SaveMyCert
Log in
5 of 5 free questions left today·for unlimited practice
Security and Compliance

AWS Security, Governance, and Compliance Concepts for CLF-C02

15 min readCLF-C02 · Security and ComplianceUpdated

AWS compliance questions on the CLF-C02 exam come down to matching a need to a service: download a PCI or SOC report (AWS Artifact), detect threats from account activity (Amazon GuardDuty), scan workloads for vulnerabilities (Amazon Inspector), aggregate findings into one dashboard (AWS Security Hub), absorb DDoS attacks (AWS Shield), record every API call (AWS CloudTrail), track resource configuration changes (AWS Config), monitor performance (Amazon CloudWatch), and automate audit evidence collection (AWS Audit Manager). This lesson covers the full Task 2.2 scope: where compliance information lives, why requirements differ across geographies and industries, encryption at rest versus in transit, where security logs are captured and stored, and how the governance services divide the work. You will finish able to separate the classic exam traps — GuardDuty vs Inspector, CloudTrail vs CloudWatch vs Config, and Audit Manager vs Artifact — with confidence.

What you’ll learn
  • Identify AWS Artifact as the self-service portal for AWS compliance reports and agreements
  • Explain why compliance requirements vary by geography, industry, and individual AWS service
  • Distinguish encryption at rest from encryption in transit and name the services behind each
  • Locate the main AWS security logs (CloudTrail, VPC Flow Logs, S3 access logs) and where they are stored
  • Match Amazon Inspector, AWS Security Hub, Amazon GuardDuty, and AWS Shield to the security need each addresses
  • Differentiate CloudWatch, CloudTrail, AWS Config, and AWS Audit Manager by the governance question each answers

Where compliance information lives: AWS Artifact

When an auditor, regulator, or customer asks you to prove that AWS infrastructure meets a compliance standard, you do not open a support ticket or email an account manager. You open AWS Artifact — the self-service, no-cost portal in the AWS Management Console where AWS publishes its own compliance documentation. Artifact has two parts. Artifact Reports gives you on-demand downloads of third-party audit reports covering AWS itself, such as SOC 1, SOC 2, and SOC 3 reports, PCI DSS attestations, and ISO 27001 certifications. Artifact Agreements lets you review, accept, and manage legal agreements with AWS, such as the Business Associate Addendum (BAA) that organizations handling US healthcare data must have in place before processing protected health information on AWS.

The key mental model: Artifact contains AWS's compliance evidence, not yours. It proves that the cloud provider's side of the infrastructure has been audited. Demonstrating that your workloads are compliant is your job, and different services (covered later in this lesson) help you do it.

Beyond Artifact, AWS publishes public compliance information on its compliance programs pages, which list every assurance program AWS participates in and which services are in scope for each. For the exam, though, the trigger is simple: any question that mentions "download compliance reports," "SOC report," "PCI attestation," or "agreements with AWS" points at AWS Artifact. It requires no configuration, no infrastructure, and no charge — it is a document portal, not a monitoring tool.

Compliance varies by geography, industry, and service

There is no single global compliance checklist. The rules your workload must satisfy depend on where you operate, what industry you are in, and which AWS services you use — and CLF-C02 expects you to recognize all three dimensions.

Geography. Many jurisdictions impose data residency or data protection rules that dictate where personal data may be stored and processed. The European Union's GDPR is the best-known example of a regional data protection regime; other countries have their own residency laws. AWS supports these needs through its Region model: data you place in a Region stays in that Region unless you deliberately move it, so you can choose Regions that satisfy residency requirements. Some markets go further with dedicated infrastructure — for example, AWS GovCloud (US) serves US government workloads with stricter access controls.

Industry. Regulated industries add their own frameworks: healthcare organizations in the US work under HIPAA, payment-card processors must meet PCI DSS, and public-sector workloads may require FedRAMP authorization. Your industry determines which reports you will pull from Artifact and which controls you must implement yourself.

