
AWS Solutions Architect Compliance: Complete Study Guide


The AWS Solutions Architect certification requires deep knowledge of compliance frameworks, security practices, and regulatory requirements. Compliance is critical for designing cloud infrastructure that meets industry standards and legal obligations.

You'll encounter compliance in nearly every architecture scenario on the exam. This guide covers the core concepts: AWS compliance programs, data encryption standards, audit controls, and regulations like HIPAA, PCI-DSS, and GDPR.

Mastering compliance means understanding which services to use and how to combine them into secure, auditable systems. Let's explore what you need to know.


Understanding AWS Compliance Programs and Certifications

AWS maintains compliance with numerous international standards and regulations organized into compliance programs. These programs demonstrate AWS's commitment to security and data protection.

Major AWS Compliance Programs

AWS supports compliance for multiple industries and regulatory frameworks:

  • SOC 1, SOC 2, SOC 3 for service organizations
  • ISO 27001 for information security management
  • ISO 27018 for cloud privacy
  • HIPAA for healthcare
  • PCI-DSS for payment card data
  • FedRAMP for federal government systems
  • GDPR for European data protection

Each program has specific requirements that affect your architecture decisions. For example, HIPAA compliance requires encryption in transit and at rest, access logging, and audit trails. In practice that means selecting services such as AWS KMS and CloudTrail, and encrypting network traffic within your VPC.

Understanding Shared Responsibility

The shared responsibility model defines who manages what. AWS manages infrastructure-level compliance, securing data centers and services. You manage application-level compliance through configuration and service selection.

With managed services like DynamoDB, AWS handles more of the stack. With EC2, you handle more of the operating system and application security yourself. The exam tests whether you understand this distinction and can design architectures accordingly.

Using AWS Compliance Resources

AWS provides the AWS Compliance Center with documentation, whitepapers, and attestations for each program. When studying, learn which services support specific requirements and how to combine them. Recognize shared responsibility boundaries for each service you use.

Encryption, Key Management, and Data Protection

Encryption is fundamental to every compliance strategy. It protects data from unauthorized access and appears throughout compliance requirements.

AWS KMS and Key Management

AWS KMS (Key Management Service) is the primary service for managing encryption keys. KMS provides:

  • Envelope encryption for large data objects
  • Automatic key rotation to meet compliance timelines
  • Key policies for controlling who uses which keys
  • CloudTrail integration for tracking key usage

KMS integrates with virtually every AWS storage and database service. You use KMS keys to encrypt S3, EBS, RDS, DynamoDB, and more. For regulated industries, KMS's HSM-backed keys provide additional assurance that encryption happens in hardware security modules.

Encryption in Transit and at Rest

Encryption in transit uses TLS/SSL protocols for data moving between systems. Encryption at rest uses AWS KMS keys or service-specific encryption options.

For S3, enable default encryption and use bucket policies to enforce it. For RDS databases, enable encryption with AWS KMS and require SSL/TLS connections. DynamoDB supports AWS KMS encryption. EBS volumes are encrypted at creation time. These services work together to create comprehensive encryption coverage.
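Added example, not code from the study guide: a Python function that builds the kind of S3 bucket policy the paragraph describes (deny uploads that do not request SSE-KMS, deny any request made without TLS), plus a small evaluator that models the three condition operators the policy uses so you can see which PutObject requests it blocks. The bucket name is a placeholder.

```python
# Added example, not from the study guide. The bucket name passed in is a placeholder.
def build_bucket_policy(bucket):
    """Bucket policy that denies uploads not requesting SSE-KMS and denies any request
    made without TLS. Default bucket encryption still belongs on the bucket; this policy
    makes callers state encryption explicitly and blocks plaintext transport."""
    arn = f"arn:aws:s3:::{bucket}"
    def deny(sid, action, resource, condition):
        return {"Sid": sid, "Effect": "Deny", "Principal": "*", "Action": action,
                "Resource": resource, "Condition": condition}
    return {"Version": "2012-10-17", "Statement": [
        deny("DenyIncorrectEncryptionHeader", "s3:PutObject", f"{arn}/*",
             {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}),
        # The Null test covers uploads that send no encryption header at all; the
        # AWS-documented pattern carries both statements for that reason.
        deny("DenyUnencryptedObjectUploads", "s3:PutObject", f"{arn}/*",
             {"Null": {"s3:x-amz-server-side-encryption": "true"}}),
        deny("DenyInsecureTransport", "s3:*", [arn, f"{arn}/*"],
             {"Bool": {"aws:SecureTransport": "false"}}),
    ]}

def _condition_matches(condition, ctx):
    """Model the three operators the policy uses. ctx is the request context: header
    values keyed by condition key, plus aws:SecureTransport as 'true' or 'false'."""
    for op, pairs in condition.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "StringNotEquals":
                ok = have is not None and have != want
            elif op == "Null":
                ok = (have is None) == (want == "true")
            elif op == "Bool":
                ok = have is not None and str(have).lower() == want
            else:
                raise ValueError(f"operator not modelled: {op}")
            if not ok:
                return False
    return True

def put_object_denied(policy, ctx):
    """Return the Sid of the first Deny statement matching a PutObject request, or None.
    An explicit Deny wins over any Allow, so None means 'not blocked by this policy'."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] == "Deny" and ({"s3:*", "s3:PutObject"} & set(actions)):
            if _condition_matches(stmt["Condition"], ctx):
                return stmt["Sid"]
    return None
```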

Data Classification and Sensitive Data

Different data types require different protection levels:

  • Personally Identifiable Information (PII) like names and SSNs
  • Protected Health Information (PHI) in healthcare systems
  • Cardholder data in payment systems

Use AWS Macie to discover and classify sensitive data automatically. Design encryption and access control strategies based on data type. The exam expects you to balance security with performance and cost.

Audit, Logging, and Monitoring for Compliance

Compliance requires comprehensive logging and monitoring to prove systems operate according to regulations and to detect unauthorized activity.

CloudTrail for API Auditing

CloudTrail records API calls and user actions across AWS accounts. It shows who did what, when, and from where. CloudTrail logs are essential for forensics and compliance audits.

For compliance, configure CloudTrail to:

  • Log events from all regions, not only the region you work in
  • Enable log file validation so tampering with delivered logs can be detected
  • Store logs in a dedicated S3 bucket with versioning enabled so earlier log objects cannot be silently overwritten
  • Protect that bucket with MFA delete

CloudTrail reveals unauthorized changes and suspicious access patterns that violate compliance.
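As an added example (not from the guide), the kind of review the paragraph above describes, run over a few constructed CloudTrail records: it flags API calls that weaken logging or encryption controls, console logins without MFA, and use of root credentials. The event and service names are real; the records themselves are constructed.

```python
import json

# Added example, not from the study guide. Records are constructed and trimmed to the
# fields the rules read; they follow the layout of a delivered CloudTrail log file.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T09:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-05-01T09:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucketEncryption", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "Root"}},
    {"eventTime": "2024-05-01T09:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.4",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc"}},
]})

# API calls that weaken the logging, encryption or configuration controls an audit relies on.
CONTROL_TAMPERING = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "kms.amazonaws.com": {"DisableKey", "ScheduleKeyDeletion", "DisableKeyRotation"},
    "s3.amazonaws.com": {"DeleteBucketEncryption", "DeleteBucketPublicAccessBlock"},
    "config.amazonaws.com": {"StopConfigurationRecorder", "DeleteConfigurationRecorder"},
}

def actor(record):
    # Best available name for who made the call: user name, then ARN, then identity type.
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")

def review_records(records):
    """Return (eventTime, eventName, actor, reason) for each record a compliance
    reviewer should examine. A record can produce more than one finding."""
    findings = []
    for rec in records:
        name, source = rec.get("eventName"), rec.get("eventSource")
        reasons = []
        if name in CONTROL_TAMPERING.get(source, ()):
            reasons.append("changes a logging or encryption control")
        if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") == "No":
            reasons.append("console login without MFA")
        if rec.get("userIdentity", {}).get("type") == "Root":
            reasons.append("root credentials used")
        findings.extend((rec["eventTime"], name, actor(rec), r) for r in reasons)
    return findings

def review_log_file(text):
    # One CloudTrail log file is a JSON document with a top-level "Records" array.
    return review_records(json.loads(text)["Records"])
```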

AWS Config for Configuration Compliance

AWS Config continuously tracks resource configurations and checks compliance with rules. You can create rules that verify:

  • Default encryption is enabled on every S3 bucket
  • Public access is blocked on resources that should be private
  • Security groups match your approved configurations

Config generates compliance reports showing which resources pass or fail your compliance rules. Use Config aggregators to track compliance across multiple accounts.
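An added example, not the guide's own code: the evaluation logic of a custom Config rule covering the first two checks listed above (default encryption enabled, public access blocked) for S3 buckets. The field names under supplementaryConfiguration are assumed to match what Config records for AWS::S3::Bucket; the sample configuration item is constructed.

```python
import json

# Added example, not from the study guide. The field names under supplementaryConfiguration
# are an assumption to check against your own recorded configuration items.
REQUIRED_SSE = "aws:kms"
PAB_FLAGS = ("blockPublicAcls", "ignorePublicAcls", "blockPublicPolicy", "restrictPublicBuckets")

def evaluate_bucket(item):
    """Return (ComplianceType, Annotation) for one AWS::S3::Bucket configuration item:
    NON_COMPLIANT when default encryption is not SSE-KMS or any public-access-block
    setting is off, NOT_APPLICABLE for other resource types or deleted buckets."""
    if item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "rule evaluates only S3 buckets"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "bucket has been deleted"
    supp = item.get("supplementaryConfiguration") or {}
    problems = []
    rules = (supp.get("ServerSideEncryptionConfiguration") or {}).get("rules", [])
    algorithms = {r.get("applyServerSideEncryptionByDefault", {}).get("sseAlgorithm") for r in rules}
    if REQUIRED_SSE not in algorithms:
        found = ", ".join(sorted(a for a in algorithms if a)) or "none"
        problems.append(f"default encryption is {found}, required {REQUIRED_SSE}")
    pab = supp.get("PublicAccessBlockConfiguration") or {}
    off = [flag for flag in PAB_FLAGS if not pab.get(flag)]
    if off:
        problems.append("public access block incomplete: " + ", ".join(off))
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "SSE-KMS default encryption and full public access block"

def handler(event, context=None):
    """Lambda entry point shape for a custom rule: the item arrives as a JSON string in
    event['invokingEvent']; a deployed handler passes the result to config.put_evaluations."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate_bucket(item)
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "Annotation": annotation,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

# Constructed configuration item: SSE-S3 only, and two public-access-block flags off.
SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": {
    "resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket",
    "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-05-01T09:00:00.000Z",
    "supplementaryConfiguration": {
        "ServerSideEncryptionConfiguration": {"rules": [
            {"applyServerSideEncryptionByDefault": {"sseAlgorithm": "AES256"}}]},
        "PublicAccessBlockConfiguration": {"blockPublicAcls": True, "ignorePublicAcls": True,
                                           "blockPublicPolicy": False, "restrictPublicBuckets": False}}}})}
```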

Additional Logging and Monitoring

Implement comprehensive logging across services:

  • VPC Flow Logs capture network traffic for detecting unauthorized access
  • GuardDuty uses machine learning to identify threats
  • CloudWatch Logs provide centralized log analysis and alerting
  • Access Logs on S3 and ELB create audit trails of who accessed what

Multi-account organizations typically implement centralized logging architectures where all logs flow to a dedicated logging account. This prevents tampering and ensures logs remain immutable. The exam tests your ability to design logging that satisfies audits without overwhelming teams with excessive data.

Identity and Access Management for Compliance

Identity and Access Management (IAM) is fundamental to compliance. Access controls prevent unauthorized users from accessing sensitive data or making unauthorized changes.

Principle of Least Privilege

Compliance requirements mandate the principle of least privilege. Users receive only the minimum permissions needed for their role. AWS IAM enables this through policies that specify actions, resources, and conditions.

Role-based access control using IAM roles is preferred over long-term access keys because:

  • Roles provide temporary credentials
  • Roles simplify permission management
  • Roles enable fine-grained audit trails

Resource-based policies on S3 buckets, KMS keys, and SQS queues provide additional access control layers.

Multi-Factor Authentication and Credential Protection

Multi-factor Authentication (MFA) is required by most compliance frameworks for privileged accounts. MFA protects against credential compromise.

MFA delete on S3 prevents accidental or malicious deletion of critical data. Require MFA for sensitive actions like creating new IAM users or deleting backups.

Centralized Identity Management

AWS SSO centralizes identity management across multiple AWS accounts and enforces MFA consistently. This meets compliance requirements for consistent access controls.

Conditional access policies restrict access based on IP ranges, requiring access from corporate networks or approved VPNs. AWS Systems Manager Session Manager provides audit trails of interactive sessions.

Separation of Duties

Compliance often requires separation of duties where no single person can perform sensitive actions like creating, approving, and implementing changes. Design IAM policies to enforce this segregation. Use Access Analyzer to identify unintended public or cross-account access to resources, detecting compliance violations.
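Added example, not from the guide: a small Python linter that applies this section's least-privilege, MFA and public-access checks to IAM policy documents, with constructed sample policies. The list of sensitive actions is a hypothetical choice for illustration (the action names themselves are real).

```python
from fnmatch import fnmatch
# Added example, not from the study guide. SENSITIVE_ACTIONS is a hypothetical selection;
# the action names are real IAM and AWS Backup actions. Sample policies are constructed.
SENSITIVE_ACTIONS = {"iam:CreateUser", "iam:CreateAccessKey", "iam:AttachUserPolicy",
                     "iam:PutUserPolicy", "backup:DeleteRecoveryPoint", "backup:DeleteBackupVault"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _requires_mfa(stmt):
    """True when an Allow statement applies only to MFA-authenticated sessions."""
    cond = stmt.get("Condition", {}).get("Bool", {})
    return str(cond.get("aws:MultiFactorAuthPresent", "")).lower() == "true"

def lint_policy(policy):
    """Return (Sid, message) for every Allow statement broader than least privilege:
    wildcard actions on every resource, sensitive actions without an MFA condition, or a
    resource policy open to any principal with no condition (what Access Analyzer reports)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            findings.append((sid, "wildcard action on all resources; scope to needed actions and ARNs"))
        hits = sorted(s for s in SENSITIVE_ACTIONS if any(fnmatch(s, a) for a in actions))
        if hits and not _requires_mfa(stmt):
            findings.append((sid, "sensitive actions allowed without MFA: " + ", ".join(hits)))
        if stmt.get("Principal") in ("*", {"AWS": "*"}) and "Condition" not in stmt:
            findings.append((sid, "open to any principal with no condition"))
    return findings

# Constructed policies: the first two are identity policies, the third a bucket policy.
ADMIN_NO_MFA = {"Version": "2012-10-17", "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "UserAdmin", "Effect": "Allow", "Resource": "*",
     "Action": ["iam:CreateUser", "iam:CreateAccessKey", "iam:ListUsers"]}]}
USER_ADMIN_WITH_MFA = {"Version": "2012-10-17", "Statement": [
    {"Sid": "UserAdminMfa", "Effect": "Allow",
     "Action": ["iam:CreateUser", "iam:CreateAccessKey"],
     "Resource": "arn:aws:iam::111122223333:user/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"},
                   "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}]}
PUBLIC_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
```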

Compliance Architecture Patterns and Design Strategies

Designing compliant AWS architectures requires integrating multiple services into cohesive patterns that satisfy regulatory requirements.

Isolated Workload Architecture

A common pattern for regulated industries is the isolated workload architecture. Sensitive applications run in:

  • Dedicated subnets or VPCs
  • Restricted network access using NACLs and security groups
  • Encrypted storage with monitored KMS usage
  • Comprehensive logging and audit trails

Network isolation using private subnets and egress filtering prevents data exfiltration by controlling outbound traffic.

Multi-Account Compliance Strategy

Multi-account strategies support compliance by isolating workloads by environment or regulatory requirement. Use AWS Organizations to manage policies consistently across accounts.

Typical account structure includes:

  • Dedicated security account for centralized logs
  • CloudTrail organization trails collecting logs from all accounts
  • Compliance account hosting Config aggregators

This structure prevents any single account compromise from affecting compliance across your organization.

Data Residency and Cross-Region Considerations

Data residency requirements in some regulations mandate that data remains in specific geographic regions. This influences your region selection and cross-region replication strategies.

Backup and disaster recovery must maintain encryption and access controls. Encrypt backups and restrict access to recovery resources. For healthcare or financial workloads, AWS Direct Connect may be required to meet compliance standards for network security.

Change Management and Infrastructure as Code

Compliance affects change management. Require approval workflows before production changes and maintain audit trails of changes.

Infrastructure as Code tools like CloudFormation or Terraform with approval gates support compliance requirements. Track who changed what through version control and CloudTrail logging.

The exam tests your ability to recommend patterns that achieve compliance while remaining cost-effective and operationally efficient.

Master AWS Compliance Concepts with Flashcards

Transform complex compliance frameworks, encryption services, and audit requirements into efficient study materials. Flashcards use spaced repetition and active recall to embed compliance knowledge into your long-term memory, ensuring you recognize compliance requirements and design appropriate solutions during the exam.


Frequently Asked Questions

What is the shared responsibility model in AWS compliance?

The shared responsibility model states that AWS is responsible for infrastructure-level compliance, securing the cloud services, hardware, and facilities. You are responsible for the compliance of your applications, your data, and how you configure AWS services.

For example, AWS ensures its data centers meet compliance standards and that services like KMS function correctly. You must enable encryption, implement access controls, and maintain audit logs.

Understanding this distinction is critical for the exam. You cannot rely solely on AWS compliance certifications without implementing security measures on your side. Different services shift the responsibility line. With managed services like DynamoDB, AWS handles more infrastructure compliance. With EC2, you have more responsibility for the operating system and application security.

How does AWS KMS support compliance requirements?

AWS KMS provides centralized key management essential for encryption compliance. KMS creates and manages encryption keys that you control with key policies, restricting who uses keys and tracking usage through CloudTrail.

KMS supports automatic key rotation to meet compliance timelines for regular key changes. Create multi-region keys for disaster recovery while maintaining compliance across regions. KMS integrates with virtually every AWS storage service including S3, EBS, RDS, and DynamoDB, allowing you to enforce consistent encryption policies.

For regulated industries, KMS's HSM-based backing provides additional assurance that encryption keys are protected in hardware security modules. The exam expects you to design key management strategies, understand key policies, and recommend KMS solutions for compliance scenarios.

What are the key differences between AWS Config and CloudTrail for compliance?

CloudTrail records API calls and user actions, showing who did what and when. This creates an audit trail for forensics and compliance investigations.

AWS Config tracks resource configurations over time and checks compliance with desired states. It answers what resources exist and whether they meet compliance rules.

CloudTrail detects unauthorized changes and suspicious access patterns. Config detects configuration drift and resources violating compliance rules. For comprehensive compliance, use both services together. CloudTrail shows that someone created an unencrypted S3 bucket. Config identifies that the bucket violates your encryption compliance rule. The exam tests scenarios requiring both services and understanding what each reveals about your compliance posture.

How do you design a compliant data architecture for HIPAA or PCI-DSS?

HIPAA and PCI-DSS compliant architectures require encryption of Protected Health Information (PHI) and cardholder data both in transit and at rest, with the at-rest encryption keys managed in AWS KMS.

Network isolation is critical for keeping sensitive data in private subnets without internet access. Implement these additional controls:

  • Multi-factor authentication for privileged access
  • Comprehensive logging through CloudTrail, Config, and VPC Flow Logs
  • Least privilege access using IAM roles and policies
  • Encrypted backups and disaster recovery
  • Regular security assessments using Inspector

The exam expects you to design end-to-end architectures incorporating these elements appropriately for the regulated data type and compliance framework.

Why are flashcards effective for studying AWS compliance concepts?

AWS compliance involves numerous services, acronyms, regulatory frameworks, and decision points that benefit from spaced repetition and active recall, where flashcards excel.

Compliance includes facts like which services support encryption, definitions of compliance programs, and decision trees for architecture scenarios. Flashcards break complex topics into manageable pieces, allowing you to master compliance frameworks separately from encryption services and logging.

Active recall testing through flashcard practice strengthens memory far more effectively than passive reading. The compliance domain appears throughout the Solutions Architect exam. Flashcard practice ensures compliance concepts become automatic rather than requiring conscious effort during the exam. Flashcards help you recognize when scenarios require specific compliance considerations, improving your ability to identify incomplete architecture designs.