AWS Certified Cloud Practitioner (CLF-C02) #5 Domain 2-2 Compliance — Governance, AWS Artifact, GDPR/HIPAA
#4 anchored the shared responsibility model and IAM basics. This post is the second half of Domain 2 — compliance certifications, governance and audit tools, security operations tools, and data encryption.
The vocabulary in this area is heavy, so it can feel daunting, but the exam patterns are formulaic. Memorizing each tool together with the kind of question it answers is enough.
AWS compliance certifications #
AWS holds certifications under a wide range of global compliance standards. The existence of a certification is itself evidence that AWS meets the control items of that standard.
Certifications that show up often #
| Certification | Meaning | Which workloads |
|---|---|---|
| SOC 1 / 2 / 3 | Audit of accounting and operational controls (US AICPA) | General enterprise audit material |
| ISO 27001 / 27017 / 27018 | Information security management systems (international standard) | General security certification |
| PCI DSS | Credit card payment information handling | Payment systems |
| HIPAA | US healthcare information protection | Healthcare data |
| GDPR | EU personal data protection regulation | EU user data |
| FedRAMP | US federal government cloud standard | US government workloads |
| FISMA | US Federal Information Security Management Act | US federal agencies |
| ITAR | US defense and space-related data | Defense and space workloads (GovCloud) |
Two compliance points people get wrong #
1) The trap of “AWS is certified, so my workload is automatically compliant”
This is the same context as the shared responsibility model. AWS is certified at the infrastructure level, but the customer workload that runs on top still has to meet the requirements of that standard separately.
Example: HIPAA — AWS provides a list of HIPAA Eligible Services, but if you run an app that handles healthcare data on top of those services, the customer also has to sign a BAA (Business Associate Addendum) and apply the appropriate security controls.
2) GDPR and data sovereignty
GDPR applies to any organization that handles personal data of EU citizens. If a Korean company serves EU users, it falls under GDPR. AWS provides the tools needed for GDPR compliance (DPA, region selection, encryption), but the decision to keep data in an EU region (e.g., eu-west-1) is the customer’s responsibility.
AWS Artifact #
A self-service portal for downloading AWS compliance reports and agreements. It’s free.
| Feature | Description |
|---|---|
| Reports | Download certification reports such as SOC, ISO, and PCI |
| Agreements | Sign agreements like BAA (for HIPAA) and DPA (for GDPR) |
Exam patterns #
“Where do I get AWS’s SOC 2 audit report?” → AWS Artifact.
“How do I sign a BAA with AWS for HIPAA compliance?” → Sign the BAA in AWS Artifact.
What Artifact does not cover #
Artifact only provides AWS’s own certification documents. Compliance checks on the customer’s own workload are done with separate tools (Audit Manager, etc.).
Governance and audit tools #
AWS CloudTrail — API call audit log #
Records who called which API, and when.
| Attribute | Value |
|---|---|
| Default enablement | The last 90 days of event history are viewable in the console by default |
| Permanent retention | Set up a separate trail that stores events in an S3 bucket |
| Global vs. regional | Events from global services (IAM, STS) are recorded once rather than per region; events from regional services are recorded in the region where the call was made |
| Integration | Send to CloudWatch Logs for alarms |
CloudTrail scenarios on the exam:
- “Track who changed the ACL on an S3 bucket last week” → CloudTrail
- “Audit who created which resources after a security incident” → CloudTrail
AWS Config — Resource configuration change tracking #
Records how the configuration of a resource has changed over time.
| Attribute | Value |
|---|---|
| Tracking unit | The configuration (settings) of each AWS resource and its change history |
| Rule evaluation | Automatic evaluation against rules like “S3 buckets must have public access blocked” |
| Non-compliant resource identification | Resources that violate Config Rules are automatically flagged |
How not to confuse CloudTrail with Config:
- CloudTrail — who called what (an action log)
- Config — the current state and change history of resources
On the exam:
- “Automatically verify that an S3 bucket always has public access blocked” → AWS Config
- “Find who modified a security group” → CloudTrail
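The two exam scenarios above, worked through on constructed data as an added example (not code from the original post): a CloudTrail search answers “who modified this security group?”, while a Config-style rule answers “is this bucket compliant right now?”. The record and configuration-item layouts follow the real formats as far as the example needs them, but every value (account id, bucket name, group id, user names) is made up.

```python
"""Added example: CloudTrail (who did what) vs. a Config-style rule (what
state a resource is in). All sample data below is constructed."""
import json

# Constructed CloudTrail records; field names follow the real event format.
CLOUDTRAIL_RECORDS = json.loads("""{"Records": [
 {"eventTime": "2024-05-01T09:12:00Z", "eventName": "DescribeSecurityGroups",
  "eventSource": "ec2.amazonaws.com", "awsRegion": "ap-northeast-2",
  "userIdentity": {"type": "IAMUser", "userName": "alice"}, "requestParameters": {}},
 {"eventTime": "2024-05-01T09:14:31Z", "eventName": "AuthorizeSecurityGroupIngress",
  "eventSource": "ec2.amazonaws.com", "awsRegion": "ap-northeast-2",
  "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
 {"eventTime": "2024-05-02T17:40:05Z", "eventName": "RevokeSecurityGroupEgress",
  "eventSource": "ec2.amazonaws.com", "awsRegion": "ap-northeast-2",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci"},
  "requestParameters": {"groupId": "sg-0123456789abcdef0"}}
]}""")

# Only the EC2 API calls that change a security group; read-only calls
# such as DescribeSecurityGroups are noise for this question.
SG_MUTATIONS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
                "DeleteSecurityGroup"}

def who_modified_sg(records, group_id):
    """CloudTrail question: return (time, principal, action) for every change."""
    hits = []
    for r in records["Records"]:
        if r["eventName"] in SG_MUTATIONS and r["requestParameters"].get("groupId") == group_id:
            who = r["userIdentity"].get("userName") or r["userIdentity"].get("arn")
            hits.append((r["eventTime"], who, r["eventName"]))
    return hits

# Constructed configuration item in the shape a Config rule receives
# (assumption: the PublicAccessBlock settings sit under supplementaryConfiguration).
S3_CONFIG_ITEM = {
    "resourceType": "AWS::S3::Bucket", "resourceId": "finance-reports",
    "supplementaryConfiguration": {"PublicAccessBlockConfiguration": {
        "blockPublicAcls": True, "ignorePublicAcls": True,
        "blockPublicPolicy": False, "restrictPublicBuckets": True}}}

def evaluate_public_access_block(item):
    """Config question: compliant only if all four block settings are on."""
    pab = item.get("supplementaryConfiguration", {}).get("PublicAccessBlockConfiguration", {})
    required = ("blockPublicAcls", "ignorePublicAcls", "blockPublicPolicy", "restrictPublicBuckets")
    missing = [k for k in required if not pab.get(k)]
    return ("COMPLIANT" if not missing else "NON_COMPLIANT"), missing

if __name__ == "__main__":
    print(who_modified_sg(CLOUDTRAIL_RECORDS, "sg-0123456789abcdef0"))
    print(evaluate_public_access_block(S3_CONFIG_ITEM))
```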
AWS Organizations and SCP #
A service for grouping and managing multiple accounts.
| Feature | Description |
|---|---|
| Consolidated Billing | Combine billing across multiple accounts |
| OU (Organizational Unit) | Bundle accounts into a tree structure |
| SCP (Service Control Policy) | Set a permission ceiling on an OU or account |
How SCPs work: If you attach an SCP that says “EC2 cannot be created” to an OU, every account inside that OU is actually unable to create EC2 instances, even if their IAM permissions allow it. SCPs operate as a ceiling (guardrail): they never grant permissions on their own, they only cap what IAM policies can grant.
On the exam:
- “View billing for multiple accounts in one place?” → AWS Organizations (Consolidated Billing)
- “Block developer accounts from using a specific region?” → SCP
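The “SCP as a ceiling” rule and the region-blocking scenario above, modelled as an added example (not code from the original post). The real IAM evaluation has more steps (resource policies, permission boundaries, session policies); this keeps only what the post describes: an explicit Deny in the SCP wins, and otherwise an action needs an Allow in the SCP and an Allow in the IAM policy. Both policies are constructed; `aws:RequestedRegion` is a real global condition key, and the regions and the NotAction exemption list are assumptions for the example.

```python
"""Added example: a simplified SCP + IAM evaluator. Policies are constructed."""
import fnmatch

# SCP for a "Developers" OU: allow everything, but deny any call made outside
# the two approved regions. Global services (IAM, STS, ...) are exempted from
# the region check because their calls are not tied to those regions.
REGION_GUARDRAIL_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
     "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["ap-northeast-2", "us-east-1"]}}}]}

# IAM identity policy of a developer inside that OU: broad EC2 rights only.
DEVELOPER_IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

def _matches(patterns, action):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def _statement_applies(stmt, action, ctx):
    if "Action" in stmt and not _matches(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _matches(stmt["NotAction"], action):
        return False
    for op, keys in stmt.get("Condition", {}).items():
        for key, values in keys.items():
            values = [values] if isinstance(values, str) else values
            # An absent key makes StringNotEquals true and StringEquals false.
            if op == "StringNotEquals" and ctx.get(key) in values:
                return False
            if op == "StringEquals" and ctx.get(key) not in values:
                return False
    return True

def _decision(policy, action, ctx):
    effects = {s["Effect"] for s in policy["Statement"] if _statement_applies(s, action, ctx)}
    return "Deny" if "Deny" in effects else ("Allow" if "Allow" in effects else "ImplicitDeny")

def is_allowed(scp, iam_policy, action, ctx):
    """The SCP is a ceiling; the IAM policy must still grant the action within it."""
    return _decision(scp, action, ctx) == "Allow" and _decision(iam_policy, action, ctx) == "Allow"

if __name__ == "__main__":
    for region in ("ap-northeast-2", "eu-west-1"):
        ctx = {"aws:RequestedRegion": region}
        print(region, "ec2:RunInstances ->",
              is_allowed(REGION_GUARDRAIL_SCP, DEVELOPER_IAM_POLICY, "ec2:RunInstances", ctx))
```

Running it shows RunInstances allowed in ap-northeast-2 and denied in eu-west-1; `iam:CreateUser` stays denied everywhere because the SCP permits it but the developer's IAM policy never grants it.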
AWS Control Tower #
A governance automation service that sits on top of Organizations. It automates the setup of multi-account environments and enforces best practices.
It rarely appears as the answer, but it shows up among choices in questions like “How do I quickly set up a landing zone?”
Security operations tools #
Amazon GuardDuty — Threat detection #
A service that analyzes CloudTrail, VPC Flow Logs, and DNS Logs to automatically detect malicious activity.
- Suspicious API calls (e.g., a root login from an unusual location)
- Communication with known malicious IPs
- Patterns like cryptocurrency mining
No separate agent installation required. Just turn it on.
Amazon Inspector — Vulnerability scanning #
Scans EC2 instances, container images, and Lambda functions for known security vulnerabilities (CVEs).
- “Does this EC2’s OS have unpatched vulnerabilities?”
- “Does this container image have known CVEs?”
Amazon Macie — Sensitive data identification #
Identifies sensitive information (PII, credit card numbers, healthcare information, and so on) in data stored in S3.
- Automatically classifies sensitive data using machine learning
- Detects accidental exposure (e.g., whether PII sits in a public bucket)
AWS Security Hub — Unified security dashboard #
Aggregates findings from multiple security services like GuardDuty, Inspector, and Macie into a single dashboard.
AWS Shield — DDoS protection #
| Tier | Description |
|---|---|
| Shield Standard | Included by default, free. Standard L3/L4 DDoS protection |
| Shield Advanced | Paid ($3,000/month). More sophisticated protection + a DDoS response team |
AWS WAF — Web application firewall #
Filters HTTP/HTTPS requests according to rules. Defends against L7 attacks like SQL Injection and XSS.
Telling the security tools apart #
When these tools all appear in answer choices, split them with the following criteria:
| “What do I want to know?” | Tool |
|---|---|
| Detect suspicious activity | GuardDuty |
| Scan OS / app vulnerabilities | Inspector |
| Automatic classification of sensitive data in S3 | Macie |
| Aggregate multiple security findings | Security Hub |
| DDoS protection | Shield |
| Web attack defense (SQL Injection, etc.) | WAF |
| API call audit log | CloudTrail |
| Resource configuration change history | Config |
Data encryption #
Where the two kinds of encryption sit #
| Type | Meaning | Examples |
|---|---|---|
| Encryption at rest | Encryption while stored | S3 object encryption, EBS volume encryption |
| Encryption in transit | Encryption during transmission | HTTPS/TLS, VPN |
Most AWS services support both.
AWS KMS (Key Management Service) #
A central service for managing encryption keys.
| Attribute | Value |
|---|---|
| Key types | AWS managed key / Customer managed key / AWS owned key |
| Integration | More than 70 services including S3, EBS, RDS, and DynamoDB integrate with KMS |
| Rotation | Customer managed keys can be set to rotate automatically (once a year) |
| Audit | Key usage is logged to CloudTrail |
KMS scenarios on the exam:
- “How do I encrypt S3 objects?” → SSE-KMS (S3 Server-Side Encryption with KMS)
- “How do I encrypt an EBS volume?” → Use a KMS key
- “How do I automate encryption key rotation?” → Enable KMS automatic rotation
AWS CloudHSM #
A service that provides a dedicated hardware security module (HSM). Compared with KMS:
| Item | KMS | CloudHSM |
|---|---|---|
| Management | AWS-managed | Dedicated HSM used solely by the customer |
| Certification | FIPS 140-2 Level 3 | FIPS 140-2 Level 3 |
| Use case | General encryption for all workloads | Strong regulation (PCI DSS Level 1, finance, etc.) |
| Cost | $1/key/month + usage calls | $1.6/hour |
KMS is sufficient for most cases. CloudHSM is for the special case where “a dedicated HSM is a regulatory requirement”.
AWS Secrets Manager vs. Parameter Store #
Two services for handling secret credentials.
| Item | Secrets Manager | Systems Manager Parameter Store |
|---|---|---|
| Automatic rotation | Supported (RDS, Redshift, etc.) | Not supported |
| Pricing | $0.40/secret/month + API calls | Standard parameters are free |
| Use case | Automatic rotation of DB passwords | General config values and secrets |
Security scenario-to-answer mapping #
A summary of common exam scenarios and their answers.
| Scenario | Answer |
|---|---|
| I want suspicious activity detected automatically | GuardDuty |
| I want sensitive data in S3 classified automatically | Macie |
| I want to scan OS vulnerabilities on EC2 instances | Inspector |
| I want to track who called which API | CloudTrail |
| Automatically verify that an S3 bucket always has public access blocked | Config |
| Combined billing for multiple accounts | Organizations (Consolidated Billing) |
| Block a specific OU from using a specific region | SCP |
| Download the SOC 2 audit report | Artifact |
| Sign the HIPAA BAA | Artifact |
| DDoS protection (baseline) | Shield Standard |
| Web attack defense (SQL Injection, XSS) | WAF |
| Encryption key management | KMS |
| Dedicated HSM required (strong regulation) | CloudHSM |
| Automatic rotation of DB passwords | Secrets Manager |
Common traps #
1) “AWS is certified, so my workload is automatically compliant” #
A trap. The certification is only at the infrastructure level; the customer workload has to be brought into compliance separately.
2) Confusing CloudTrail and Config #
- CloudTrail = who made the call
- Config = what state the resource is in
3) Applying separately for Shield Standard #
Shield Standard is included by default and free. You don’t apply for it separately.
4) Confusing GuardDuty and Inspector #
- GuardDuty = activity detection (suspicious API calls, traffic)
- Inspector = vulnerability scanning (CVEs in OS and apps)
5) Treating Macie as a general data classification tool #
Macie is a sensitive data classification tool scoped to S3 only. It does not apply to other data stores like RDS or DynamoDB.
6) Picking KMS vs. CloudHSM based on cost #
The reason KMS isn’t enough is a regulatory requirement. Cost is secondary.
7) Thinking AWS Artifact checks your workload #
Artifact provides AWS’s own certification documents. Customer workload checks go through other tools like Audit Manager.
Wrap-up #
What this post locked in:
- Compliance certifications — SOC / ISO / PCI DSS / HIPAA / GDPR / FedRAMP / FISMA / ITAR
- What certifications mean — control items at the AWS infrastructure level. Customer workloads are separate
- AWS Artifact — Download certification reports and agreements (BAA, DPA)
- Governance and audit tools — CloudTrail (API calls) / Config (resource configuration) / Organizations (account grouping) / SCP (guardrails)
- Security operations tools — GuardDuty (threats) / Inspector (vulnerabilities) / Macie (sensitive data) / Security Hub (aggregation) / Shield (DDoS) / WAF (web)
- Data encryption — At rest and in transit. KMS is the standard; only strong regulation calls for CloudHSM
- Secrets Manager handles automatic rotation; Parameter Store covers general config
- Traps — scope of certifications / CloudTrail-vs-Config confusion / applying separately for Shield Standard / GuardDuty-vs-Inspector confusion / Macie being S3-only / the limits of Artifact
Next — Domain 3 core services #
Domain 2 is done. Next up is Domain 3 — Cloud Technology and Services (34%), which has the widest surface area on the exam.
#6 Domain 3-1 Core Services — Compute and Storage walks through compute (EC2, Lambda, ECS, Fargate, Elastic Beanstalk, Lightsail) and storage (S3 storage classes, EBS, EFS, FSx, Storage Gateway, Glacier). The volume is large, but it compresses down to a workload → service mapping.