AWS Certified Cloud Practitioner (CLF-C02) #5 Domain 2-2 Compliance — Governance, AWS Artifact, GDPR/HIPAA


#4 anchored the shared responsibility model and IAM basics. This post is the second half of Domain 2 — compliance certifications, governance and audit tools, security operations tools, and data encryption.

The vocabulary in this area is heavy, so it can feel daunting, but the exam patterns are formulaic. Memorizing each tool paired with the kind of question it answers is enough.

AWS compliance certifications #

AWS holds certifications under a wide range of global compliance standards. The existence of a certification is itself evidence that AWS meets the control items of that standard.

Certifications that show up often #

| Certification | Meaning | Which workloads |
|---|---|---|
| SOC 1 / 2 / 3 | Audit of accounting and operational controls (US AICPA) | General enterprise audit material |
| ISO 27001 / 27017 / 27018 | Information security management systems (international standard) | General security certification |
| PCI DSS | Credit card payment information handling | Payment systems |
| HIPAA | US healthcare information protection | Healthcare data |
| GDPR | EU personal data protection regulation | EU user data |
| FedRAMP | US federal government cloud standard | US government workloads |
| FISMA | US Federal Information Security Management Act | US federal agencies |
| ITAR | US defense and space-related data | Defense and space workloads (GovCloud) |

Two compliance points people get wrong #

1) The trap of “AWS is certified, so my workload is automatically compliant”

This is the same context as the shared responsibility model. AWS is certified at the infrastructure level, but the customer workload that runs on top still has to meet the requirements of that standard separately.

Example: HIPAA — AWS provides a list of HIPAA Eligible Services, but if you run an app that handles healthcare data on top of those services, the customer also has to sign a BAA (Business Associate Addendum) and apply the appropriate security controls.

2) GDPR and data sovereignty

GDPR applies to any organization that handles personal data of EU citizens. If a Korean company serves EU users, it falls under GDPR. AWS provides the tools needed for GDPR compliance (DPA, region selection, encryption), but the decision to keep data in an EU region (e.g., eu-west-1) is the customer’s responsibility.

AWS Artifact #

A self-service portal for downloading AWS compliance reports and agreements. It’s free.

| Feature | Description |
|---|---|
| Reports | Download certification reports such as SOC, ISO, and PCI |
| Agreements | Sign agreements like BAA (for HIPAA) and DPA (for GDPR) |

Exam patterns #

“Where do I get AWS’s SOC 2 audit report?” → AWS Artifact.

“How do I sign a BAA with AWS for HIPAA compliance?” → Sign the BAA in AWS Artifact.

What Artifact does not cover #

Artifact only provides AWS’s own certification documents. Compliance checks on the customer’s own workload are done with separate tools (Audit Manager, etc.).

Governance and audit tools #

AWS CloudTrail — API call audit log #

Records who called which API, and when.

| Attribute | Value |
|---|---|
| Default enablement | The last 90 days of event history are viewable in the console by default |
| Permanent retention | Set up a separate trail that stores events in an S3 bucket |
| Global vs. regional | Global services (IAM, STS) are global; regional services are recorded per region |
| Integration | Send to CloudWatch Logs for alarms |

CloudTrail scenarios on the exam:

  • “Track who changed the ACL on an S3 bucket last week” → CloudTrail
  • “Audit who created which resources after a security incident” → CloudTrail

AWS Config — Resource configuration change tracking #

Records how the configuration of a resource has changed over time.

| Attribute | Value |
|---|---|
| Tracking unit | The configuration (settings) of each AWS resource and its change history |
| Rule evaluation | Automatic evaluation against rules like “S3 buckets must have public access blocked” |
| Non-compliant resource identification | Resources that violate Config Rules are automatically flagged |

How not to confuse CloudTrail with Config:

  • CloudTrail — who called what (an action log)
  • Config — the current state and change history of resources

On the exam: “Automatically verify that an S3 bucket always has public access blocked” → AWS Config.

“Find who modified a security group” → CloudTrail.
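The CloudTrail-vs-Config split above, as an added example (not from the original post): the first function answers the CloudTrail question (who changed security group sg-0abc, and when) over constructed CloudTrail records, and the second evaluates constructed Config configuration items the way a Config rule for S3 public access block would, reporting state rather than actors. The event records, bucket names and account id are all made up.

```python
# Constructed CloudTrail records (not real logs); field names follow CloudTrail's schema.
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2024-05-01T09:12:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0abc"}},
    {"eventTime": "2024-05-01T10:30:00Z", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"bucketName": "logs"}},
    {"eventTime": "2024-05-02T14:05:00Z", "eventName": "RevokeSecurityGroupEgress",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/ci"},
     "requestParameters": {"groupId": "sg-0abc"}},
]

# EC2 API calls that change security group rules.
SG_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress", "ModifySecurityGroupRules",
}

def who_changed_security_group(events, group_id):
    """CloudTrail question: who called which API, and when. Returns (time, actor, action)."""
    hits = []
    for e in events:
        if e["eventName"] in SG_CHANGE_EVENTS and e["requestParameters"].get("groupId") == group_id:
            ident = e["userIdentity"]
            actor = ident.get("userName") or ident.get("arn")  # IAM user or assumed-role ARN
            hits.append((e["eventTime"], actor, e["eventName"]))
    return sorted(hits)

# Constructed Config configuration items for two S3 buckets (the "current state" view).
CONFIG_ITEMS = [
    {"resourceId": "public-site", "PublicAccessBlock": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": False, "RestrictPublicBuckets": True}},
    {"resourceId": "internal-data", "PublicAccessBlock": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
]
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def evaluate_public_access_rule(items):
    """Config question: is each resource in the required state? All four flags must be on."""
    result = {}
    for item in items:
        pab = item.get("PublicAccessBlock", {})  # a bucket with no block at all is also non-compliant
        compliant = all(pab.get(flag) is True for flag in PAB_FLAGS)
        result[item["resourceId"]] = "COMPLIANT" if compliant else "NON_COMPLIANT"
    return result
```

Note that the bucket named "public-site" is flagged because a single flag (BlockPublicPolicy) is off; a Config rule reports state, and CloudTrail would be the place to look for who turned that flag off.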

AWS Organizations and SCP #

A service for grouping and managing multiple accounts.

| Feature | Description |
|---|---|
| Consolidated Billing | Combine billing across multiple accounts |
| OU (Organizational Unit) | Bundle accounts into a tree structure |
| SCP (Service Control Policy) | Set a permission ceiling on an OU or account |

How SCPs work: If you attach an SCP that says “EC2 cannot be created” to an OU, every account inside that OU is actually unable to create EC2 instances, even if their IAM permissions allow it. SCPs operate as a ceiling (guardrail): they can take permissions away but never grant any.

On the exam:

  • “View billing for multiple accounts in one place?” → AWS Organizations (Consolidated Billing)
  • “Block developer accounts from using a specific region?” → SCP
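The ceiling behaviour and the “block a region with an SCP” pattern, as an added example (not from the original post): a constructed SCP in AWS's JSON policy shape denies every non-global action whose aws:RequestedRegion is outside the allowed list, and a simplified evaluator shows that a developer IAM policy allowing ec2:* is still refused in us-east-1. The policies, region list and evaluation logic are simplified assumptions; a real evaluation also needs an SCP allow (the default FullAWSAccess policy is assumed here) and ignores the management account.

```python
# Constructed SCP: deny everything unless the request targets an allowed region.
# Global services (IAM, STS, Organizations, Support) are exempted via NotAction.
REGION_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}},
    }],
}

# Constructed IAM identity policy for a developer: EC2 is allowed everywhere.
DEVELOPER_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "iam:GetUser"], "Resource": "*"}],
}

def _action_matches(pattern, action):
    """Supports '*', 'service:*' and exact action names (enough for the policies above)."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action

def _statement_applies(stmt, action, context):
    """True when the statement's Action/NotAction and StringNotEquals condition match the request."""
    if "Action" in stmt:
        if not any(_action_matches(a, action) for a in stmt["Action"]):
            return False
    elif any(_action_matches(a, action) for a in stmt["NotAction"]):
        return False  # NotAction: the statement applies to everything NOT listed
    for key, values in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
        if context.get(key) in values:
            return False  # requested region is in the allowed list, condition not met
    return True

def is_allowed(action, context, iam_policy, scp):
    """Simplified decision: the IAM policy must allow, and no SCP statement may deny.
    An SCP deny wins over any IAM allow, which is what makes it a ceiling."""
    iam_allow = any(s["Effect"] == "Allow" and _statement_applies(s, action, context)
                    for s in iam_policy["Statement"])
    scp_deny = any(s["Effect"] == "Deny" and _statement_applies(s, action, context)
                   for s in scp["Statement"])
    return iam_allow and not scp_deny
```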

AWS Control Tower #

A governance automation service that sits on top of Organizations. It automates the setup of multi-account environments and enforces best practices.

It rarely appears as the answer, but it shows up among choices in questions like “How do I quickly set up a landing zone?”

Security operations tools #

Amazon GuardDuty — Threat detection #

A service that analyzes CloudTrail, VPC Flow Logs, and DNS Logs to automatically detect malicious activity.

  • Suspicious API calls (e.g., a root login from an unusual location)
  • Communication with known malicious IPs
  • Patterns like cryptocurrency mining

No separate agent installation required. Just turn it on.

Amazon Inspector — Vulnerability scanning #

Scans EC2 instances, container images, and Lambda functions for known security vulnerabilities (CVEs).

  • “Does this EC2’s OS have unpatched vulnerabilities?”
  • “Does this container image have known CVEs?”

Amazon Macie — Sensitive data identification #

Identifies sensitive information (PII, credit card numbers, healthcare information, and so on) in data stored in S3.

  • Automatically classifies sensitive data using machine learning
  • Detects accidental exposure (e.g., whether PII sits in a public bucket)

AWS Security Hub — Unified security dashboard #

Aggregates findings from multiple security services like GuardDuty, Inspector, and Macie into a single dashboard.

AWS Shield — DDoS protection #

| Tier | Description |
|---|---|
| Shield Standard | Included by default, free. Standard L3/L4 DDoS protection |
| Shield Advanced | Paid ($3,000/month). More sophisticated protection + a DDoS response team |

AWS WAF — Web application firewall #

Filters HTTP/HTTPS requests according to rules. Defends against L7 attacks like SQL Injection and XSS.

Telling the security tools apart #

When these tools all appear in answer choices, split them with the following criteria:

| “What do I want to know?” | Tool |
|---|---|
| Detect suspicious activity | GuardDuty |
| Scan OS / app vulnerabilities | Inspector |
| Automatic classification of sensitive data in S3 | Macie |
| Aggregate multiple security findings | Security Hub |
| DDoS protection | Shield |
| Web attack defense (SQL Injection, etc.) | WAF |
| API call audit log | CloudTrail |
| Resource configuration change history | Config |

Data encryption #

Where the two kinds of encryption sit #

| Type | Meaning | Examples |
|---|---|---|
| Encryption at rest | Encryption while stored | S3 object encryption, EBS volume encryption |
| Encryption in transit | Encryption during transmission | HTTPS/TLS, VPN |

Most AWS services support both.

AWS KMS (Key Management Service) #

A central service for managing encryption keys.

| Attribute | Value |
|---|---|
| Key types | AWS managed key / Customer managed key / AWS owned key |
| Integration | More than 70 services including S3, EBS, RDS, and DynamoDB integrate with KMS |
| Rotation | Customer managed keys can be set to rotate automatically (once a year) |
| Audit | Key usage is logged to CloudTrail |

KMS scenarios on the exam:

  • “How do I encrypt S3 objects?” → SSE-KMS (S3 Server-Side Encryption with KMS)
  • “How do I encrypt an EBS volume?” → Use a KMS key
  • “How do I automate encryption key rotation?” → Enable KMS automatic rotation

AWS CloudHSM #

A service that provides a dedicated hardware security module (HSM). Compared with KMS:

| Item | KMS | CloudHSM |
|---|---|---|
| Management | AWS-managed | Dedicated HSM used solely by the customer |
| Certification | FIPS 140-2 Level 3 | FIPS 140-2 Level 3 |
| Use case | General encryption for all workloads | Strong regulation (PCI DSS Level 1, finance, etc.) |
| Cost | $1/key/month + usage calls | $1.6/hour |

KMS is sufficient for most cases. CloudHSM is for the special case where “a dedicated HSM is a regulatory requirement”.

AWS Secrets Manager vs. Parameter Store #

Two services for handling secret credentials.

| Item | Secrets Manager | Systems Manager Parameter Store |
|---|---|---|
| Automatic rotation | Supported (RDS, Redshift, etc.) | Not supported |
| Pricing | $0.40/secret/month + API calls | Standard parameters are free |
| Use case | Automatic rotation of DB passwords | General config values and secrets |

Security scenario-to-answer mapping #

A summary of common exam scenarios and their answers.

| Scenario | Answer |
|---|---|
| I want suspicious activity detected automatically | GuardDuty |
| I want sensitive data in S3 classified automatically | Macie |
| I want to scan OS vulnerabilities on EC2 instances | Inspector |
| I want to track who called which API | CloudTrail |
| Automatically verify that an S3 bucket always has public access blocked | Config |
| Combined billing for multiple accounts | Organizations (Consolidated Billing) |
| Block a specific OU from using a specific region | SCP |
| Download the SOC 2 audit report | Artifact |
| Sign the HIPAA BAA | Artifact |
| DDoS protection (baseline) | Shield Standard |
| Web attack defense (SQL Injection, XSS) | WAF |
| Encryption key management | KMS |
| Dedicated HSM required (strong regulation) | CloudHSM |
| Automatic rotation of DB passwords | Secrets Manager |

Common traps #

1) “AWS is certified, so my workload is automatically compliant” #

A trap. The certification is only at the infrastructure level; the customer workload has to be brought into compliance separately.

2) Confusing CloudTrail and Config #

  • CloudTrail = who made the call
  • Config = what state the resource is in

3) Applying separately for Shield Standard #

Shield Standard is included by default and free. You don’t apply for it separately.

4) Confusing GuardDuty and Inspector #

  • GuardDuty = activity detection (suspicious API calls, traffic)
  • Inspector = vulnerability scanning (CVEs in OS and apps)

5) Treating Macie as a general data classification tool #

Macie is a sensitive data classification tool scoped to S3 only. It does not apply to other data stores like RDS or DynamoDB.

6) Picking KMS vs. CloudHSM based on cost #

The only reason KMS isn’t enough is a regulatory requirement for a dedicated HSM. Cost is secondary.

7) Thinking AWS Artifact checks your workload #

Artifact provides AWS’s own certification documents. Customer workload checks go through other tools like Audit Manager.

Wrap-up #

What this post locked in:

  • Compliance certifications — SOC / ISO / PCI DSS / HIPAA / GDPR / FedRAMP / FISMA / ITAR
  • What certifications mean — control items at the AWS infrastructure level. Customer workloads are separate
  • AWS Artifact — Download certification reports and agreements (BAA, DPA)
  • Governance and audit tools — CloudTrail (API calls) / Config (resource configuration) / Organizations (account grouping) / SCP (guardrails)
  • Security operations tools — GuardDuty (threats) / Inspector (vulnerabilities) / Macie (sensitive data) / Security Hub (aggregation) / Shield (DDoS) / WAF (web)
  • Data encryption — At rest and in transit. KMS is the standard; only strong regulation calls for CloudHSM
  • Secrets Manager handles automatic rotation; Parameter Store covers general config
  • Traps — scope of certifications / CloudTrail-vs-Config confusion / applying separately for Shield Standard / GuardDuty-vs-Inspector confusion / Macie being S3-only / the limits of Artifact

Next — Domain 3 core services #

Domain 2 is done. Next up is Domain 3 — Cloud Technology and Services (34%), which has the widest surface area on the exam.

#6 Domain 3-1 Core Services — Compute and Storage walks through compute (EC2, Lambda, ECS, Fargate, Elastic Beanstalk, Lightsail) and storage (S3 storage classes, EBS, EFS, FSx, Storage Gateway, Glacier). The volume is large, but it compresses down to a workload → service mapping.
