# Compliance

Organizations operating in regulated industries (e.g., finance, healthcare, retail) must **align their cloud architecture** with compliance requirements such as **HIPAA, PCI DSS, GDPR, FedRAMP, and SOC 2**. AWS provides various **security, auditing, and governance services** to help organizations meet these compliance standards. Under the shared responsibility model, using a service that is itself certified does not make a workload compliant: the customer still has to configure, monitor, and evidence the controls on its side.

#### **✅ Why is Compliance Alignment Important?**

✔ **Reduces risk of data breaches**\
✔ **Meets legal & industry requirements**\
✔ **Ensures data privacy & security**\
✔ **Facilitates third-party audits & certifications**

***

### **🔹 AWS Compliance Services & Tools**

AWS provides a range of **services and best practices** to help customers comply with regulatory standards.

| **AWS Service**                            | **Purpose & Compliance Benefit**                                                                              |
| ------------------------------------------ | ------------------------------------------------------------------------------------------------------------- |
| **AWS Security Hub**                       | Centralized security findings and continuous checks against security standards (CIS AWS Foundations Benchmark, PCI DSS, AWS Foundational Security Best Practices). |
| **AWS Config**                             | Tracks AWS resource configurations to ensure compliance with security and governance policies.                |
| **AWS Audit Manager**                      | Automates evidence collection for compliance audits.                                                          |
| **AWS Control Tower**                      | Simplifies multi-account compliance governance & enforces security guardrails.                                |
| **AWS Organizations & SCPs**               | Sets the maximum permissions available in member accounts (SCPs only restrict, they never grant) to enforce organization-wide security policies. |
| **Amazon Macie**                           | Detects and protects sensitive data such as **PII (Personally Identifiable Information)** and financial data. |
| **AWS Key Management Service (KMS)**       | Creates and controls the keys that encrypt data at rest, supporting the **HIPAA, GDPR, and PCI DSS encryption requirements**. |
| **AWS Identity & Access Management (IAM)** | Enforces **least privilege access controls** using IAM policies and role-based access.                        |
| **AWS CloudTrail**                         | Provides **audit logs** for compliance reporting and security investigations.                                 |
| **AWS Shield & WAF**                       | Protects against **DDoS attacks** and **web application vulnerabilities**.                                    |
| **Amazon GuardDuty**                       | Threat detection from CloudTrail, VPC Flow Logs, and DNS logs (plus optional malware scanning) for **compromised credentials, unauthorized access, and malware**. |

***

### **🔹 SecureCart Compliance Alignment Example**

#### **Scenario: SecureCart Needs to Meet PCI DSS and GDPR Compliance**

SecureCart, an **e-commerce company**, must comply with **PCI DSS** for processing payments and **GDPR** for protecting customer data.

#### **1️⃣ Secure Payment Processing (PCI DSS)**

✅ **AWS Services Used:**\
✔ **AWS Key Management Service (KMS)** → Manages the keys used to encrypt stored payment transaction data.\
✔ **AWS Shield Advanced** → Protects against **DDoS attacks** on checkout APIs.\
✔ **AWS WAF** → Blocks SQL injection attacks that could expose credit card details.\
✔ **Amazon GuardDuty** → Detects suspicious login attempts and API requests.

Keeping cardholder data out of SecureCart's environment altogether (for example by tokenizing cards through a PCI DSS-compliant payment processor) shrinks the PCI DSS scope; the controls above apply to whatever cardholder data SecureCart still stores or transmits.

#### **2️⃣ Data Privacy & Protection (GDPR)**

✅ **AWS Services Used:**\
✔ **Amazon Macie** → Automatically **detects PII** (e.g., names, emails, credit card numbers) in S3.\
✔ **AWS IAM & Resource Policies** → Enforces **role-based access** to customer data.\
✔ **AWS Config** → Detects resources that drift from the required encryption and logging settings (Config records and evaluates; enforcement needs a remediation action or an SCP).\
✔ **AWS CloudTrail** → Logs all API calls to track access to personal data.

***

### **🔹 Implementing Compliance in AWS**

#### **1️⃣ Enforce Compliance with AWS Config & Security Hub**

**✅ Steps:**

1. Enable **AWS Config** (a configuration recorder in every account and Region in use) to record resource configurations and their changes.
2. Use **AWS Config managed rules** to check for:
   * **Encrypted S3 Buckets** (`s3-bucket-server-side-encryption-enabled`).
   * **MFA on the root user** (`root-account-mfa-enabled`).
   * **Security groups open to SSH from 0.0.0.0/0** (`restricted-ssh`).
3. Enable **AWS Security Hub** with the **PCI DSS** and **CIS AWS Foundations Benchmark** standards; Security Hub deploys the Config rules behind each control and reports a consolidated compliance score.

**🔹 Why?**\
✔ **Ensures encryption & access control policies** are enforced.\
✔ **Automates compliance checks** to prevent configuration drift.
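The managed rules above cover the common cases, but a regulated workload often needs a stricter check than `s3-bucket-server-side-encryption-enabled`, which also passes buckets that use SSE-S3. The following is an added example (not code from the original page or from AWS) of the evaluation logic for a custom Config rule that only accepts SSE-KMS with one approved key. The key ARN and bucket names are hypothetical, and the configuration items are constructed to match the shape AWS Config reports for `AWS::S3::Bucket` resources; `lambda_handler` is the Lambda entry point and only needs boto3 when it actually runs in Lambda.

```python
"""Custom AWS Config rule: require SSE-KMS with one approved key on every S3 bucket."""
import json

# Hypothetical key ARN for the example; replace with SecureCart's real payment-data key.
REQUIRED_KEY_ARN = "arn:aws:kms:eu-west-1:123456789012:key/11111111-2222-3333-4444-555555555555"


def evaluate_bucket_encryption(item, required_key_arn=REQUIRED_KEY_ARN):
    """Return (compliance_type, annotation) for one AWS::S3::Bucket configuration item.

    Stricter than the managed rule s3-bucket-server-side-encryption-enabled, which also
    accepts SSE-S3 (AES256): only SSE-KMS with the approved key counts as COMPLIANT.
    """
    if item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "rule only evaluates S3 buckets"
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "bucket was deleted"

    supplementary = item.get("supplementaryConfiguration") or {}
    sse = supplementary.get("ServerSideEncryptionConfiguration")
    if isinstance(sse, str):  # some snapshots carry the value as a JSON string
        sse = json.loads(sse)
    if not sse:
        return "NON_COMPLIANT", "no default encryption configured"

    approved_ids = {required_key_arn, required_key_arn.rsplit("/", 1)[-1]}  # ARN or bare key id
    for rule in sse.get("rules", []):
        default = rule.get("applyServerSideEncryptionByDefault") or {}
        algo, key = default.get("sseAlgorithm"), default.get("kmsMasterKeyID")
        if algo == "aws:kms" and key in approved_ids:
            return "COMPLIANT", "SSE-KMS with approved key"
        if algo == "aws:kms":
            return "NON_COMPLIANT", f"SSE-KMS uses unapproved key {key}"
        if algo == "AES256":
            return "NON_COMPLIANT", "SSE-S3 (AES256) does not meet the KMS requirement"
    return "NON_COMPLIANT", "encryption configuration has no usable default rule"


def lambda_handler(event, context):
    """Lambda entry point for the custom rule; boto3 is imported here so the logic above runs offline."""
    import boto3

    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_bucket_encryption(item)
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note[:256],
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return compliance


# Constructed configuration items in the shape AWS Config reports for S3 buckets (not real data).
SAMPLE_ITEMS = {
    "payments": {
        "resourceType": "AWS::S3::Bucket", "resourceId": "securecart-payments",
        "configurationItemStatus": "OK",
        "supplementaryConfiguration": {"ServerSideEncryptionConfiguration": {"rules": [
            {"applyServerSideEncryptionByDefault": {"sseAlgorithm": "aws:kms",
                                                    "kmsMasterKeyID": REQUIRED_KEY_ARN},
             "bucketKeyEnabled": True}]}},
    },
    "logs": {
        "resourceType": "AWS::S3::Bucket", "resourceId": "securecart-logs",
        "configurationItemStatus": "OK",
        "supplementaryConfiguration": {"ServerSideEncryptionConfiguration": {"rules": [
            {"applyServerSideEncryptionByDefault": {"sseAlgorithm": "AES256",
                                                    "kmsMasterKeyID": None}}]}},
    },
    "legacy": {
        "resourceType": "AWS::S3::Bucket", "resourceId": "securecart-legacy",
        "configurationItemStatus": "OK", "supplementaryConfiguration": {},
    },
    "deleted": {
        "resourceType": "AWS::S3::Bucket", "resourceId": "securecart-old",
        "configurationItemStatus": "ResourceDeleted",
    },
}

if __name__ == "__main__":
    for name, item in SAMPLE_ITEMS.items():
        print(name, *evaluate_bucket_encryption(item))
```

Deleted resources must be reported as `NOT_APPLICABLE` rather than `NON_COMPLIANT`, otherwise stale buckets keep the rule red forever; and the annotation is what auditors and operators see in the Config console, so it should name the exact shortfall rather than just "failed".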

***

#### **2️⃣ Centralized Compliance Governance with AWS Control Tower**

SecureCart uses **AWS Control Tower** to **enforce security guardrails** across multiple accounts.

**✅ Steps:**

1. Set up **AWS Organizations** and enable **AWS Control Tower**.
2. Define **Service Control Policies (SCPs)** to:
   * **Deny IAM user and access-key creation** (forces the use of IAM roles and federated identities).
   * **Deny changes to S3 Block Public Access** at the account and bucket level.
   * **Deny use of unapproved AWS Regions** (`aws:RequestedRegion` condition, with global services such as IAM and STS exempted).
3. Enable **AWS Config and Security Hub** for all accounts (Control Tower enables Config in every enrolled account; Security Hub can be run from a delegated administrator account to cover the organization).

**🔹 Why?**\
✔ **Simplifies compliance for multi-account environments**.\
✔ **Enforces organization-wide security best practices**.
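SCPs are easy to get subtly wrong (a region deny without a `NotAction` exemption locks out IAM and STS, for instance), so it pays to unit-test them before attaching them to an OU. The block below is an added example, not code from the original page or from AWS: it writes the three SecureCart SCPs as policy documents and evaluates sample requests against them with a deliberately small local evaluator that models only the explicit-Deny semantics of SCPs (`Action`/`NotAction` wildcards and `StringEquals`/`StringNotEquals` conditions). The approved Regions and the global-service exemption list are assumptions for the example.

```python
"""SecureCart's three SCPs as policy documents, plus a small local evaluator to unit-test them."""
import fnmatch

APPROVED_REGIONS = ["eu-west-1", "eu-central-1"]  # assumed for the example
# Global services whose calls carry no meaningful aws:RequestedRegion; exempt them from the region deny.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "organizations:*", "sts:*", "cloudfront:*", "route53:*",
                          "support:*", "health:*", "budgets:*"]

SCP_DENY_IAM_USERS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyIamUsersAndAccessKeys",
        "Effect": "Deny",
        "Action": ["iam:CreateUser", "iam:CreateAccessKey", "iam:CreateLoginProfile"],
        "Resource": "*",
    }],
}

SCP_PROTECT_BLOCK_PUBLIC_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyDisablingS3BlockPublicAccess",
        "Effect": "Deny",
        "Action": ["s3:PutAccountPublicAccessBlock", "s3:PutBucketPublicAccessBlock"],
        "Resource": "*",
    }],
}

SCP_REGION_RESTRICTION = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnapprovedRegions",
        "Effect": "Deny",
        "NotAction": GLOBAL_SERVICE_ACTIONS,
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}},
    }],
}

SECURECART_SCPS = [SCP_DENY_IAM_USERS, SCP_PROTECT_BLOCK_PUBLIC_ACCESS, SCP_REGION_RESTRICTION]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(stmt, action):
    """IAM action matching with '*' wildcards; NotAction inverts the match."""
    if "Action" in stmt:
        return any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    return not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["NotAction"]))


def _condition_holds(condition, ctx):
    """Only StringEquals / StringNotEquals are modelled. As in IAM, a missing context key
    makes StringEquals false and StringNotEquals true."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(operator)
        for key, values in pairs.items():
            present = ctx.get(key) in _as_list(values)
            if operator == "StringEquals" and not present:
                return False
            if operator == "StringNotEquals" and present:
                return False
    return True


def scp_denies(policies, action, context=None):
    """Return the Sid of the first explicit Deny that matches the request, or None.

    Simplified model: SCPs only ever deny, so None means 'not blocked by these SCPs',
    not 'allowed' (identity and resource policies still have to grant the action).
    """
    ctx = context or {}
    for policy in policies:
        for stmt in policy["Statement"]:
            if (stmt["Effect"] == "Deny" and _action_matches(stmt, action)
                    and _condition_holds(stmt.get("Condition", {}), ctx)):
                return stmt["Sid"]
    return None


if __name__ == "__main__":
    for action, region in [("iam:CreateUser", "eu-west-1"), ("ec2:RunInstances", "us-east-1"),
                           ("s3:PutObject", "eu-west-1"), ("sts:AssumeRole", "us-east-1")]:
        verdict = scp_denies(SECURECART_SCPS, action, {"aws:RequestedRegion": region})
        print(f"{action:<28} {region:<12} -> {verdict}")
```

Two caveats that the evaluator cannot tell you: SCPs do not apply to the management account, so nothing sensitive should run there; and the real decision also depends on identity and resource policies, so treat `None` as "not blocked by governance", and validate the final documents with IAM Access Analyzer policy checks before deployment.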

***

#### **3️⃣ Secure Data Encryption & Key Management**

SecureCart encrypts all **customer PII and payment transactions** using **AWS KMS**.

**✅ Steps:**

1. **Enable S3 default encryption** with a **customer managed KMS key** (formerly called a CMK), and add a bucket policy that denies `s3:PutObject` requests that do not specify that key.
2. Restrict who can use and administer the key through the **key policy** (the primary control) and **IAM permissions**; a `kms:ViaService` condition can limit use of the key to S3 in the expected Region.
3. **Enable automatic key rotation** in AWS KMS (yearly by default; previous key material is retained so existing ciphertext still decrypts).
4. **Use AWS CloudTrail to log decryption events** (`Decrypt`, `GenerateDataKey`) for auditing; with S3 Bucket Keys enabled, one logged KMS call can cover many objects.

**🔹 Why?**\
✔ Meets **PCI DSS & GDPR encryption requirements**.\
✔ Prevents **unauthorized access** to sensitive customer data.
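Step 4 only pays off if someone actually reads the log, so here is an added example (not code from the original page or from AWS) of a detection pass over CloudTrail records for the payment-data key: every `Decrypt` against that key is checked for an approved principal, for the `aws:s3:arn` encryption context that S3 sets when it decrypts on the caller's behalf, and for failed (denied) attempts, which are worth an alert even though nothing leaked. The key ARN, role name and the four CloudTrail records are constructed for the example and trimmed to the fields the audit reads.

```python
"""Audit KMS Decrypt calls against the payment-data key using CloudTrail records."""
import json
from collections import Counter

# Hypothetical identifiers for the example.
PAYMENT_KEY_ARN = "arn:aws:kms:eu-west-1:123456789012:key/11111111-2222-3333-4444-555555555555"
APPROVED_PRINCIPALS = {"arn:aws:iam::123456789012:role/SecureCartCheckoutService"}

# Constructed CloudTrail records (not real logs), trimmed to the fields the audit reads.
SAMPLE_TRAIL = json.loads(r"""
{"Records": [
 {"eventTime": "2024-05-01T10:00:01Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::123456789012:assumed-role/SecureCartCheckoutService/i-0a1b2c",
                   "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/SecureCartCheckoutService"}}},
  "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::securecart-payments/txn-1001.json"}},
  "resources": [{"type": "AWS::KMS::Key", "ARN": "arn:aws:kms:eu-west-1:123456789012:key/11111111-2222-3333-4444-555555555555"}],
  "sourceIPAddress": "10.0.1.20"},
 {"eventTime": "2024-05-01T10:05:44Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"},
  "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::securecart-payments/txn-1002.json"}},
  "resources": [{"type": "AWS::KMS::Key", "ARN": "arn:aws:kms:eu-west-1:123456789012:key/11111111-2222-3333-4444-555555555555"}],
  "sourceIPAddress": "203.0.113.9", "errorCode": "AccessDenied"},
 {"eventTime": "2024-05-01T10:06:10Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::123456789012:assumed-role/SecureCartCheckoutService/cli-session",
                   "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/SecureCartCheckoutService"}}},
  "requestParameters": {"encryptionContext": {}},
  "resources": [{"type": "AWS::KMS::Key", "ARN": "arn:aws:kms:eu-west-1:123456789012:key/11111111-2222-3333-4444-555555555555"}],
  "sourceIPAddress": "198.51.100.77"},
 {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"},
  "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::securecart-logs/app.log"}},
  "resources": [{"type": "AWS::KMS::Key", "ARN": "arn:aws:kms:eu-west-1:123456789012:key/22222222-0000-0000-0000-000000000000"}],
  "sourceIPAddress": "203.0.113.9"}
]}
""")


def principal_arn(record):
    """The long-lived identity behind the call: the role for assumed-role sessions, else the caller ARN."""
    identity = record.get("userIdentity", {})
    if identity.get("type") == "AssumedRole":
        return identity["sessionContext"]["sessionIssuer"]["arn"]
    return identity.get("arn", "unknown")


def _touches_key(record, key_arn):
    return key_arn in {r.get("ARN") for r in record.get("resources", [])}


def audit_decrypts(trail, key_arn=PAYMENT_KEY_ARN, approved=APPROVED_PRINCIPALS):
    """Return findings for Decrypt calls against key_arn that do not fit the expected pattern."""
    findings = []
    for rec in trail["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com" or rec.get("eventName") != "Decrypt":
            continue
        if not _touches_key(rec, key_arn):
            continue
        who = principal_arn(rec)
        ctx = (rec.get("requestParameters") or {}).get("encryptionContext") or {}
        reasons = []
        if who not in approved:
            reasons.append("principal not approved for payment-data key")
        if "aws:s3:arn" not in ctx:
            reasons.append("Decrypt outside the S3 data path (no aws:s3:arn encryption context)")
        if rec.get("errorCode"):
            reasons.append(f"call failed with {rec['errorCode']} (denied attempts still deserve an alert)")
        if reasons:
            findings.append({"time": rec["eventTime"], "principal": who,
                             "source_ip": rec.get("sourceIPAddress"), "reasons": reasons})
    return findings


def decrypt_counts(trail, key_arn=PAYMENT_KEY_ARN):
    """Successful Decrypt calls per principal: a baseline for spotting volume anomalies."""
    return Counter(principal_arn(r) for r in trail["Records"]
                   if r.get("eventName") == "Decrypt" and not r.get("errorCode")
                   and _touches_key(r, key_arn))


if __name__ == "__main__":
    for finding in audit_decrypts(SAMPLE_TRAIL):
        print(finding["time"], finding["principal"], finding["source_ip"], "; ".join(finding["reasons"]))
    print(dict(decrypt_counts(SAMPLE_TRAIL)))
```

The third record is the interesting one: an approved role decrypting directly, with an empty encryption context, from an address outside the VPC. That is what credential theft from the checkout service looks like in the KMS log, and a rule that only checks "is the principal allowed" would miss it. When S3 Bucket Keys are enabled the encryption context carries the bucket ARN rather than an object ARN, so match on the `aws:s3:arn` key, not on a specific object.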

***

#### **4️⃣ Auditing & Compliance Reporting with AWS Audit Manager**

SecureCart must provide audit reports for **GDPR & PCI DSS compliance**.

**✅ Steps:**

1. Enable **AWS Audit Manager** to collect evidence (Config evaluations, Security Hub findings, CloudTrail activity) automatically.
2. Create assessments from the **prebuilt PCI DSS and GDPR frameworks** (or a custom framework where SecureCart's controls differ from the standard ones).
3. Generate **assessment reports** with the collected evidence for the auditor; the reports document configuration, not the effectiveness of the controls, so they supplement rather than replace the audit.

**🔹 Why?**\
✔ Reduces **manual compliance work**.\
✔ Provides **evidence for security audits**.

***

### **✅ Summary**

| **Compliance Requirement**                | **AWS Services Used**                       |
| ----------------------------------------- | ------------------------------------------- |
| **PCI DSS (Payment Security)**            | AWS KMS, AWS Shield, WAF, GuardDuty         |
| **GDPR (Data Privacy & Access Controls)** | Amazon Macie, IAM, AWS Config, CloudTrail   |
| **Continuous Compliance Monitoring**      | AWS Security Hub, AWS Config, Audit Manager |
| **Governance & Multi-Account Compliance** | AWS Organizations, AWS Control Tower, SCPs  |
| **Data Encryption & Access Management**   | AWS KMS, IAM, Resource Policies             |

