Domain 2 of 4 · Chapter 2 of 4

Security, Governance & Compliance

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing AWS Certified Cloud Practitioner premium course — no separate purchase.

Included in this chapter:

  • Compliance, governance & finding the proof
  • Encryption in transit vs at rest
  • Threat detection: which service inspects what
  • Governance & audit services, and exam-pattern recognition

Which security/governance service for the job

Job to be doneServiceWhat it inspectsOutput
Get AWS's compliance reportsAWS ArtifactAWS-published audit documentsDownloadable SOC/ISO/PCI reports
Detect malicious activity / compromised credentialsAmazon GuardDutyCloudTrail, VPC Flow, DNS logsThreat findings
Find software vulnerabilities (CVEs)Amazon InspectorEC2, ECR images, LambdaVulnerability findings
Discover sensitive data in storageAmazon MacieAmazon S3 objectsSensitive-data (PII) findings
Mitigate DDoS attacksAWS ShieldNetwork/transport trafficDDoS protection
Log who did what in the accountAWS CloudTrailAPI calls / account activityActivity audit trail
Track resource config + complianceAWS ConfigResource configurations over timeConfig history + rule compliance
Aggregate all security findingsAWS Security HubFindings from other servicesPrioritized posture dashboard

Decision tree

What is the job?detect / audit / get proofDetect threatsAudit activity/configGet compliance proofWhat is inspected?logs / workloads / S3 dataActivity or config?who did it vs how set upAWS Artifactdownload SOC/ISO/PCIreports on demandLogsWorkloadsS3 dataActivityConfigAmazonGuardDutymalicious activityAmazonInspectorCVEs inEC2/ECR/LambdaAmazonMaciesensitive data in S3AWSCloudTrailwho did what (API)AWS Configconfig history +rule complianceAWS Security Hubaggregates findings fromGuardDuty / Inspector / MacieAlways-on baseline: encrypt at rest (KMS) + in transit (TLS); Shield Standard for DDoSCompliance scope varies by geography, industry, and service

Cheat sheet

  • Pull AWS's compliance reports on demand from AWS Artifact
  • Artifact proves AWS's compliance, not yours
  • Compliance scope is per-service, not blanket across AWS
  • At rest protects stored data; in transit protects the wire
  • KMS manages the keys for encryption at rest; TLS handles in transit
  • S3 encrypts every new bucket at rest by default
  • AWS-managed KMS keys are free; customer-managed keys bill monthly plus per request
  • GuardDuty detects threats from account logs with no agents
  • Inspector scans workloads for software vulnerabilities
  • Macie finds and classifies sensitive data in S3
  • Security Hub aggregates findings; it does not detect threats
  • CloudTrail logs who did what, when, and from where
  • CloudTrail Event history keeps 90 days of management events free
  • Config tracks resource configuration and flags drift over time
  • CloudTrail vs Config: activity log vs configuration checker
  • Audit Manager automates evidence collection for audits
  • Artifact vs Audit Manager: their proof vs your proof
  • In governance, CloudWatch is the destination, not the audit source
  • On AWS you inherit infrastructure certifications you'd otherwise re-audit
  • CloudWatch collects metrics, logs, and dashboards over time

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. https://docs.aws.amazon.com/artifact/latest/ug/what-is-aws-artifact.html
  2. https://aws.amazon.com/compliance/services-in-scope/
  3. https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-bucket-encryption.html
  4. https://aws.amazon.com/kms/pricing/
  5. https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
  6. https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html
  7. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_data-sources.html
  8. https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html
  9. https://docs.aws.amazon.com/macie/latest/user/what-is-macie.html
  10. https://docs.aws.amazon.com/waf/latest/developerguide/ddos-overview.html
  11. https://aws.amazon.com/shield/pricing/
  12. https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html
  13. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html
  14. https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html
  15. https://docs.aws.amazon.com/audit-manager/latest/userguide/what-is.html