# Chapter 30: Compliance, Auditing & Governance
## AWS Governance & Compliance Services
## 30.1 Overview

AWS provides comprehensive services for compliance management, auditing, and governance to help organizations meet regulatory requirements and maintain security standards.
```text
AWS Compliance & Governance Overview

                 +------------------------+
                 |     Compliance &       |
                 |      Governance        |
                 +------------------------+
                              |
          +-------------------+-------------------+
          |                   |                   |
          v                   v                   v
   +------------+      +------------+      +------------+
   |    AWS     |      |    AWS     |      |    AWS     |
   |   Audit    |      |  Artifact  |      |   Config   |
   |  Manager   |      |            |      |            |
   |            |      | - Audit    |      | - Track    |
   | - Automate |      |   reports  |      |   config   |
   | - Evidence |      | - Comply   |      | - Rules    |
   +------------+      +------------+      +------------+
```
### Service Comparison

| Feature | Audit Manager | Artifact | Config | CloudTrail |
|---|---|---|---|---|
| Primary Use | Audit automation | Compliance reports | Config tracking | API auditing |
| Automation | High | Low | Medium | Low |
| Evidence Collection | Yes | Yes | Yes | Yes |
| Compliance Frameworks | Multiple | Built-in | Custom | N/A |
| Pricing | Per assessment | Free | Per rule | Free/Paid |
## 30.2 AWS Audit Manager
### Audit Manager Overview

```text
AWS Audit Manager Architecture

                 +------------------------+
                 |   AWS Audit Manager    |
                 +------------------------+
                              |
          +-------------------+-------------------+
          |                   |                   |
          v                   v                   v
   +------------+      +------------+      +------------+
   | Frameworks |      |  Controls  |      |  Evidence  |
   |            |      |            |      |            |
   | - Prebuilt |      | - Custom   |      | - Auto     |
   | - Custom   |      | - Managed  |      |   collect  |
   | - Import   |      | - Inherit  |      | - Manual   |
   +------------+      +------------+      +------------+
          |                   |                   |
          v                   v                   v
   +----------------------------------------------------+
   | Assessments                                        |
   | - Compliance status                                |
   | - Evidence reports                                 |
   | - Remediation tracking                             |
   +----------------------------------------------------+
```
### Prebuilt Frameworks

Audit Manager ships with prebuilt compliance frameworks, including:

- CIS AWS Foundations Benchmark v1.4
- CIS AWS Foundations Benchmark v1.5
- PCI DSS v3.2.1
- PCI DSS v4.0
- NIST SP 800-53 Rev. 5
- SOC 2
- HIPAA
- GDPR
- ISO 27001
- FedRAMP
- AWS Well-Architected Framework
### Control Types

**Automated controls**

- Data sources: AWS Config, AWS Security Hub, AWS CloudTrail, Amazon S3, AWS IAM
- Evidence collection: automatic data gathering, continuous monitoring, real-time updates

**Manual controls**

- Evidence types: document uploads, screenshots, text descriptions, external links
- Use cases: policy attestations, process documentation, third-party certifications
### Assessment Workflow

1. Create assessment
   - Select framework
   - Define scope (accounts, regions)
   - Set assessment period
2. Collect evidence
   - Automated collection from data sources
   - Manual evidence upload
   - Continuous updates
3. Review findings
   - Analyze compliance status
   - Identify gaps
   - Document exceptions
4. Generate report
   - Create assessment report
   - Export to stakeholders
   - Archive for audit trail
### Audit Manager CLI Commands

```bash
# Create assessment (a framework id is required; find one with
# `aws auditmanager list-assessment-frameworks --framework-type Standard`)
aws auditmanager create-assessment \
  --name "My Compliance Assessment" \
  --description "Annual compliance review" \
  --framework-id "<framework-id>" \
  --assessment-reports-destination '{"destinationType":"S3","destination":"s3://my-bucket/reports"}' \
  --scope '{"awsAccounts":[{"id":"123456789012"}],"awsServices":[]}' \
  --roles '[{"roleType":"PROCESS_OWNER","roleArn":"arn:aws:iam::..."}]'

# List assessments
aws auditmanager list-assessments

# Get assessment
aws auditmanager get-assessment \
  --assessment-id "abc-123"

# Create control backed by an AWS Config rule as its evidence source
aws auditmanager create-control \
  --name "My Control" \
  --description "Custom security control" \
  --testing-information "Verify encryption is enabled" \
  --control-mapping-sources '[{"sourceName":"S3 encryption (Config)","sourceSetUpOption":"System_Controls","sourceType":"AWS_Config","sourceKeyword":{"keywordInputType":"SELECT_FROM_LIST","keywordValue":"S3_BUCKET_ENCRYPTION_ENABLED"}}]'

# List controls
aws auditmanager list-controls \
  --control-type "Custom"

# Get evidence
aws auditmanager get-evidence \
  --assessment-id "abc-123" \
  --evidence-folder-id "folder-123" \
  --evidence-id "evidence-123"

# Create assessment report
aws auditmanager create-assessment-report \
  --assessment-id "abc-123" \
  --name "Q1 Compliance Report"
```
## 30.3 AWS Artifact
### Artifact Overview

```text
AWS Artifact Architecture

                 +------------------------+
                 |      AWS Artifact      |
                 +------------------------+
                              |
          +-------------------+-------------------+
          |                   |                   |
          v                   v                   v
   +------------+      +------------+      +------------+
   |   Audit    |      | Compliance |      | Agreements |
   |  Reports   |      |  Reports   |      |            |
   |            |      |            |      |            |
   | - SOC      |      | - ISO      |      | - BAA      |
   | - PCI      |      | - FedRAMP  |      | - DPA      |
   | - Other    |      | - Others   |      | - Others   |
   +------------+      +------------+      +------------+
```
### Available Reports

**Audit reports**

- SOC reports: SOC 1 Type II (SSAE 18), SOC 2 Type II, SOC 3
- PCI DSS: Attestation of Compliance (AOC), Report on Compliance (ROC)
- ISO certifications: ISO 27001, ISO 27017 (cloud security), ISO 27018 (privacy), ISO 9001 (quality)

**Government certifications**

- FedRAMP (Federal Risk and Authorization Management Program)
- DoD SRG (Department of Defense)
- IRAP (Australian Government)
- MTCS (Singapore Government)
- C5 (German Government)
### Agreement Types

**Business Associate Agreement (BAA)**

- Required for HIPAA compliance
- Covers protected health information (PHI)
- Must be accepted before processing PHI

**Data Processing Agreement (DPA)**

- GDPR compliance
- Data processing terms
- EU data protection requirements

**Service terms**

- Service-specific terms
- Usage restrictions
- Compliance requirements
## 30.4 AWS Config
### Config Overview

```text
AWS Config Architecture

                 +------------------------+
                 |       AWS Config       |
                 +------------------------+
                              |
          +-------------------+-------------------+
          |                   |                   |
          v                   v                   v
   +------------+      +------------+      +------------+
   |   Config   |      |   Config   |      |   Config   |
   |  Recorder  |      |   Rules    |      | Aggregator |
   |            |      |            |      |            |
   | - Record   |      | - Managed  |      | - Multi-   |
   |   changes  |      | - Custom   |      |   account  |
   | - Track    |      | - Remediate|      | - Central  |
   +------------+      +------------+      +------------+
          |                   |                   |
          v                   v                   v
   +----------------------------------------------------+
   | Configuration Items                                |
   | - Resource history                                 |
   | - Relationships                                    |
   | - Compliance status                                |
   +----------------------------------------------------+
```
### Config Rules

**Managed rules (AWS provided)**

- Security rules: `S3_BUCKET_ENCRYPTION_ENABLED`, `S3_BUCKET_PUBLIC_READ_PROHIBITED`, `EBS_ENCRYPTION_ENABLED`, `RDS_ENCRYPTION_ENABLED`, `IAM_PASSWORD_POLICY`, `ROOT_ACCOUNT_MFA_ENABLED`
- Network rules: `VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS`, `INCOMING_SSH_DISABLED`, `RESTRICTED_INCOMING_TRAFFIC`

**Custom rules (Lambda-based)**

- Use cases: organization-specific requirements, complex compliance checks, cross-resource validation
- Examples:
  - Check if all EC2 instances have required tags
  - Validate security group naming conventions
  - Ensure specific IAM policies are attached
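As an added example (not code from the chapter), here is the evaluation logic for a Lambda-backed custom rule implementing the first use case above, checking that every EC2 instance carries a set of required tags. The rule parameter name `requiredTagKeys` and the sample invocation event are constructed for this example; the event shape (`invokingEvent` carrying a `configurationItem`, `ruleParameters` as a JSON string, a `resultToken`) is what Config passes to a custom-rule Lambda. The `put_evaluations` call is isolated in its own function so the evaluation logic can be run and tested without AWS credentials.

```python
"""Evaluation logic for a Lambda-backed custom AWS Config rule.

Added example (not the chapter's own code) for the use case "check if all
EC2 instances have required tags".  Deleted resources and other resource
types are reported NOT_APPLICABLE so the rule never leaves stale
NON_COMPLIANT results behind for resources that no longer exist.
"""
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def evaluate_required_tags(configuration_item, required_tags):
    """Return (compliance_type, annotation) for one configuration item.

    `required_tags` is a list of tag keys that must be present with a
    non-empty value.
    """
    if configuration_item.get("resourceType") != "AWS::EC2::Instance":
        return NOT_APPLICABLE, "Rule only evaluates EC2 instances"
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return NOT_APPLICABLE, "Resource has been deleted"

    tags = configuration_item.get("tags") or {}
    missing = [key for key in required_tags if not tags.get(key)]
    if missing:
        return NON_COMPLIANT, "Missing required tags: " + ", ".join(sorted(missing))
    return COMPLIANT, "All required tags present"


def build_evaluation(event):
    """Parse a Config invocation event and produce one Evaluation dict."""
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    # "requiredTagKeys" is a constructed parameter name for this example.
    required = [k.strip() for k in params.get("requiredTagKeys", "").split(",") if k.strip()]

    compliance, annotation = evaluate_required_tags(item, required)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def publish_evaluations(evaluations, result_token):
    """Report results back to AWS Config; needs boto3 and the Lambda's role."""
    import boto3  # imported lazily so the evaluation logic runs without it
    boto3.client("config").put_evaluations(Evaluations=evaluations, ResultToken=result_token)


def lambda_handler(event, context):
    """Lambda entry point: evaluate the changed resource, then report."""
    evaluation = build_evaluation(event)
    publish_evaluations([evaluation], event["resultToken"])
    return evaluation


# Constructed sample invocation event (not a real captured event).
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-15T12:00:00.000Z",
            "tags": {"Owner": "platform-team", "Environment": ""},
        },
        "messageType": "ConfigurationItemChangeNotification",
    }),
    "ruleParameters": json.dumps({"requiredTagKeys": "Owner,Environment,CostCenter"}),
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

An empty tag value is treated the same as a missing tag, which is usually what a tagging policy intends; drop the `not tags.get(key)` check in favour of `key not in tags` if only key presence matters.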
### Config Remediation

**Automatic remediation**

Workflow:

1. Config rule detects non-compliance
2. Remediation action triggered
3. SSM Automation document executes
4. Resource remediated
5. Config re-evaluates rule

Built-in remediation actions:

- `AWS-EnableS3BucketEncryption`
- `AWS-DisableS3BucketPublicRead`
- `AWS-EnableEBSVolumeEncryption`
- `AWS-AttachIAMPolicy`

**Manual remediation**

- Notification via SNS
- Manual review and action
- Documentation of remediation
### Config CLI Commands

```bash
# Put configuration recorder (the recorder and delivery channel must
# exist before the recorder can be started)
aws configservice put-configuration-recorder \
  --configuration-recorder '{"name":"default","roleARN":"arn:aws:iam::...","recordingGroup":{"allSupported":true,"includeGlobalResourceTypes":true}}'

# Put delivery channel
aws configservice put-delivery-channel \
  --delivery-channel '{"name":"default","s3BucketName":"my-config-bucket","snsTopicARN":"arn:aws:sns:..."}'

# Start configuration recorder
aws configservice start-configuration-recorder \
  --configuration-recorder-name default

# List config rules
aws configservice describe-config-rules

# Get compliance details
aws configservice get-compliance-details-by-config-rule \
  --config-rule-name "S3_BUCKET_ENCRYPTION_ENABLED"

# Get resource config history
aws configservice get-resource-config-history \
  --resource-type AWS::EC2::Instance \
  --resource-id i-1234567890abcdef0

# Put config rule
aws configservice put-config-rule \
  --config-rule '{"ConfigRuleName":"MyRule","Source":{"Owner":"AWS","SourceIdentifier":"S3_BUCKET_ENCRYPTION_ENABLED"}}'

# Put remediation configuration (the parameter takes a list)
aws configservice put-remediation-configurations \
  --remediation-configurations '[{"ConfigRuleName":"S3_BUCKET_ENCRYPTION_ENABLED","TargetId":"AWS-EnableS3BucketEncryption","TargetType":"SSM_DOCUMENT","Parameters":{"AutomationAssumeRole":{"StaticValue":{"Values":["arn:aws:iam::..."]}},"BucketName":{"ResourceValue":{"Value":"RESOURCE_ID"}}}}]'

# Select aggregate resources
aws configservice select-aggregate-resource-config \
  --expression "SELECT resourceId, resourceName, resourceType WHERE resourceType = 'AWS::EC2::Instance'" \
  --configuration-aggregator-name my-aggregator
```
## 30.5 AWS CloudTrail
### CloudTrail Overview

```text
AWS CloudTrail Architecture

                 +------------------------+
                 |     AWS CloudTrail     |
                 +------------------------+
                              |
          +-------------------+-------------------+
          |                   |                   |
          v                   v                   v
   +------------+      +------------+      +------------+
   | Management |      |    Data    |      |  Insights  |
   |   Events   |      |   Events   |      |            |
   |            |      |            |      |            |
   | - Control  |      | - S3       |      | - Anomaly  |
   |   plane    |      | - Lambda   |      | - Detect   |
   | - API calls|      | - DynamoDB |      | - Alert    |
   +------------+      +------------+      +------------+
          |                   |                   |
          v                   v                   v
   +----------------------------------------------------+
   | S3 Bucket (Log Storage)                            |
   +----------------------------------------------------+
```
### CloudTrail Event Types

**Management events (control plane operations)**

- Creating/deleting resources, modifying configurations, IAM operations, security group changes
- Examples: EC2 `RunInstances`, `TerminateInstances`; S3 `CreateBucket`, `DeleteBucket`; IAM `CreateUser`, `AttachRolePolicy`

**Data events (data plane operations)**

- S3 object-level operations, Lambda function invocations, DynamoDB table operations
- Examples: S3 `GetObject`, `PutObject`, `DeleteObject`; Lambda `Invoke`; DynamoDB `GetItem`, `PutItem`

**Insights events (anomaly detection)**

- Unusual API call volume
- Suspicious activity patterns
- Potential security issues
### CloudTrail Log Structure

```json
{
  "Records": [{
    "eventVersion": "1.08",
    "userIdentity": {
      "type": "IAMUser",
      "principalId": "AIDACKCEVSQ6C2EXAMPLE",
      "arn": "arn:aws:iam::123456789012:user/alice",
      "accountId": "123456789012",
      "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
      "userName": "alice"
    },
    "eventTime": "2024-01-15T12:00:00Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "StartInstances",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.1",
    "userAgent": "aws-cli/2.0.0",
    "requestParameters": {
      "instancesSet": {
        "items": [{"instanceId": "i-1234567890abcdef0"}]
      }
    },
    "responseElements": {
      "instancesSet": {
        "items": [{
          "instanceId": "i-1234567890abcdef0",
          "currentState": {"code": 0, "name": "pending"},
          "previousState": {"code": 80, "name": "stopped"}
        }]
      }
    },
    "resources": [{
      "ARN": "arn:aws:ec2:us-east-1:123456789012:instance/...",
      "type": "AWS::EC2::Instance"
    }],
    "eventType": "AwsApiCall",
    "recipientAccountId": "123456789012"
  }]
}
```
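The record structure above is what a detection pipeline consumes. As an added example (not from the chapter), the following script loads a CloudTrail log file as delivered to S3 (gzip or plain JSON), flattens each record into the fields an analyst reads first, and applies a few detection rules that correspond to the checklist later in the chapter: root account use, changes to the trail itself, IAM privilege changes, and access-denied calls. The log file, its users and the detection names are constructed for the example; the `Records` array and field names match the format shown above.

```python
"""Offline triage of a CloudTrail log file.

Added example, not code from the chapter.  Parses the "Records" array
shown above, flattens each record, and applies a small set of detection
rules.  The log file and its events are constructed for illustration.
"""
import gzip
import json
from collections import Counter

# Detection rules as (name, predicate over one record), evaluated in order.
DETECTIONS = [
    ("root-account-activity",
     lambda r: r.get("userIdentity", {}).get("type") == "Root"),
    ("cloudtrail-logging-tampering",
     lambda r: r.get("eventSource") == "cloudtrail.amazonaws.com"
     and r.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail",
                                "PutEventSelectors"}),
    ("iam-privilege-change",
     lambda r: r.get("eventSource") == "iam.amazonaws.com"
     and r.get("eventName") in {"AttachRolePolicy", "AttachUserPolicy",
                                "PutUserPolicy", "CreateAccessKey", "CreateUser"}),
    ("failed-api-call", lambda r: "errorCode" in r),
]


def load_records(raw):
    """Return the Records list from log bytes, gzip-compressed (as CloudTrail
    delivers them to S3) or plain JSON."""
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    return json.loads(raw)["Records"]


def summarize(record):
    """Flatten one record into the fields an analyst reads first."""
    identity = record.get("userIdentity", {})
    return {
        "time": record.get("eventTime"),
        "actor": identity.get("arn") or identity.get("type"),
        "event": f"{record.get('eventSource')}:{record.get('eventName')}",
        "source_ip": record.get("sourceIPAddress"),
        "error": record.get("errorCode"),
    }


def triage(records):
    """Return (findings, actor_counts): flagged records with the rules they
    matched, plus API-call volume per actor for spotting unusual activity."""
    findings = []
    actor_counts = Counter()
    for record in records:
        summary = summarize(record)
        actor_counts[summary["actor"]] += 1
        hits = [name for name, check in DETECTIONS if check(record)]
        if hits:
            findings.append({**summary, "detections": hits})
    return findings, actor_counts


def _record(user, event_source, event_name, **extra):
    """Build a constructed record in the CloudTrail shape."""
    base = {
        "eventVersion": "1.08",
        "userIdentity": user,
        "eventTime": "2024-01-15T12:00:00Z",
        "eventSource": event_source,
        "eventName": event_name,
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.1",
        "eventType": "AwsApiCall",
        "recipientAccountId": "123456789012",
    }
    base.update(extra)
    return base


ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
         "accountId": "123456789012", "userName": "alice"}
BOB = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob",
       "accountId": "123456789012", "userName": "bob"}
ROOT = {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
        "accountId": "123456789012"}

# Constructed log file (not a real capture).
SAMPLE_LOG = json.dumps({"Records": [
    _record(ALICE, "ec2.amazonaws.com", "StartInstances"),
    _record(ROOT, "signin.amazonaws.com", "ConsoleLogin", eventType="AwsConsoleSignIn"),
    _record(BOB, "cloudtrail.amazonaws.com", "StopLogging"),
    _record(ALICE, "iam.amazonaws.com", "AttachRolePolicy", errorCode="AccessDenied"),
]}).encode()

if __name__ == "__main__":
    found, volume = triage(load_records(SAMPLE_LOG))
    for f in found:
        print(f"{f['time']} {f['actor']} {f['event']} -> {', '.join(f['detections'])}")
    print("API calls per actor:", dict(volume))
```

The per-actor counter is the crude version of what CloudTrail Insights does for you: a sudden jump in calls from one principal is worth a look even when no individual record matches a rule.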
### CloudTrail CLI Commands

```bash
# Create trail (log file validation is what lets you prove logs were not altered)
aws cloudtrail create-trail \
  --name my-trail \
  --s3-bucket-name my-cloudtrail-logs \
  --include-global-service-events \
  --is-multi-region-trail \
  --enable-log-file-validation

# Start logging
aws cloudtrail start-logging \
  --name my-trail

# Get trail status
aws cloudtrail get-trail-status \
  --name my-trail

# List trails
aws cloudtrail describe-trails

# Get event selectors
aws cloudtrail get-event-selectors \
  --trail-name my-trail

# Put event selectors (for data events)
aws cloudtrail put-event-selectors \
  --trail-name my-trail \
  --event-selectors '[{"ReadWriteType":"All","IncludeManagementEvents":true,"DataResources":[{"Type":"AWS::S3::Object","Values":["arn:aws:s3:::my-bucket/"]}]}]'

# Look up events
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=Username,AttributeValue=alice \
  --start-time 2024-01-01T00:00:00Z \
  --end-time 2024-01-31T23:59:59Z

# Enable insights
aws cloudtrail put-insight-selectors \
  --trail-name my-trail \
  --insight-selectors '[{"InsightType":"ApiCallRateInsight"}]'
```
## 30.6 Additional Governance Services
### AWS Trusted Advisor

Trusted Advisor checks fall into five categories:

**Cost optimization**

- Idle resources
- Unassociated Elastic IP addresses
- Underutilized EBS volumes
- Reserved Instance recommendations

**Security**

- MFA on root account
- Security group settings
- IAM password policy
- SSL certificate expiration

**Fault tolerance**

- Auto Scaling health checks
- Multi-AZ RDS deployments
- Load balancer health checks
- VPC VPN tunnel redundancy

**Performance**

- High utilization EC2 instances
- EBS volume performance
- CloudFront optimization

**Service limits**

- Resource limit monitoring
- Usage percentage alerts
### AWS Well-Architected Tool

The tool reviews workloads against the six Well-Architected pillars:

1. Operational Excellence: run and monitor systems, continuous improvement
2. Security: protect data and systems, risk assessment
3. Reliability: recovery from failures, mitigate disruptions
4. Performance Efficiency: efficient resource utilization, scalability
5. Cost Optimization: avoid unnecessary costs, resource optimization
6. Sustainability: environmental impact, resource efficiency
## 30.7 Compliance Best Practices
### Multi-Account Compliance

```text
Multi-Account Compliance Strategy

   Organization-Level Controls
   +------------------+        +------------------+
   |   AWS Config     |        |  Security Hub    |
   |   Aggregator     |        |   Aggregator     |
   +------------------+        +------------------+
             |                           |
             +-------------+-------------+
                           |
                           v
   +------------------------------------------------+
   | Management Account                             |
   | - Central compliance dashboard                 |
   | - Cross-account reporting                      |
   | - Organization-wide policies                   |
   +------------------------------------------------+
                           |
             +-------------+-------------+
             |             |             |
             v             v             v
        +----------+  +----------+  +----------+
        |   Prod   |  |   Dev    |  | Security |
        |  Account |  |  Account |  |  Account |
        +----------+  +----------+  +----------+
```
### Compliance Checklist

**Logging & monitoring**

- [ ] CloudTrail enabled in all regions
- [ ] CloudTrail data events for sensitive resources
- [ ] CloudTrail logs encrypted and validated
- [ ] Config enabled for all resources
- [ ] CloudWatch alarms for security events

**Access control**

- [ ] MFA enabled for all IAM users
- [ ] Root account MFA enabled
- [ ] Root account access keys removed
- [ ] IAM password policy enforced
- [ ] Least privilege access implemented

**Data protection**

- [ ] S3 bucket encryption enabled
- [ ] EBS volume encryption enabled
- [ ] RDS encryption enabled
- [ ] KMS keys rotated
- [ ] Secrets encrypted in transit and at rest

**Network security**

- [ ] VPC flow logs enabled
- [ ] Security groups restricted
- [ ] Network ACLs configured
- [ ] WAF enabled for web applications
- [ ] Shield Advanced for critical apps
## 30.8 Why This Matters in DevOps/SRE

Compliance is not optional — it’s a business requirement. SREs build compliance-as-code: automated evidence collection, continuous configuration monitoring, and proactive remediation. Understanding Config rules, CloudTrail analysis, and Audit Manager assessments is essential for passing audits efficiently and maintaining continuous compliance.
## 30.9 Linux Systems Perspective
### Compliance Operations from Arch Linux

```bash
# Install tools
sudo pacman -S aws-cli-v2 jq
```

```bash
#!/bin/bash
# ~/bin/compliance-status.sh
# === Compliance Dashboard ===
echo "=== AWS Config Compliance Summary ==="
aws configservice get-compliance-summary-by-config-rule \
  --output table

echo ""
echo "=== Non-Compliant Rules ==="
aws configservice describe-compliance-by-config-rule \
  --compliance-types NON_COMPLIANT \
  --query 'ComplianceByConfigRules[*].{Rule:ConfigRuleName,Status:Compliance.ComplianceType}' \
  --output table

echo ""
echo "=== CloudTrail Status ==="
for TRAIL in $(aws cloudtrail describe-trails --query 'trailList[*].Name' --output text); do
  STATUS=$(aws cloudtrail get-trail-status --name "$TRAIL" \
    --query '{Logging:IsLogging,LastDelivery:LatestDeliveryTime}' --output json)
  echo "$TRAIL: $STATUS"
done
```

```bash
#!/bin/bash
# ~/bin/who-did-what.sh <username> <hours-ago>
# === CloudTrail forensics: who did what? ===
TARGET_USER="$1"   # not USER, which would clobber the shell's own variable
HOURS="${2:-24}"
[ -n "$TARGET_USER" ] || { echo "usage: $0 <username> [hours-ago]" >&2; exit 1; }
START=$(date -d "${HOURS} hours ago" -u +%Y-%m-%dT%H:%M:%SZ)

aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=Username,AttributeValue="$TARGET_USER" \
  --start-time "$START" \
  --query 'Events[*].{Time:EventTime,Event:EventName,Source:EventSource}' \
  --output table
```

```bash
#!/bin/bash
# ~/bin/compliance-report.sh
# === Config rule compliance report ===
REPORT=/tmp/compliance-report.txt
echo "Compliance Report - $(date)" > "$REPORT"
echo "================================" >> "$REPORT"

for RULE in $(aws configservice describe-config-rules \
    --query 'ConfigRules[*].ConfigRuleName' --output text); do
  COUNT=$(aws configservice get-compliance-details-by-config-rule \
    --config-rule-name "$RULE" --compliance-types NON_COMPLIANT \
    --query 'EvaluationResults | length(@)' --output text)
  echo "$RULE: $COUNT non-compliant resources" >> "$REPORT"
done

cat "$REPORT"
```
## 30.10 Common Mistakes & Anti-Patterns

| Anti-Pattern | Best Practice |
|---|---|
| ❌ CloudTrail in single region | ✅ Multi-region trail with org-wide logging |
| ❌ Config not recording all resource types | ✅ Record all resource types, including global resources |
| ❌ Manual compliance evidence | ✅ Use Audit Manager for automated evidence collection |
| ❌ No log file validation | ✅ Enable CloudTrail log file integrity validation |
| ❌ Reactive compliance only | ✅ Config auto-remediation for continuous compliance |
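Log file integrity validation, which the table above and the "CloudTrail logs encrypted and validated" checklist item both call for, works by having CloudTrail write hourly digest files that record the SHA-256 of every delivered log file and the hash of the previous digest, forming a chain. As an added example (not from the chapter, and not AWS's validator), the following code walks such a chain and checks every hash. The digest and log objects are constructed in memory; the field names follow the CloudTrail digest file format (`logFiles[].s3Object`, `hashValue`, `hashAlgorithm`, `previousDigestS3Object`, `previousDigestHashValue`), and the RSA signature check that `aws cloudtrail validate-logs` also performs on each digest is deliberately left out.

```python
"""Walk a chain of CloudTrail digest files and verify log-file hashes.

Added example, not the chapter's code and not a replacement for
`aws cloudtrail validate-logs` (which additionally verifies each digest's
RSA signature against CloudTrail's published public keys).  Hashes are
computed over the objects exactly as stored in S3, i.e. gzip-compressed.
"""
import gzip
import hashlib
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_chain(digest_keys, objects):
    """Verify digests in chronological order (oldest first).

    objects maps S3 key -> raw stored bytes for both digests and log files.
    Returns a list of problems; an empty list means every hash matched.
    """
    problems = []
    previous_key = None
    for key in digest_keys:
        raw = objects[key]
        digest = json.loads(gzip.decompress(raw))
        # Chain link: this digest must name the previous one and carry its hash.
        if previous_key is not None:
            if digest.get("previousDigestS3Object") != previous_key:
                problems.append(f"{key}: does not reference previous digest {previous_key}")
            elif digest.get("previousDigestHashValue") != sha256_hex(objects[previous_key]):
                problems.append(f"{key}: previous digest hash mismatch")
        # Every log file listed in the digest must hash to the recorded value.
        for entry in digest.get("logFiles", []):
            log_key = entry["s3Object"]
            if log_key not in objects:
                problems.append(f"{log_key}: log file missing")
            elif entry.get("hashAlgorithm") != "SHA-256":
                problems.append(f"{log_key}: unexpected hash algorithm")
            elif sha256_hex(objects[log_key]) != entry["hashValue"]:
                problems.append(f"{log_key}: log file hash mismatch (modified after delivery?)")
        previous_key = key
    return problems


def _gz_json(obj):
    return gzip.compress(json.dumps(obj, sort_keys=True).encode())


def build_sample_store(tamper=False):
    """Construct one log file and two chained digests (constructed data).

    With tamper=True the stored log file is replaced after the digest was
    written, which is the case validation exists to detect.
    """
    prefix = "AWSLogs/123456789012/CloudTrail"
    log_key = f"{prefix}/us-east-1/2024/01/15/log-0001.json.gz"
    d1_key = f"{prefix}-Digest/us-east-1/2024/01/15/digest-0000.json.gz"
    d2_key = f"{prefix}-Digest/us-east-1/2024/01/15/digest-0100.json.gz"

    log_bytes = _gz_json({"Records": [{"eventName": "StartInstances"}]})
    digest1 = _gz_json({"awsAccountId": "123456789012", "logFiles": [],
                        "previousDigestS3Object": None,
                        "previousDigestHashValue": None})
    digest2 = _gz_json({"awsAccountId": "123456789012",
                        "logFiles": [{"s3Object": log_key,
                                      "hashAlgorithm": "SHA-256",
                                      "hashValue": sha256_hex(log_bytes)}],
                        "previousDigestS3Object": d1_key,
                        "previousDigestHashValue": sha256_hex(digest1)})
    if tamper:
        log_bytes = _gz_json({"Records": []})  # an event quietly removed
    return [d1_key, d2_key], {log_key: log_bytes, d1_key: digest1, d2_key: digest2}


if __name__ == "__main__":
    for tamper in (False, True):
        keys, store = build_sample_store(tamper=tamper)
        print("tampered" if tamper else "intact", "->", verify_chain(keys, store) or "OK")
```

Because each digest carries the hash of its predecessor, deleting or rewriting a digest breaks the link for the next one; an attacker who can alter logs after delivery therefore also has to forge every later digest, and the signature check (omitted here) is what makes that infeasible.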
## 30.11 Interview Questions

- **Q: How would you design a compliance monitoring system for a multi-account AWS environment?**

  A: (1) Organization-wide CloudTrail with trail in management account → S3 bucket in Log Archive account, (2) AWS Config aggregator in Security account collecting from all member accounts, (3) Config rules for each compliance requirement (encryption, public access, tagging), (4) Auto-remediation via SSM Automation for critical violations, (5) Security Hub aggregating findings cross-account, (6) Audit Manager with CIS/PCI frameworks for audit readiness, (7) Dashboard via CloudWatch or QuickSight for executive reporting.

- **Q: CloudTrail management events vs data events — when do you enable data events?**

  A: Management events are always on (API calls like CreateBucket, RunInstances). Data events are for object-level operations (GetObject, PutItem) — higher volume and cost. Enable data events selectively for: (1) S3 buckets with sensitive data (PII, PHI, financial), (2) Lambda functions handling critical business logic, (3) DynamoDB tables with audit requirements. Use advanced event selectors to filter by read/write type and specific resources to control costs.
## 30.12 Exam Tips
Key exam points:

1. Audit Manager automates evidence collection for audits
2. Artifact provides compliance reports (SOC, PCI, ISO, etc.)
3. Config tracks resource configuration changes
4. Config rules can be managed or custom (Lambda)
5. Config remediation uses SSM Automation documents
6. CloudTrail logs API calls (management and data events)
7. CloudTrail Insights detects anomalous API activity
8. Trusted Advisor provides optimization recommendations
9. Well-Architected Tool has 6 pillars
10. Config aggregator enables multi-account compliance
## 30.13 Summary

**AWS Audit Manager**

- Automated audit evidence collection
- Prebuilt compliance frameworks
- Custom controls and assessments
- Assessment reports

**AWS Artifact**

- Compliance reports (SOC, PCI, ISO)
- Agreements (BAA, DPA)
- Self-service access

**AWS Config**

- Resource configuration tracking
- Compliance rules
- Automated remediation
- Multi-account aggregation

**AWS CloudTrail**

- API call logging
- Management and data events
- Insights for anomaly detection
- Cross-account trails
Last Updated: March 2026