3.2.4. Compliance and Governance (AWS Artifact)
First Principle: AWS supports compliance with global standards and regulations by providing tools and documentation, enabling customers to meet their governance and auditing requirements.
Compliance refers to adherence to legal, regulatory, or industry-specific standards. Governance refers to the framework that ensures an organization's objectives are met through controlled and strategic IT operations. AWS provides services and resources to help customers meet their compliance and governance requirements.
Key Concepts:
- AWS Compliance Programs: AWS maintains compliance with a wide range of global, national, and industry-specific security standards and certifications (e.g., ISO 27001, SOC reports, PCI DSS, HIPAA, GDPR). This helps customers build compliant applications on AWS.
- AWS Artifact: A service that provides on-demand access to AWS's security and compliance reports and certifications (e.g., SOC reports, ISO certifications) and to select online agreements. These reports can be downloaded and shared with auditors to demonstrate AWS's side of the shared-responsibility compliance posture; the customer's own resources still have to be assessed separately.
- AWS Config: Continuously monitors and records AWS resource configurations and their changes over time. Helps assess and enforce compliance of customer resources against Config Rules.
- AWS CloudTrail: Records API calls and resource changes. Provides an audit trail for compliance.
- AWS Organizations: For centralized management and governance across multiple AWS accounts, including enforcing Service Control Policies (SCPs) for compliance.
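The "continuous monitoring against Config Rules" point above is easiest to see as a custom rule. The following is an added example, not code from the page or from AWS: a Lambda handler in the shape AWS Config invokes for a custom rule. It assumes a rule that requires every S3 bucket to have all four Block Public Access settings enabled, and the configuration item it evaluates is a constructed sample that follows the layout Config records for AWS::S3::Bucket (the `supplementaryConfiguration` / `PublicAccessBlockConfiguration` keys are assumed from that layout). The `config_client` parameter is an assumption added so the logic can run offline without boto3.

```python
"""
Custom AWS Config rule handler (illustrative, added example).

AWS Config invokes a custom rule's Lambda with an event whose
``invokingEvent`` field is a JSON string carrying the changed resource's
``configurationItem``. The handler decides COMPLIANT / NON_COMPLIANT /
NOT_APPLICABLE and reports the verdict back with ``PutEvaluations``.

Assumptions (not from the page): the rule checks that an S3 bucket has all
four Block Public Access settings enabled, and the configuration item
layout below is a constructed sample following the shape AWS Config
records for AWS::S3::Bucket.
"""
import json

REQUIRED_SETTINGS = ("blockPublicAcls", "blockPublicPolicy",
                     "ignorePublicAcls", "restrictPublicBuckets")


def evaluate_compliance(configuration_item):
    """Return the compliance verdict for one configuration item."""
    if configuration_item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE"           # rule is scoped to buckets only
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE"           # nothing left to assess
    supplementary = configuration_item.get("supplementaryConfiguration") or {}
    pab = supplementary.get("PublicAccessBlockConfiguration") or {}
    # A missing block, or any setting left false, means the bucket can be
    # exposed publicly, which violates the internal policy being enforced.
    if all(pab.get(key) is True for key in REQUIRED_SETTINGS):
        return "COMPLIANT"
    return "NON_COMPLIANT"


def build_evaluation(event):
    """Parse a Config invocation event into one PutEvaluations entry."""
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_compliance(item),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context, config_client=None):
    """Lambda entry point: evaluate, then report the verdict to AWS Config."""
    evaluation = build_evaluation(event)
    if config_client is None:
        import boto3               # only needed when running inside Lambda
        config_client = boto3.client("config")
    config_client.put_evaluations(
        Evaluations=[evaluation],
        ResultToken=event["resultToken"],
    )
    return evaluation


def sample_event(public_access_block):
    """Constructed invocation event for offline testing (not real AWS data)."""
    item = {
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "example-audit-logs-bucket",
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "supplementaryConfiguration": {},
    }
    if public_access_block is not None:
        item["supplementaryConfiguration"]["PublicAccessBlockConfiguration"] = (
            public_access_block)
    return {"invokingEvent": json.dumps({"configurationItem": item}),
            "resultToken": "constructed-token"}


if __name__ == "__main__":
    locked_down = {key: True for key in REQUIRED_SETTINGS}
    print(build_evaluation(sample_event(locked_down))["ComplianceType"])
    print(build_evaluation(sample_event(None))["ComplianceType"])
```

The verdict is recorded against the resource in AWS Config, so a bucket whose Block Public Access settings are later removed shows up as NON_COMPLIANT on the next change-triggered evaluation without anyone re-running an audit by hand, which is the continuous-monitoring half of the scenario below; the reports for the provider side still come from AWS Artifact.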
Scenario: A company needs to prove to its auditors that its cloud environment adheres to industry-standard security certifications (e.g., ISO 27001). It also needs to continuously monitor its AWS resources for compliance with internal policies.
Reflection Question: How does AWS support compliance by providing tools like AWS Artifact (for compliance reports) and AWS Config (for continuous monitoring of resource configurations), enabling businesses to meet their governance and auditing requirements?