Curriculum Overview: AWS Compliance and Governance Frameworks

This curriculum provides a structured pathway to mastering the identification and management of compliance requirements across various AWS services, a critical component of the AWS Certified Cloud Practitioner (CLF-C02) exam.

## Prerequisites

Before starting this module, students should have a foundational understanding of:

Cloud Computing Basics: Understanding of On-demand delivery, Pay-as-you-go pricing, and Scalability.
AWS Global Infrastructure: Familiarity with Regions, Availability Zones, and Edge Locations.
Identity and Access Management (IAM): Basic knowledge of users, groups, and the principle of least privilege.

## Module Breakdown

Module	Topic	Difficulty	Focus Area
1	The Shared Responsibility Model	Beginner	Who is responsible for what (AWS vs. Customer).
2	Compliance Discovery Tools	Beginner	Finding reports and agreements via AWS Artifact.
3	Auditing and Monitoring	Intermediate	Real-time tracking with CloudTrail and CloudWatch.
4	Resource Governance	Intermediate	Managing configurations with AWS Config and Audit Manager.
5	Service-Specific Compliance	Advanced	How requirements shift between IaaS, PaaS, and SaaS.

## Learning Objectives per Module

Module 1: The Shared Responsibility Model

Outcome: Differentiate between security "of" the cloud and security "in" the cloud.
Key Concept: Understand how responsibility shifts based on the service model (e.g., EC2 vs. Lambda).

Module 2: AWS Artifact & Documentation

Outcome: Locate and download AWS compliance reports (SOC, PCI DSS) for auditors.
Key Concept: Using AWS Artifact as a central repository for compliance "artifacts."

Module 3: Auditing & Monitoring

Outcome: Differentiate between API logging (CloudTrail) and resource monitoring (CloudWatch).
Key Concept: Establishing an audit trail for compliance verification.

Module 4: AWS Config & Audit Manager

Outcome: Automate the assessment of resource configurations against compliance rules.
Key Concept: Continuous compliance monitoring and evidence collection.

## Visual Anchors

Compliance Service Ecosystem

Loading Diagram...

The Shift in Responsibility

Loading Diagram...

## Examples: Compliance in Action

[!NOTE] Real-World Scenario 1: Healthcare (HIPAA) A hospital uses AWS to store Patient Health Information (PHI).

Compliance Step: Use AWS Artifact to sign a Business Associate Addendum (BAA) with AWS.

Security Step: Enable encryption at rest in Amazon S3 using keys managed by AWS KMS.

[!TIP] Real-World Scenario 2: Finance (PCI DSS) A fintech startup processes credit card payments.

Compliance Step: Run Amazon Inspector to scan EC2 instances for vulnerabilities required by PCI standards.

Auditing Step: Use AWS CloudTrail to log every access request to the payment database for future audits.

## Success Metrics

To demonstrate mastery of this curriculum, the student must be able to:

Categorize Services: Correctly identify whether a security task (like patching the OS) belongs to AWS or the customer for a given service.
Tool Selection: Choose the correct tool for a scenario (e.g., "Which service provides a list of SOC reports?" $\rightarrow$ AWS Artifact).
Explain Variation: Describe why the compliance burden is higher for an Amazon EC2 user than for an AWS Lambda user.
Tagging Logic: Explain how resource tags can be used to identify assets subject to specific regulations (e.g., tagging a resource as Compliance: HIPAA).

## Real-World Application

Understanding these requirements is essential for roles such as:

Cloud Architect: Ensuring the architecture meets regional data residency laws (e.g., GDPR).
Security Analyst: Implementing continuous monitoring to detect deviations from corporate governance.
Compliance Officer: Gathering evidence for annual audits without manually inspecting every server.

