performance, security, fault tolerance, and service limits — flags things like open security groups and missing MFA.

Exam tip

Classic distinctions: CloudTrail = who did what (API history). CloudWatch = how resources are performing (metrics/logs). Config = how resources are configured and whether that's compliant. Artifact = download AWS's own compliance documents. These four are endlessly cross-tested.

Data privacy basics

Key points

  • You retain ownership and control of your data — AWS doesn't access or use it except to provide services.
  • Data stays in the Region you put it in unless you move or replicate it.
  • Encryption, retention, and deletion policies are customer-controlled.
  • For sensitive workloads, combine encryption (KMS), access control (IAM), logging (CloudTrail), and data discovery (Macie).

Knowledge check
Question 1 of 4

An auditor requests AWS's SOC 2 report. Where can the company obtain it?