5.2.2. AWS Services for Governance and Compliance (AWS Config, CloudTrail, Audit Manager)
First Principle: AWS provides a suite of governance services that enable continuous monitoring, logging, and auditing of your environment, helping to enforce policies and simplify compliance.
These services give you the visibility and control needed for good governance.
- For Logging and Monitoring:
  - AWS CloudTrail: Records API calls made in your AWS account. Management events (such as CreateBucket or RunInstances) are logged by default; data events (S3 object-level GetObject/PutObject, Lambda invocations) must be enabled separately and cost extra. It answers the question, "Who did what, where, and when?" This is your primary audit trail, so deliver it to a dedicated, access-restricted S3 bucket with log file validation turned on, which makes the trail itself tamper-evident.
  - AWS Config: Records the configuration of your AWS resources over time and evaluates each configuration change against Config rules (AWS managed rules or custom Lambda-backed rules). It answers the question, "Is my environment configured correctly according to my policies?" When a resource (like an S3 bucket) becomes non-compliant, Config emits a compliance-change event that can notify the security team through EventBridge or SNS and, optionally, trigger an automatic remediation action.
  - Amazon CloudWatch: Collects logs and metrics from your resources and applications, enabling real-time monitoring and alerting. CloudTrail can also deliver its events to CloudWatch Logs so you can alarm on specific API calls.
- For Auditing and Reporting:
  - AWS Audit Manager: Helps you continuously audit your AWS usage to simplify how you assess risk and compliance with regulations and industry standards. It automates evidence collection by pulling from CloudTrail, AWS Config, Security Hub and API snapshots, and maps that evidence to the controls of a prebuilt framework (for example SOC 2, PCI DSS, HIPAA or ISO 27001) or a custom one.
- For General Best Practices:
  - AWS Trusted Advisor: An automated service that inspects your AWS environment and provides real-time guidance on cost optimization, performance, security, and fault tolerance. Only a subset of checks (core security checks and service quotas) is available on the Basic and Developer support plans; the full set requires Business, Enterprise On-Ramp or Enterprise Support.
Scenario: A company has a policy that all S3 buckets used for ML must have encryption enabled. A developer accidentally creates a new bucket without the required encryption setting. (Caveat: since January 2023 S3 applies SSE-S3 default encryption to every new bucket, so in practice this kind of policy is usually stated as "must use SSE-KMS with an approved key", and the Config rule checks for aws:kms rather than for the presence of any encryption at all.)
Reflection Question: How would AWS Config detect this non-compliant configuration and alert the security team? How would AWS CloudTrail show exactly who created the bucket and when?
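One way to work through both halves of the reflection question offline, as an added example that is not part of the original study guide: the first function applies the check a custom AWS Config rule would run over an AWS::S3::Bucket configuration item (the same job AWS's managed rules s3-bucket-server-side-encryption-enabled and s3-default-encryption-kms do), and the second answers "who, where, when" for that bucket from CloudTrail records. The configuration item and the CloudTrail records are constructed sample data; the field layout is assumed to follow the shapes Config and CloudTrail document (notably, supplementaryConfiguration values arrive as JSON-encoded strings inside a custom rule's invokingEvent), and the account ID, ARNs, IPs and timestamps are made up. The lambda_handler is how the same check would report back to Config if deployed as a custom rule; it imports boto3 lazily so the module still runs without it.

```python
"""Added example (not from the study guide): evaluate an S3 bucket's default
encryption the way a custom AWS Config rule would, then attribute the bucket's
creation from CloudTrail records. All sample data below is constructed."""
import json
from datetime import datetime

# Constructed configurationItem for one bucket. Assumption: field names follow
# the AWS::S3::Bucket schema Config records; supplementaryConfiguration values
# are JSON-encoded strings, as they arrive in a custom rule's invokingEvent.
SAMPLE_CONFIG_ITEM = {
    "resourceType": "AWS::S3::Bucket",
    "resourceId": "ml-training-data-example",
    "awsRegion": "us-east-1",
    "configurationItemCaptureTime": "2024-03-01T10:15:00.000Z",
    "supplementaryConfiguration": {
        "ServerSideEncryptionConfiguration": json.dumps({"rules": [
            {"applyServerSideEncryptionByDefault":
                {"sseAlgorithm": "AES256", "kmsMasterKeyID": None}}
        ]}),
    },
}

# Constructed CloudTrail records (account ID, ARNs, IPs and times are made up).
SAMPLE_CLOUDTRAIL_RECORDS = [
    {"eventTime": "2024-03-01T10:02:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": None},
    {"eventTime": "2024-03-01T10:12:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateBucket", "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DataScientist/alice"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"bucketName": "ml-training-data-example"}},
]


def evaluate_bucket_encryption(item, require_kms=False, allowed_key_arn=None):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "rule only evaluates S3 buckets"
    sse = item.get("supplementaryConfiguration", {}).get("ServerSideEncryptionConfiguration")
    if isinstance(sse, str):  # tolerate both the encoded and the decoded form
        sse = json.loads(sse)
    rules = (sse or {}).get("rules") or []
    if not rules:
        return "NON_COMPLIANT", "no default encryption configured"
    for rule in rules:
        default = rule.get("applyServerSideEncryptionByDefault") or {}
        algo, key = default.get("sseAlgorithm"), default.get("kmsMasterKeyID")
        if require_kms and algo != "aws:kms":
            return "NON_COMPLIANT", f"default encryption is {algo}, policy requires aws:kms"
        if allowed_key_arn and key != allowed_key_arn:
            return "NON_COMPLIANT", f"bucket key {key} is not the approved key"
    return "COMPLIANT", "default encryption satisfies policy"


def who_created(bucket_name, records):
    """Find the CreateBucket call for bucket_name; None if it is not in records."""
    for r in records:
        params = r.get("requestParameters") or {}
        if (r.get("eventSource") == "s3.amazonaws.com"
                and r.get("eventName") == "CreateBucket"
                and params.get("bucketName") == bucket_name):
            return {"who": r["userIdentity"]["arn"], "when": r["eventTime"],
                    "where": r["awsRegion"], "from_ip": r.get("sourceIPAddress"),
                    "via": r.get("userAgent")}
    return None


def lambda_handler(event, context):
    """Entry point if deployed as a custom Config rule (assumes the Lambda runtime).
    Rule parameters requireKms ("true"/"false") and keyArn are hypothetical names."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, note = evaluate_bucket_encryption(
        item, require_kms=params.get("requireKms") == "true",
        allowed_key_arn=params.get("keyArn"))
    import boto3  # present in Lambda; imported here so the module runs offline too
    boto3.client("config").put_evaluations(
        ResultToken=event["resultToken"],
        Evaluations=[{"ComplianceResourceType": item["resourceType"],
                      "ComplianceResourceId": item["resourceId"],
                      "ComplianceType": compliance,
                      "Annotation": note[:256],  # Config caps annotations at 256 chars
                      "OrderingTimestamp": datetime.strptime(
                          item["configurationItemCaptureTime"], "%Y-%m-%dT%H:%M:%S.%fZ")}])


if __name__ == "__main__":
    verdict, note = evaluate_bucket_encryption(SAMPLE_CONFIG_ITEM, require_kms=True)
    print(verdict, "-", note)
    print(who_created(SAMPLE_CONFIG_ITEM["resourceId"], SAMPLE_CLOUDTRAIL_RECORDS))
```

Run stand-alone, the sample bucket is COMPLIANT under a plain "encryption enabled" policy but NON_COMPLIANT under "must use aws:kms", and the CloudTrail lookup attributes its creation to the DataScientist role session used by alice, with the source IP and user agent of the call. In a real investigation the CloudTrail side is a `lookup-events` query filtered on EventName=CreateBucket (management events are kept for 90 days in the console; longer history comes from the trail's S3 bucket or a CloudTrail Lake query), and the Config side is the compliance timeline of that resource.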
Tip: CloudTrail is for logging actions (who did what). AWS Config is for recording and evaluating the state of configurations (is the resource set up correctly). Audit Manager is for automating the collection of that evidence against a compliance framework. Together, CloudTrail tells you who created the bucket, Config tells you it is non-compliant, and Audit Manager files both as evidence for the auditor.