Comparison Table: Audit vs. Config vs. Artifact

Feature	AWS CloudTrail	AWS Config	AWS Artifact
Primary Goal	Who did what? (API Logs)	What does it look like? (History)	Is AWS compliant? (Reports)
Use Case	Forensic investigation	Compliance auditing of resources	Legal documentation for auditors
Example	Tracking who deleted an S3 bucket	Checking if all EBS volumes are encrypted	Downloading a SOC 2 Type II report

Curriculum Overview: AWS Compliance and Governance Frameworks

## Prerequisites

Before starting this module, students should have a foundational understanding of:

Cloud Computing Basics: Understanding of On-demand delivery, Pay-as-you-go pricing, and Scalability.
AWS Global Infrastructure: Familiarity with Regions, Availability Zones, and Edge Locations.
Identity and Access Management (IAM): Basic knowledge of users, groups, and the principle of least privilege.

## Module Breakdown

Module	Topic	Difficulty	Focus Area
1	The Shared Responsibility Model	Beginner	Who is responsible for what (AWS vs. Customer).
2	Compliance Discovery Tools	Beginner	Finding reports and agreements via AWS Artifact.
3	Auditing and Monitoring	Intermediate	Real-time tracking with CloudTrail and CloudWatch.
4	Resource Governance	Intermediate	Managing configurations with AWS Config and Audit Manager.
5	Service-Specific Compliance	Advanced	How requirements shift between IaaS, PaaS, and SaaS.

## Learning Objectives per Module

Module 1: The Shared Responsibility Model

Outcome: Differentiate between security "of" the cloud and security "in" the cloud.
Key Concept: Understand how responsibility shifts based on the service model (e.g., EC2 vs. Lambda).

Module 2: AWS Artifact & Documentation

Outcome: Locate and download AWS compliance reports (SOC, PCI DSS) for auditors.
Key Concept: Using AWS Artifact as a central repository for compliance "artifacts."

Module 3: Auditing & Monitoring

Outcome: Differentiate between API logging (CloudTrail) and resource monitoring (CloudWatch).
Key Concept: Establishing an audit trail for compliance verification.

Module 4: AWS Config & Audit Manager

Outcome: Automate the assessment of resource configurations against compliance rules.
Key Concept: Continuous compliance monitoring and evidence collection.

## Visual Anchors

Compliance Service Ecosystem

Loading Diagram...

The Shift in Responsibility

Loading Diagram...

## Examples: Compliance in Action

[!NOTE] Real-World Scenario 1: Healthcare (HIPAA) A hospital uses AWS to store Patient Health Information (PHI).

Compliance Step: Use AWS Artifact to sign a Business Associate Addendum (BAA) with AWS.

Security Step: Enable encryption at rest in Amazon S3 using keys managed by AWS KMS.

[!TIP] Real-World Scenario 2: Finance (PCI DSS) A fintech startup processes credit card payments.

Compliance Step: Run Amazon Inspector to scan EC2 instances for vulnerabilities required by PCI standards.

Auditing Step: Use AWS CloudTrail to log every access request to the payment database for future audits.

## Success Metrics

To demonstrate mastery of this curriculum, the student must be able to:

Categorize Services: Correctly identify whether a security task (like patching the OS) belongs to AWS or the customer for a given service.
Tool Selection: Choose the correct tool for a scenario (e.g., "Which service provides a list of SOC reports?" $\rightarrow$ AWS Artifact).
Explain Variation: Describe why the compliance burden is higher for an Amazon EC2 user than for an AWS Lambda user.
Tagging Logic: Explain how resource tags can be used to identify assets subject to specific regulations (e.g., tagging a resource as Compliance: HIPAA).

## Real-World Application

Understanding these requirements is essential for roles such as:

Cloud Architect: Ensuring the architecture meets regional data residency laws (e.g., GDPR).
Security Analyst: Implementing continuous monitoring to detect deviations from corporate governance.
Compliance Officer: Gathering evidence for annual audits without manually inspecting every server.

Comparison Table: Audit vs. Config vs. Artifact

Feature	AWS CloudTrail	AWS Config	AWS Artifact
Primary Goal	Who did what? (API Logs)	What does it look like? (History)	Is AWS compliant? (Reports)
Use Case	Forensic investigation	Compliance auditing of resources	Legal documentation for auditors
Example	Tracking who deleted an S3 bucket	Checking if all EBS volumes are encrypted	Downloading a SOC 2 Type II report