Compliance & Auditing
Artifact, CloudTrail, Config, and Audit Manager — proving to auditors (and yourself) that your cloud is compliant.
AWS complies with dozens of programs — SOC, ISO 27001, PCI DSS, HIPAA, GDPR, FedRAMP — but remember the shared responsibility model: AWS's compliance certifications cover their infrastructure; you must still configure your workloads compliantly. Compliance requirements vary by industry and by service, so always check per-service.
The audit toolbox
AWS Artifact: self-service portal to download AWS's compliance reports (SOC, PCI, ISO) and agreements. The answer whenever auditors ask for AWS's certifications.
AWS CloudTrail: records every API call in your account: who did what, when, from where. The audit log and traceability backbone.
AWS Config: tracks resource configurations over time and evaluates them against rules (e.g., 'all EBS volumes must be encrypted'). Answers 'what changed, and is it compliant?'
AWS Audit Manager: continuously collects evidence and maps it to frameworks to automate audit preparation.
AWS Trusted Advisor: automated checks across cost, performance, security, fault tolerance, and service limits. Flags things like open security groups and missing MFA.
Classic distinctions: CloudTrail = who did what (API history). CloudWatch = how resources are performing (metrics/logs). Config = how resources are configured and whether that's compliant. Artifact = download AWS's own compliance documents. These four are endlessly cross-tested.
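To make the Config rule above concrete, here is an added example (not code from the page or from AWS) of the evaluation logic a custom Config rule Lambda would run for 'all EBS volumes must be encrypted'. The event shape follows the custom-rule contract Config uses; the volume ID, timestamp and result token are constructed sample values, and the put_evaluations call a deployed rule would make is left out so the code runs offline.

```python
import json

# Constructed sample of the event AWS Config sends a custom rule Lambda for
# one configuration item. Values are made up; the field layout is Config's.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Volume",
            "resourceId": "vol-0123456789abcdef0",          # constructed
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T12:00:00.000Z",
            "configuration": {"encrypted": False, "size": 100},
        },
    }),
    "ruleParameters": "{}",
    "resultToken": "constructed-result-token",
}

def evaluate_volume(item: dict) -> dict:
    """Return one Config evaluation for a configuration item.

    Rule: every AWS::EC2::Volume must have encrypted == True.
    Other resource types and deleted resources are NOT_APPLICABLE so they
    never skew the compliance count in either direction.
    """
    rtype = item["resourceType"]
    if rtype != "AWS::EC2::Volume":
        compliance, note = "NOT_APPLICABLE", f"{rtype} is not an EBS volume"
    elif item.get("configurationItemStatus") == "ResourceDeleted":
        compliance, note = "NOT_APPLICABLE", "volume has been deleted"
    elif item.get("configuration", {}).get("encrypted") is True:
        compliance, note = "COMPLIANT", "volume is encrypted"
    else:
        compliance, note = "NON_COMPLIANT", "volume is not encrypted"
    return {
        "ComplianceResourceType": rtype,
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

def lambda_handler(event: dict, context=None) -> list:
    """Build the evaluations a deployed rule would send to put_evaluations
    together with event['resultToken']. Oversized change notifications carry
    only a summary and need a get_resource_config_history call, so skip them."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking.get("configurationItem")
    if item is None:
        return []
    return [evaluate_volume(item)]
```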
Data privacy basics
Key points
- You retain ownership and control of your data — AWS doesn't access or use it except to provide services.
- Data stays in the Region you put it in unless you move or replicate it.
- Encryption, retention, and deletion policies are customer-controlled.
- For sensitive workloads, combine encryption (KMS), access control (IAM), logging (CloudTrail), and data discovery (Macie).
An auditor requests AWS's SOC 2 report. Where can the company obtain it?