Domain 6 of 6 · Chapter 3 of 3

Compliance Evaluation

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing AWS Certified Security - Specialty premium course — no separate purchase.

Included in this chapter:

  • AWS Config: the resource-level compliance engine
  • Conformance packs and aggregators: packaging and scaling Config
  • Security Hub: standards, controls, and the security score
  • Evidence and architecture review: Audit Manager, Artifact, WA Tool

Compliance-evaluation services: what each one actually evaluates

DimensionAWS ConfigSecurity HubAudit ManagerAWS ArtifactWell-Architected Tool
What it evaluatesEach resource's configurationAccount posture vs standardsEvidence about your usageAWS's own complianceWorkload architecture
OutputCompliant / noncompliant per ruleSecurity score per standardAssessment reportDownloadable AWS audit reportsHigh/medium-risk issues + plan
CadenceContinuous (on change + periodic)Continuous checksContinuous evidence collectionOn-demand downloadPoint-in-time review
Auto-remediationYes, via SSM AutomationFindings only (automation rules / EventBridge), not the resourceNo (evidence only)NoNo (recommendations only)
Multi-account scopeAggregatorCentral config + cross-RegionMulti-account assessmentsOrg-wide agreementsPer-workload
Shared-responsibility sideYour resourcesYour resourcesYour resourcesAWS infrastructureYour architecture

Decision tree

Need audit evidence?an auditor wants proofyesAbout whom?AWS itself vs your usageAWSAWS Artifactyour usageAudit ManagernoReviewing the design?architecture, not live resourcesyesWell-Architected ToolSecurity pillarno, live resourcesScore vs a standard?CIS / PCI DSS / NISTyesSecurity Hub standardper-standard security scoreno, just fix itConfig rule+ SSM remediationAt scale: conformance pack across the org;Config aggregator for the org-wide view

Cheat sheet

  • AWS Config evaluates one resource against one rule; Security Hub scores your account against a standard
  • A configuration item is the versioned snapshot Config records for each resource
  • Config rules are managed (AWS-authored) or custom (your Lambda/Guard logic)
  • Config rules fire on a configuration-change trigger or a periodic trigger
  • Auto-remediate noncompliant resources with an SSM Automation document on the Config rule
  • A conformance pack ships many Config rules plus remediations as one YAML unit
  • Deploy baselines down with organization conformance packs; collect data up with a Config aggregator
  • Security Hub standards are FSBP, CIS, PCI DSS, and NIST SP 800-53
  • Security Hub runs most controls through service-linked AWS Config rules, so Config must be on
  • The security score is the percentage of passed controls per standard
  • Security Hub normalizes findings into ASFF and ingests GuardDuty, Macie, Inspector, and Access Analyzer
  • Scale Security Hub with central configuration and cross-Region aggregation
  • Audit Manager collects evidence about your usage; Artifact downloads AWS's own attestations
  • Audit Manager pulls evidence from Config, Security Hub, CloudTrail, and AWS API calls
  • AWS Artifact provides on-demand AWS compliance reports and legal agreements, free of charge
  • Use the Well-Architected Tool's Security pillar to review architecture, not live resources
  • Posture services measure configuration; GuardDuty detects active threats
  • Org-level S3 Storage Lens advanced metrics give organization-wide data-protection visibility
  • S3 Storage Lens publishes daily CloudWatch metrics, only in the dashboard's home Region
  • Org-level Storage Lens needs trusted access plus a delegated administrator
  • Consolidated control findings collapse duplicate findings across standards
  • Suppress accepted findings with the SUPPRESSED workflow status, automated by rules
  • Custom Config rules call PutEvaluations; proactive evaluation checks resources before they exist
  • Audit Manager's digest.txt verifies an assessment report wasn't altered
  • Audit Manager runs from a delegated administrator designated separately in each Region
  • Build custom Audit Manager controls on common controls to auto-pick-up new data sources

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. What Is AWS Config?
  2. Evaluating Resources with AWS Config Rules
  3. Remediating Noncompliant Resources with AWS Config Rules
  4. Conformance Packs for AWS Config
  5. Managing Conformance Packs Across an Organization
  6. Multi-Account Multi-Region Data Aggregation for AWS Config
  7. What Is AWS Security Hub?
  8. AWS Security Finding Format (ASFF)
  9. What Is AWS Audit Manager?
  10. What Is AWS Artifact?
  11. What Is AWS Well-Architected Tool?