# AWS Compliance and Governance: Curriculum Roadmap
AWS compliance and governance concepts
This curriculum provides a comprehensive overview of how AWS manages security, governance, and compliance, and the tools available to customers to maintain their own security posture within the AWS Cloud.
## Prerequisites
Before beginning this module, students should have a baseline understanding of the following:
- Cloud Fundamentals: Basic understanding of what cloud computing is (on-demand delivery, pay-as-you-go).
- Basic IT Security: Awareness of common security terms like encryption, firewalls, and user authentication.
- AWS Global Infrastructure: Familiarity with Regions and Availability Zones.
## Module Breakdown
| Module | Topic | Difficulty | Key Focus |
|---|---|---|---|
| 1 | The Shared Responsibility Model | Beginner | Dividing tasks between AWS and the Customer. |
| 2 | Identity & Access Management (IAM) | Intermediate | Least privilege, MFA, and Root account protection. |
| 3 | Governance & Monitoring | Intermediate | Auditing with CloudTrail, monitoring with CloudWatch. |
| 4 | Compliance & Artifacts | Beginner | Regulatory frameworks (PCI, SOC) and AWS Artifact. |
| 5 | Security Toolset | Intermediate | Shield, GuardDuty, and Inspector. |
## Learning Objectives per Module
### Module 1: Shared Responsibility
- Differentiate between "Security of the Cloud" (AWS) and "Security in the Cloud" (Customer).
- Identify how responsibilities shift based on service type (e.g., EC2 vs. Lambda).
### Module 2: Access Management Capabilities
- Define the Principle of Least Privilege.
- Protect the Root user and implement Multi-Factor Authentication (MFA).
- Manage users, groups, and policies within IAM and IAM Identity Center.
### Module 3: Governance & Audit
- Trace API calls using AWS CloudTrail for auditing.
- Assess resource configurations using AWS Config.
- Visualize performance metrics using Amazon CloudWatch.
### Module 4: Compliance Concepts
- Access compliance reports (SOC, PCI) through AWS Artifact.
- Understand geographic and industry-specific compliance requirements.
## Visual Anchors
- The Shared Responsibility Model
- The Security (CIA) Triad
## Success Metrics
To master this curriculum, a student must be able to:
- Correctly assign a security task (e.g., patching an EC2 OS) to the correct party in the Shared Responsibility Model.
- List 3 tasks that only the AWS Root User can perform.
- Identify the specific AWS service used to download a SOC 2 report.
- Explain the difference between encryption at rest and encryption in transit.
- Diagram a basic IAM hierarchy using the principle of least privilege.
## Real-World Application
### Career Relevance
- Cloud Architects: Use these concepts to design "Well-Architected" systems that pass audits.
- Compliance Officers: Use AWS Artifact to provide evidence to regulators during annual reviews.
- Security Engineers: Implement IAM policies to prevent data breaches.
### Industry Scenarios
- Healthcare: Using AWS services to ensure HIPAA compliance for patient data.
- Finance: Using AWS Audit Manager to prepare for PCI DSS (Credit Card) audits.
## Examples
> [!TIP]
> Scenario 1: The Audit Trail. An administrator notices a new S3 bucket was created at 2:00 AM. They use AWS CloudTrail to find the exact IAM user identity, the source IP address, and the time the `CreateBucket` API call was made.

> [!IMPORTANT]
> Scenario 2: Least Privilege. Instead of giving a developer full Administrative access, you provide them with a policy that only allows `s3:ListBucket` and `s3:GetObject` on a specific project bucket. This limits the "blast radius" if their credentials are ever compromised.
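The two scenarios above, worked through in one added example (this is not code from the original curriculum or from AWS). The CloudTrail-style records, the bucket names, the user names and the IP addresses are constructed sample data; `find_events` shows what the Scenario 1 lookup pulls out of a trail, and `is_allowed` is a deliberately simplified model of IAM policy evaluation (implicit deny, explicit Deny wins, `*` wildcards, no Condition keys) used to show that the Scenario 2 policy really does grant only the two actions on the one bucket.

```python
"""Added example for Scenario 1 (audit trail) and Scenario 2 (least privilege).
All records, names and addresses below are constructed, not real AWS output."""
import fnmatch
import json
from datetime import datetime, timezone

# --- Scenario 1: the audit trail -------------------------------------------
# Constructed records shaped like the CloudTrail fields the scenario relies on:
# eventTime, eventName, userIdentity and sourceIPAddress.
SAMPLE_TRAIL = [
    {"eventTime": "2024-05-01T01:15:02Z", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-05-01T02:00:41Z", "eventName": "CreateBucket",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "example-new-bucket"}},
    {"eventTime": "2024-05-01T09:30:00Z", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "userName": "deploy-role"},
     "sourceIPAddress": "203.0.113.10"},
]


def find_events(records, event_name):
    """Return who / from where / when / which bucket for every matching record."""
    hits = []
    for rec in records:
        if rec.get("eventName") != event_name:
            continue
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        hits.append({
            "user": rec["userIdentity"].get("userName"),
            "source_ip": rec.get("sourceIPAddress"),
            "time": when.replace(tzinfo=timezone.utc),
            "bucket": rec.get("requestParameters", {}).get("bucketName"),
        })
    return hits


# --- Scenario 2: least privilege -------------------------------------------
# The policy described in Scenario 2. "project-bucket" is a constructed name.
# ListBucket applies to the bucket ARN; GetObject applies to objects in it.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::project-bucket"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::project-bucket/*"},
    ],
}


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: start from implicit deny, an explicit Deny
    wins outright, otherwise any matching Allow grants. Handles Action and
    Resource as string or list with '*' wildcards; Condition is not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for hit in find_events(SAMPLE_TRAIL, "CreateBucket"):
        print(f"{hit['time'].isoformat()} {hit['user']} from {hit['source_ip']} "
              f"created {hit['bucket']}")
    print(json.dumps(LEAST_PRIVILEGE_POLICY, indent=2))
    checks = [("s3:GetObject", "arn:aws:s3:::project-bucket/report.csv"),
              ("s3:PutObject", "arn:aws:s3:::project-bucket/report.csv"),
              ("s3:GetObject", "arn:aws:s3:::other-bucket/secret.txt")]
    for act, res in checks:
        verdict = "allow" if is_allowed(LEAST_PRIVILEGE_POLICY, act, res) else "deny"
        print(f"{act} on {res}: {verdict}")
```

The point the evaluator makes visible is the shape of the blast radius: with this policy a leaked credential can read objects in `project-bucket` and nothing else, so `s3:PutObject` on the same bucket and `s3:GetObject` on any other bucket both fall through to the implicit deny.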
| Tool | Purpose | Real-World Example |
|---|---|---|
| AWS Artifact | Compliance Documentation | Downloading a PDF to prove to a bank that AWS infrastructure is secure. |
| AWS Shield | DDoS Protection | Automatically mitigating a SYN flood attack on a web application. |
| AWS Inspector | Vulnerability Scanning | Scanning an EC2 instance to see if the installed software has known security flaws. |