Service. Compliance also varies among AWS services. Not every service is in scope for every program — AWS maintains "services in scope" lists per compliance program, and a HIPAA-eligible architecture must use only HIPAA-eligible services for protected data. On the exam, if a question asks why two customers have different compliance obligations, the answer almost always involves their location, their industry, or the specific services they chose — not the size of their AWS bill.

Encryption at rest vs encryption in transit

Encryption is the exam's favorite example of a cloud security benefit, and CLF-C02 tests it as a classification exercise: given a scenario, decide whether it describes encryption at rest or encryption in transit.

Encryption at rest protects data that is stored — sitting on a disk, in an object store, or in a database. If someone obtained the underlying storage media, the data would be unreadable without the keys. On AWS, at-rest encryption is delivered through deep integration with AWS Key Management Service (KMS): Amazon S3 buckets, Amazon EBS volumes, Amazon RDS databases, and DynamoDB tables can all encrypt stored data with KMS-managed keys, often enabled with a single setting. For hardware-backed, single-tenant key storage that meets stringent regulatory requirements, AWS CloudHSM provides dedicated hardware security modules.

Encryption in transit protects data while it moves — between a client and an AWS endpoint, between services, or between Regions. The standard mechanism is TLS (the protocol behind HTTPS). AWS Certificate Manager (ACM) provisions and automatically renews the TLS certificates that services like Elastic Load Balancing and Amazon CloudFront use to terminate encrypted connections. AWS service API endpoints themselves accept TLS connections, so calls to AWS are encrypted on the wire.

The classification rule is mechanical: stored data (S3 object, EBS snapshot, database backup) is at rest and pairs with KMS; moving data (user to website, application to API) is in transit and pairs with TLS/ACM/HTTPS. A well-secured workload uses both — they are complementary, not alternatives.

Where security logs are captured and stored

Task 2.2 explicitly asks where to capture and locate cloud security logs. Know the main log sources, what each records, and where the log data ends up.

  • AWS CloudTrail logs record API activity across your account — every console action, CLI command, and SDK call. CloudTrail events are viewable in the CloudTrail console (recent event history) and, when you create a trail, delivered durably to an Amazon S3 bucket, optionally also to CloudWatch Logs for alerting.
  • VPC Flow Logs capture metadata about network traffic to and from network interfaces in your VPC — source, destination, ports, and whether traffic was accepted or rejected. Flow logs publish to CloudWatch Logs or Amazon S3.
  • Amazon S3 server access logs record requests made to an S3 bucket — who requested which object and when. They are delivered to another S3 bucket you designate.
  • Amazon CloudWatch Logs is the general-purpose log aggregation service: applications, AWS services, and the logs above can stream into it for search, retention, metric filters, and alarms.

Notice the pattern: Amazon S3 and CloudWatch Logs are the two destinations where security log data typically lands. S3 provides cheap, durable long-term retention (auditors love an immutable archive); CloudWatch Logs provides live analysis and alerting. This pattern also explains how detection works downstream: Amazon GuardDuty, covered next, analyzes CloudTrail events, VPC Flow Logs, and DNS query logs as its raw material for finding threats. Logging is the foundation — without captured logs there is nothing to monitor, audit, or investigate.

Securing resources: GuardDuty, Inspector, Security Hub, and Shield

Four services carry most of the "how do customers secure resources on AWS" weight in this task. Each answers a different question, and the exam tests whether you can keep them apart.

Amazon GuardDuty — intelligent threat detection. GuardDuty continuously analyzes account and network activity — CloudTrail events, VPC Flow Logs, and DNS query logs — using machine learning and threat intelligence to detect active threats: compromised credentials, an EC2 instance communicating with a known malicious IP, cryptocurrency-mining behavior, or unusual API calls. You enable it with a few clicks; there are no agents to install and nothing to deploy. Trigger phrases: "threat detection," "malicious activity," "compromised account," "analyzes logs."

