Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.3.4. Security Auditing and Compliance Monitoring

💡 First Principle: Security isn't a state you achieve—it's a continuous process you monitor. Even with perfect IAM policies and encryption, unauthorized changes can happen: someone widens a security group, an IAM policy gets modified, or a new S3 bucket is created without encryption. Auditing detects these changes; automated compliance monitoring prevents them from persisting.

AWS provides a layered auditing approach:

AWS CloudTrail records every API call in your account—who called what, from where, and when. For ML systems, this means you can trace who created a training job, who modified an endpoint, and who accessed model artifacts. CloudTrail logs are the primary evidence source for security investigations and compliance audits.

AWS Config monitors resource configuration and evaluates it against rules you define. For example, a Config rule can check that all S3 buckets have encryption enabled, all SageMaker notebooks run in VPC mode, or all IAM roles follow the naming convention. When a resource violates a rule, Config generates a compliance finding and can trigger automated remediation via Lambda.

Amazon Macie specifically monitors S3 buckets for sensitive data (PII, PHI, financial information) using ML-based content analysis. If training data inadvertently contains unmasked Social Security numbers, Macie will flag it. This is particularly relevant for Domain 4 questions about data classification and compliance.

| Tool | What It Monitors | Exam Use Case |
| --- | --- | --- |
| CloudTrail | API calls (who did what, when) | Audit trail, forensics, governance |
| AWS Config | Resource configuration state | Compliance rules, drift detection |
| Amazon Macie | Sensitive data in S3 | PII/PHI detection in training data |
| AWS Security Hub | Aggregated security findings | Central security dashboard |
| IAM Access Analyzer | Resource access from outside account | Unintended external access |

For CI/CD pipeline security—a topic the exam cross-references between Domains 3 and 4—the key principle is that every stage of the pipeline should have security controls. CodeBuild should run in a VPC, CodePipeline stages should have IAM roles scoped to their specific tasks, and model artifacts should be signed or checksummed to prevent tampering between stages.

⚠️ Exam Trap: Questions about "who accessed the training data" require CloudTrail (API-level audit). Questions about "does the training data contain PII" require Macie (content analysis). Questions about "is the S3 bucket properly configured" require AWS Config (configuration compliance). The exam tests whether you can distinguish between these three monitoring layers.
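The "who accessed the training data" question above, answered offline from CloudTrail records. This is an added example, not part of the original course material or any AWS tooling; the account ID, role names, buckets and keys are constructed, and the helper names are hypothetical.

```python
import json
from collections import Counter
from datetime import datetime, timezone

ACCT = "111122223333"  # constructed account ID; role, bucket and key names are made up too

def _rec(time, source, name, role, params, error=None):
    """Build one constructed record using CloudTrail's field names."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "requestParameters": params,
           "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {
               "type": "Role", "arn": f"arn:aws:iam::{ACCT}:role/{role}"}}}}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed log file. The GetObject records are S3 data events, which CloudTrail
# delivers only when data event logging is enabled on the trail for that bucket.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2026-01-10T09:00:00Z", "s3.amazonaws.com", "GetObject", "NotebookRole",
         {"bucketName": "ml-training-data", "key": "raw/customers.csv"}),
    _rec("2026-01-10T09:05:00Z", "s3.amazonaws.com", "GetObject", "NotebookRole",
         {"bucketName": "ml-training-data", "key": "raw/customers.csv"}),
    _rec("2026-01-11T14:30:00Z", "s3.amazonaws.com", "GetObject", "NotebookRole",
         {"bucketName": "finance-exports", "key": "q4.parquet"}, error="AccessDenied"),
    _rec("2026-01-12T08:00:00Z", "sagemaker.amazonaws.com", "CreateTrainingJob",
         "PipelineRole", {"trainingJobName": "churn-v3"}),
    _rec("2026-03-01T10:00:00Z", "s3.amazonaws.com", "GetObject", "NotebookRole",
         {"bucketName": "ml-training-data", "key": "raw/late.csv"}),
]})

def _target(rec):
    """Name the resource a call touched; S3 calls become s3://bucket/key."""
    params = rec.get("requestParameters") or {}
    if rec["eventSource"] == "s3.amazonaws.com":
        return f"s3://{params.get('bucketName')}/{params.get('key', '')}"
    return rec["eventSource"]

def accesses_by_role(log_text, role_arn, start, end):
    """Count (eventName, target, outcome) tuples for one role within [start, end)."""
    seen = Counter()
    for rec in json.loads(log_text)["Records"]:
        issuer = rec.get("userIdentity", {}).get("sessionContext", {}).get("sessionIssuer", {})
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if issuer.get("arn") == role_arn and start <= when < end:
            seen[(rec["eventName"], _target(rec), rec.get("errorCode", "ok"))] += 1
    return dict(seen)
```

Calling `accesses_by_role` with the notebook role's ARN and the audit window returns both the successful reads and the denied attempt, which is often the more interesting line in an investigation.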

Reflection Question: After a security audit reveals that a SageMaker notebook instance had overly permissive IAM permissions for six months, what AWS tools would you use to (a) determine what the notebook accessed during that period, and (b) prevent similar misconfigurations in the future?

Written by Alvin Varughese
Founder, 15 professional certifications