AWS Compliance Building Blocks

AWS provides a set of services specifically designed to help you build, monitor, and demonstrate compliance. Understanding what each service does and how they work together is essential before you start implementing any compliance framework.

This page covers the key AWS compliance services at a conceptual level. You will learn what each service does, where it fits in the compliance lifecycle, and how to think about assembling them into a compliance architecture.

AWS Artifact: Compliance Reports and Agreements

AWS Artifact is your starting point for compliance on AWS. It provides on-demand access to AWS compliance reports and agreements.

What it provides:

  • AWS compliance reports -- SOC 1, SOC 2, SOC 3, PCI DSS Attestation of Compliance, ISO 27001 certificates, and more
  • Agreements -- Business Associate Addendum (BAA) for HIPAA, GDPR Data Processing Addendum, and others
  • Third-party audit reports for AWS infrastructure

Why it matters: Before you can claim your workload runs on compliant infrastructure, you need AWS's compliance documentation as evidence. Auditors will ask for it. Artifact is where you get it.

You can accept agreements (like the BAA for HIPAA) directly in Artifact. Until you accept the BAA, AWS is not your Business Associate, and you cannot use AWS for PHI workloads.

AWS Config: Compliance Rules

AWS Config continuously monitors and records your AWS resource configurations and evaluates them against rules you define.

What it provides:

  • Configuration recording -- Tracks every configuration change to your resources over time
  • Managed rules -- Pre-built rules for common compliance checks (e.g., "Are all S3 buckets encrypted?", "Is CloudTrail enabled?")
  • Custom rules -- Write your own compliance rules using Lambda functions
  • Conformance packs -- Bundles of rules mapped to compliance frameworks (HIPAA, PCI DSS, CIS Benchmarks)
  • Compliance timeline -- Shows the compliance status of any resource over time

Why it matters: Config is how you answer the question "Are my resources configured correctly right now?" It provides continuous compliance monitoring rather than point-in-time snapshots, and it gives you the historical record auditors need.
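The custom-rule bullet above is easiest to understand with a concrete rule. The following is an added example, not code from this page or from AWS: a Lambda handler for an AWS Config custom rule that marks an S3 bucket NON_COMPLIANT when it has no default encryption (or, with the assumed rule parameter `requireKms`, when it is not SSE-KMS). The configuration-item key names follow the shape Config delivers for AWS::S3::Bucket as I know it, which is an assumption; the sample item and the `RecordingClient` stand-in are constructed so the code runs without an AWS account.

```python
import json
from datetime import datetime, timezone

# Custom AWS Config rule (Lambda handler): flag S3 buckets without default encryption.
# Key names follow the configuration-item shape Config delivers for AWS::S3::Bucket
# as I know it (an assumption); the sample item at the bottom is constructed.
DELETED = ("ResourceDeleted", "ResourceDeletedNotRecorded")

def evaluate_bucket(item, params):
    """Return one Config evaluation dict for a configuration item."""
    if item.get("configurationItemStatus") in DELETED or item.get("resourceType") != "AWS::S3::Bucket":
        compliance = "NOT_APPLICABLE"     # deleted or out-of-scope resources are never scored
    else:
        sse = (item.get("supplementaryConfiguration") or {}).get("ServerSideEncryptionConfiguration") or {}
        algos = {r.get("applyServerSideEncryptionByDefault", {}).get("sseAlgorithm")
                 for r in sse.get("rules", [])} - {None}
        want_kms = str(params.get("requireKms", "false")).lower() == "true"
        if not algos:
            compliance = "NON_COMPLIANT"  # no default encryption configured at all
        elif want_kms and "aws:kms" not in algos:
            compliance = "NON_COMPLIANT"  # SSE-S3 only, but the rule parameter demands SSE-KMS
        else:
            compliance = "COMPLIANT"
    return {"ComplianceResourceType": item.get("resourceType", "AWS::::Account"),
            "ComplianceResourceId": item.get("resourceId", ""),
            "ComplianceType": compliance,
            "OrderingTimestamp": item.get("configurationItemCaptureTime", datetime.now(timezone.utc).isoformat())}

def lambda_handler(event, context, config_client=None):
    """Entry point Config invokes; config_client is injectable so this runs without AWS."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    evaluation = evaluate_bucket(invoking["configurationItem"], params)
    if config_client is None:
        import boto3                      # only needed inside Lambda
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

class RecordingClient:  # stand-in for the boto3 Config client; records put_evaluations calls
    def __init__(self): self.calls = []
    def put_evaluations(self, **kwargs): self.calls.append(kwargs)

# Constructed sample: a bucket whose default encryption is SSE-S3 (AES256).
SAMPLE_ITEM = {"resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket",
               "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
               "supplementaryConfiguration": {"ServerSideEncryptionConfiguration": {
                   "rules": [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "AES256"}}]}}}
SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": SAMPLE_ITEM}),
                "ruleParameters": json.dumps({"requireKms": "true"}), "resultToken": "constructed-token"}
```

The same function evaluates deleted and non-bucket items as NOT_APPLICABLE, which keeps them out of the compliance timeline, and every evaluation is reported back through put_evaluations so Security Hub and Audit Manager see it.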

AWS Audit Manager: Audit Evidence Collection

AWS Audit Manager helps you continuously collect evidence relevant to your compliance audits.

What it provides:

  • Pre-built frameworks -- Assessment templates for HIPAA, PCI DSS, GDPR, SOC 2, and more
  • Automated evidence collection -- Pulls evidence from Config, CloudTrail, Security Hub, and other sources
  • Manual evidence support -- Upload manual evidence (policies, procedures, screenshots) alongside automated evidence
  • Assessment reports -- Generate audit-ready reports that map evidence to specific controls

Why it matters: The most painful part of a compliance audit is collecting evidence. Audit Manager automates the collection and organizes it by control, so when your auditor asks "Show me evidence for access control logging," you have it ready.

AWS Security Hub: Compliance Standards Dashboard

AWS Security Hub provides a centralized view of your security and compliance posture across your AWS accounts.

What it provides:

  • Compliance standards -- Built-in checks for CIS AWS Foundations Benchmark, PCI DSS, AWS Foundational Security Best Practices
  • Compliance score -- Percentage-based compliance score for each enabled standard
  • Findings aggregation -- Consolidates findings from GuardDuty, Inspector, Macie, Config, and third-party tools
  • Cross-account visibility -- Aggregates compliance status across multiple AWS accounts

Why it matters: Security Hub gives you a single dashboard to see your compliance posture. When a control fails, you see it immediately. It also provides the aggregated view that CISOs and compliance officers need to report on organizational compliance.

AWS Control Tower: Multi-Account Governance

AWS Control Tower provides the governance layer for multi-account AWS environments.

What it provides:

  • Landing zone -- Pre-configured multi-account environment with security baselines
  • Guardrails -- Preventive (SCPs) and detective (Config rules) guardrails for governance
  • Account factory -- Automated provisioning of new accounts with compliance baselines already applied
  • Dashboard -- Visibility into guardrail compliance across all accounts

Why it matters: Compliance at scale requires a multi-account strategy. You separate workloads by compliance boundary (e.g., HIPAA workloads in dedicated accounts, PCI CDE in isolated accounts). Control Tower automates the setup and ongoing governance of this structure.

How These Services Work Together

The compliance services are not standalone tools. They form an integrated architecture:

Control Tower (governance structure)
|
├── Sets up accounts with guardrails
|
├── AWS Config (monitors resource configurations)
| |
| ├── Feeds findings into Security Hub
| └── Feeds evidence into Audit Manager
|
├── CloudTrail (records API activity)
| |
| └── Feeds evidence into Audit Manager
|
├── Security Hub (aggregates and scores compliance)
| |
| └── Feeds findings into Audit Manager
|
└── Audit Manager (collects and organizes evidence for audits)
|
└── Generates audit-ready reports

Artifact sits alongside this as your source of AWS's own compliance documentation.

Service-to-Requirement Mapping

| Compliance Requirement | Primary AWS Service | Supporting Services |
|---|---|---|
| Configuration compliance monitoring | AWS Config | Security Hub |
| Audit trail and activity logging | CloudTrail | CloudWatch Logs, S3 |
| Encryption at rest | KMS | S3, EBS, RDS, DynamoDB |
| Encryption in transit | ACM (TLS certificates) | ALB, CloudFront, API Gateway |
| Data classification and discovery | Amazon Macie | S3, Glue |
| Threat detection | GuardDuty | Security Hub, EventBridge |
| Vulnerability management | Amazon Inspector | Security Hub, ECR |
| Access control and identity | IAM, IAM Identity Center | Organizations, SCPs |
| Network segmentation | VPC, Security Groups, NACLs | AWS Network Firewall, PrivateLink |
| Audit evidence collection | Audit Manager | Config, CloudTrail, Security Hub |
| Multi-account governance | Control Tower | Organizations, SCPs |
| Compliance reporting | Security Hub, Audit Manager | Config, Artifact |
| Secrets management | Secrets Manager, Parameter Store | KMS |
| DDoS protection | AWS Shield, AWS WAF | CloudFront, Route 53 |

How to Check If an AWS Service Is Compliance-Eligible

Not all AWS services are eligible for all compliance frameworks. Before using a service for compliance-sensitive workloads, verify its eligibility:

For HIPAA:

  • Check the AWS HIPAA Eligible Services page
  • Only HIPAA-eligible services are covered under the BAA
  • If a service is not on the list, do not use it for PHI workloads
  • AWS updates this list as more services become eligible

For PCI DSS:

  • Check the AWS PCI DSS Compliance page
  • AWS is a PCI DSS Level 1 Service Provider
  • The Attestation of Compliance (AOC) lists in-scope services
  • Download the AOC from AWS Artifact

For Other Frameworks:

  • Check the AWS Compliance Programs page
  • Use AWS Artifact to download specific compliance reports
  • Look for the service in the scope section of each compliance report
  • When in doubt, contact AWS compliance support

General rule: Stick to well-established services for compliance-sensitive workloads. Newer or preview services may not yet have the compliance certifications you need.

Flashcards

Question: What is AWS Artifact used for?

Answer: AWS Artifact provides on-demand access to AWS compliance reports (SOC, PCI, ISO) and agreements (BAA for HIPAA, GDPR DPA). It is where you download AWS's compliance documentation and accept compliance agreements.