Amazon Inspector — automated vulnerability management. Inspector scans your workloads — EC2 instances, container images in Amazon ECR, and Lambda functions — for software vulnerabilities (known CVEs) and unintended network exposure, then prioritizes findings by risk. Where GuardDuty watches for attacks happening now, Inspector finds the weaknesses an attacker could exploit later. Trigger phrases: "vulnerability scanning," "CVEs," "assess EC2 instances," "unintended network exposure."

AWS Security Hub — the aggregator. Security Hub does not detect anything by itself. It collects findings from GuardDuty, Inspector, Amazon Macie, and partner tools into a single dashboard, runs automated checks against security best-practice standards, and gives you one consolidated view of your security posture across accounts. Trigger phrases: "single pane of glass," "aggregate security findings," "security posture dashboard."

AWS Shield — DDoS protection. Shield defends against distributed denial-of-service attacks. Shield Standard is automatic and free for every AWS customer, protecting against the most common network- and transport-layer attacks. Shield Advanced is a paid tier adding protection against larger, more sophisticated attacks, near-real-time attack visibility, cost protection for scaling caused by an attack, and access to the AWS Shield Response Team. Trigger phrase: "DDoS." (Layer-7 request filtering belongs to AWS WAF, a Task 2.4 topic.)

Governance and auditing: CloudWatch, CloudTrail, Config, and Audit Manager

Governance services answer accountability questions rather than attack questions. Four services matter here, and each owns a distinct question.

Amazon CloudWatch — "how is it performing?" CloudWatch is the monitoring and observability service: it collects metrics (CPU utilization, request counts, latency), stores logs (CloudWatch Logs), and fires alarms that notify you or trigger automated actions when a threshold is crossed. CloudWatch tells you about the health and performance of resources — it does not tell you who changed them.

AWS CloudTrail — "who did what, when, and from where?" CloudTrail records API calls and account activity as events: the identity that made the call, the time, the source IP address, and the parameters. It is the audit trail for actions. If a security group was deleted at 2 a.m. and you need to know which user or role did it, CloudTrail is the only correct answer.

AWS Config — "what does my resource look like, and what did it look like before?" Config records the configuration state of your resources over time and evaluates them against rules you define. It can show a resource's full configuration history and flag noncompliant states — for example, alerting whenever an S3 bucket allows public access or an EBS volume is unencrypted. CloudTrail records the action; Config records the resulting state and judges it against policy.

AWS Audit Manager — "assemble my audit evidence." Audit Manager continuously and automatically collects evidence from your AWS usage and maps it to prebuilt or custom control frameworks (such as PCI DSS or GDPR-aligned frameworks), producing audit-ready assessment reports. It automates the tedious evidence-gathering phase of your audits — which is exactly what distinguishes it from Artifact, where you download AWS's completed audit reports.

One more reporting item in this task: IAM provides access reports such as the credential report and last-accessed information, which help you review who has access and what they actually use — useful evidence for governance reviews. (Managing that access is Task 2.3.)

Service comparison table and the classic exam confusions

Most Task 2.2 questions reduce to a one-line service match. Learn this table cold.

ServiceWhat it doesExam trigger phrase
AWS ArtifactSelf-service downloads of AWS's compliance reports (SOC, PCI, ISO) and agreements (e.g., BAA)"Download compliance reports"
Amazon GuardDutyIntelligent threat detection from CloudTrail, VPC Flow Logs, and DNS logs"Detect malicious activity / compromised accounts"
Amazon InspectorAutomated vulnerability scanning of workloads (EC2, ECR images, Lambda)"Scan for vulnerabilities / CVEs"
AWS Security HubAggregates findings from other tools; security posture dashboard and standards checks"Single view of security alerts"
AWS ShieldDDoS protection — Standard (free, automatic) and Advanced (paid, with response team)"Protect against DDoS"
Amazon CloudWatchMetrics, logs, dashboards, and alarms for resource monitoring"Monitor performance / set an alarm"
AWS CloudTrailRecords API calls and account activity for auditing"Who did what, when, from where"
AWS ConfigResource configuration history and compliance evaluation against rules"Track configuration changes / detect noncompliant settings"
AWS Audit ManagerContinuously collects your evidence and automates audit preparation against frameworks"Automate audit evidence collection"
AWS KMSCreate and manage encryption keys; powers encryption at rest across services"Encrypt stored data / manage keys"
AWS Certificate ManagerProvision and auto-renew TLS certificates; powers encryption in transit"HTTPS / TLS certificates"

