Navigating AWS Compliance & Governance: A Comprehensive Curriculum Overview
Identifying where to find AWS compliance information (for example, AWS Artifact)
This curriculum provides a structured pathway for understanding how to locate, evaluate, and utilize AWS compliance information. It focuses on the tools and documentation necessary for customers to verify that their AWS environment meets industry-specific and regional regulatory standards.
Prerequisites
Before starting this module, students should possess the following foundational knowledge:
- Cloud Fundamentals: Basic understanding of cloud computing (IaaS, PaaS, SaaS).
- AWS Shared Responsibility Model: A firm grasp of the boundary between AWS responsibilities (Security OF the Cloud) and Customer responsibilities (Security IN the Cloud).
- Identity & Access Management (IAM): Understanding of users, roles, and permissions, as access to compliance documents is managed through IAM.
Module Breakdown
| Module | Title | Primary Focus | Difficulty |
|---|---|---|---|
| 1 | The AWS Compliance Framework | Shared Responsibility & Public Resources | Beginner |
| 2 | AWS Artifact Deep-Dive | On-demand access to compliance reports | Intermediate |
| 3 | Governance & Monitoring Tools | CloudTrail, Config, and Audit Manager | Intermediate |
| 4 | Regulated Industries & Best Practices | Industry-specific case studies (PCI DSS, HIPAA) | Advanced |
Learning Objectives per Module
Module 1: The AWS Compliance Framework
- Objective: Explain how AWS uses third-party auditors to validate its infrastructure.
- Outcome: Students will be able to navigate the public-facing AWS Compliance Page to find service-specific compliance status.
Module 2: AWS Artifact Deep-Dive
- Objective: Demonstrate the process of finding and downloading compliance artifacts.
- Outcome: Students will successfully retrieve an AWS SOC or ISO report from the AWS Management Console.
Module 3: Governance & Monitoring Tools
- Objective: Differentiate between auditing (CloudTrail), configuration tracking (AWS Config), and automated assessment (Audit Manager).
- Outcome: Students will design a basic governance workflow using integrated AWS services.
Visual Anchors
Compliance Discovery Flow (diagram)
The Compliance Pyramid (diagram)
Success Metrics
To demonstrate mastery of this curriculum, the learner must:
- Locate specific artifacts: Successfully identify where to download the SOC 2 Type II report for a specific AWS Region.
- Define Audit Paths: Correctly identify which service (CloudTrail vs. Artifact) to use when an auditor asks for "the list of all API calls made last Tuesday."
- Governance Mapping: Map at least three AWS services to specific regulatory controls (e.g., using AWS Config for continuous compliance monitoring).
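The "list of all API calls made last Tuesday" question above is answered from CloudTrail, not Artifact. The following is an added example (not part of the curriculum) that computes the last-Tuesday UTC window and filters constructed CloudTrail-style records to it, summarising which identity called which API and how many of the calls were mutating. The sample records are constructed for illustration; the field names (eventTime, eventSource, eventName, readOnly, userIdentity.arn) are those CloudTrail actually writes.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample records in the shape CloudTrail delivers to S3 (not real events).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-06-11T09:15:02Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "readOnly": False, "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-06-11T10:42:30Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "readOnly": False, "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-06-11T23:59:59Z", "eventSource": "dynamodb.amazonaws.com", "eventName": "DescribeTable",
     "readOnly": True, "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/app/session"}},
    {"eventTime": "2024-06-12T00:00:01Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "readOnly": True, "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
]})


def last_tuesday_window(today_iso):
    """Return the UTC [start, end) window of the most recent Tuesday strictly before today (YYYY-MM-DD)."""
    today = datetime.strptime(today_iso, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    days_back = (today.weekday() - 1) % 7 or 7   # weekday(): Monday=0, Tuesday=1; a Tuesday looks back a week
    start = today - timedelta(days=days_back)
    return start, start + timedelta(days=1)


def api_calls_in_window(trail_json, start, end):
    """Keep only the CloudTrail records whose eventTime falls inside [start, end)."""
    selected = []
    for record in json.loads(trail_json)["Records"]:
        when = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if start <= when < end:
            selected.append(record)
    return selected


def summarize(records):
    """Group calls by caller ARN, service and API, and count the mutating (non-read-only) ones."""
    by_call = Counter((r["userIdentity"]["arn"], r["eventSource"], r["eventName"]) for r in records)
    writes = sum(1 for r in records if not r.get("readOnly", False))
    return {"calls": dict(by_call), "total": len(records), "writes": writes}


def audit_last_tuesday(trail_json, today_iso):
    """The auditor's question end to end: which API calls were made last Tuesday, and by whom."""
    start, end = last_tuesday_window(today_iso)
    return summarize(api_calls_in_window(trail_json, start, end))


if __name__ == "__main__":
    # 2024-06-14 is a Friday, so "last Tuesday" is 2024-06-11; the fourth sample record is excluded.
    print(audit_last_tuesday(SAMPLE_TRAIL, "2024-06-14"))
```

In practice the records come from the trail's S3 bucket (or CloudTrail Lake), and Artifact would only supply the third-party audit reports, not this activity data.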
Real-World Application
- Financial Services: Use AWS Artifact to provide the PCI DSS Attestation of Compliance (AOC) to payment processors.
- Healthcare: Access and sign the Business Associate Addendum (BAA) through AWS Artifact to support HIPAA compliance.
- Government: Use FedRAMP authorization packages to support an agency-level authorization to operate (ATO).
Examples Section
[!IMPORTANT] Understanding specific examples of 'Artifacts' is key to exam success.
Example 1: The SOC Report
- Scenario: A tech startup is being acquired. The acquiring company's legal team asks for proof that the data center is secure.
- Solution: The startup downloads the Service Organization Control (SOC) 1 or SOC 2 report from AWS Artifact to provide independent third-party validation of AWS controls.
Example 2: Continuous Governance with Audit Manager
- Scenario: A company needs to prepare for an annual audit without manual data collection.
- Solution: They use AWS Audit Manager to automatically collect evidence from AWS Config and CloudTrail, mapping it directly to the NIST 800-53 framework.
Example 3: Public Compliance Page
- Scenario: A developer wants to know if Amazon DynamoDB is "in scope" for HIPAA before building an app.
- Solution: They visit the AWS Services in Scope by Compliance Program webpage to verify DynamoDB's status for HIPAA/HITECH.