Now the four confusions the exam loves:

  • CloudTrail vs CloudWatch vs Config: CloudTrail = who did it (API activity). CloudWatch = how is it performing (metrics and alarms). Config = what does or did it look like (configuration state and history).
  • GuardDuty vs Inspector: GuardDuty detects threats by analyzing activity logs; Inspector finds vulnerabilities by scanning the workloads themselves.
  • Security Hub vs GuardDuty: GuardDuty is a detector that produces findings; Security Hub is the aggregator that collects findings from many detectors into one dashboard.
  • Audit Manager vs Artifact: Audit Manager gathers evidence about your environment for your audits; Artifact hands you AWS's own audit reports about the underlying cloud.

Scenario: a payments startup prepares for its first audit

A payments startup running on AWS must demonstrate PCI DSS compliance to a banking partner. Walk through how the services in this task divide the work.

First, the bank asks for proof that AWS's infrastructure is PCI-compliant. The startup's engineer signs in to the console, opens AWS Artifact, and downloads the AWS PCI DSS attestation — no ticket, no waiting. Next, the auditors need evidence about the startup's own controls, so the team enables AWS Audit Manager with its PCI DSS framework; it begins continuously collecting evidence from their account automatically.

For technical controls: cardholder data in Amazon S3 and Amazon RDS is encrypted at rest with AWS KMS keys, and the public API sits behind a load balancer serving HTTPS with a certificate from AWS Certificate Manager — encryption in transit. AWS Config rules flag any bucket that becomes public or volume left unencrypted, and AWS CloudTrail delivers a complete API history to an S3 bucket so every administrative action is attributable.

For ongoing defense, Amazon GuardDuty watches CloudTrail, VPC Flow Logs, and DNS logs for threats; Amazon Inspector scans the EC2 fleet and container images for unpatched CVEs; AWS Security Hub pulls all of those findings into one dashboard the team reviews each morning; and AWS Shield Standard is already absorbing common DDoS attacks at no cost. Every exam question in this task is a fragment of a story like this one — identify which sentence of the story the question is asking about, and the service names itself.

Tip. CLF-C02 tests this task almost entirely through service matching: given a one-line need, pick the service — threat detection from log analysis maps to GuardDuty, vulnerability scanning of EC2 or container images to Inspector, aggregated security findings to Security Hub, DDoS protection to Shield, downloading AWS compliance reports to Artifact, recording API calls to CloudTrail, resource configuration history and rules to Config, performance monitoring and alarms to CloudWatch, and automated audit evidence collection to Audit Manager. Expect classification items on encryption — stored data means at rest (KMS), moving data means in transit (TLS/ACM). A few questions probe concepts rather than services: why compliance obligations differ by Region or industry, and where security logs such as CloudTrail events and VPC Flow Logs are delivered (S3 and CloudWatch Logs).

Key takeaways
  • AWS Artifact = self-service download of AWS's compliance reports (SOC, PCI, ISO) and agreements — free, no configuration.
  • Compliance requirements vary by geography (data residency, GDPR-style laws), industry (HIPAA, PCI DSS), and even by AWS service (services-in-scope lists).
  • Encryption at rest protects stored data (KMS-integrated); encryption in transit protects moving data (TLS certificates via ACM).
  • Security logs — CloudTrail events, VPC Flow Logs, S3 access logs — are typically delivered to Amazon S3 and/or CloudWatch Logs.
  • GuardDuty detects threats by analyzing logs; Inspector scans workloads for vulnerabilities; Security Hub aggregates findings; Shield stops DDoS (Standard free, Advanced paid).
  • CloudTrail answers "who did what, when, from where"; CloudWatch answers "how is it performing"; Config answers "what does/did the resource configuration look like."
  • AWS Audit Manager automates collecting YOUR audit evidence against frameworks; Artifact provides AWS'S completed audit reports — never confuse the two.

Frequently asked questions

Where do I find AWS compliance reports like SOC 2 and PCI DSS?

Use AWS Artifact, a free self-service portal in the AWS Management Console. Artifact Reports provides on-demand downloads of third-party audit reports covering AWS infrastructure, including SOC 1/2/3 reports, PCI DSS attestations, and ISO certifications. Artifact Agreements lets you review and accept legal agreements with AWS, such as the Business Associate Addendum for HIPAA workloads. Remember that Artifact documents AWS's compliance, not your own — proving your workloads are compliant is your responsibility, aided by services like AWS Audit Manager and AWS Config.

What is the difference between GuardDuty and Inspector?

Amazon GuardDuty is a threat detection service: it analyzes CloudTrail events, VPC Flow Logs, and DNS query logs with machine learning and threat intelligence to spot active malicious behavior, such as compromised credentials or an instance contacting a known bad IP. Amazon Inspector is a vulnerability management service: it scans your workloads — EC2 instances, container images in ECR, and Lambda functions — for software vulnerabilities (CVEs) and unintended network exposure. In short, GuardDuty finds attacks happening now; Inspector finds weaknesses an attacker could exploit later.

What is the difference between CloudTrail and CloudWatch?

AWS CloudTrail is an auditing service that records API calls and account activity — which identity did what, when, and from which IP address. Amazon CloudWatch is a monitoring service that collects metrics, logs, and alarms about how resources are performing — CPU utilization, latency, error rates. Use CloudTrail to investigate who deleted a resource; use CloudWatch to get alerted when an instance's CPU spikes. Add AWS Config for the third angle: it records what a resource's configuration looks like over time and evaluates it against compliance rules.

Is AWS Shield free?

Partly. AWS Shield Standard is free and automatically enabled for every AWS customer, protecting against the most common network- and transport-layer DDoS attacks with no setup. AWS Shield Advanced is a paid subscription that adds enhanced protection against larger and more sophisticated attacks, near-real-time attack visibility, cost protection for usage spikes caused by attacks, and access to the AWS Shield Response Team. For the CLF-C02 exam, remember the pairing: Standard = free and automatic, Advanced = paid with extra protections and support.

What is encryption at rest vs encryption in transit in AWS?

Encryption at rest protects data while it is stored — objects in S3, EBS volumes, RDS databases — so the data is unreadable without the keys even if the storage is accessed directly; AWS services implement it through integration with AWS Key Management Service (KMS). Encryption in transit protects data while it moves across networks — between users and your application or between services — using TLS/HTTPS, with certificates provisioned and renewed by AWS Certificate Manager. Secure architectures use both together, and CLF-C02 questions typically ask you to classify a scenario as one or the other.

What does AWS Audit Manager do?

AWS Audit Manager continuously and automatically collects evidence from your AWS accounts and maps it to controls in prebuilt or custom frameworks, such as PCI DSS or GDPR-aligned frameworks, producing audit-ready assessment reports. It automates the manual evidence-gathering work of preparing for your organization's audits. It is frequently confused with AWS Artifact on the exam: Audit Manager collects evidence about your environment for your audits, while Artifact is where you download AWS's own completed compliance reports about the underlying infrastructure.

Test yourself on this topic
Practice questions with full explanations.
Practice now

Sign up free to mark lessons complete, bookmark topics and track your exam readiness.