Compliance Frameworks, Organizations & Security Hub
Difficulty: hard
Overview
AWS provides services to manage compliance across multi-account environments.
AWS Security Hub:
- Centralized security findings dashboard across accounts/regions
- Ingests findings from: GuardDuty, Inspector, Macie, Config, IAM Access Analyzer, Firewall Manager
- Security Standards: CIS AWS Foundations Benchmark, AWS Foundational Security Best Practices, PCI-DSS, NIST 800-53
- Finding format: AWS Security Finding Format (ASFF) — normalized JSON
- Cross-region aggregation: designate one aggregation region; findings from the linked regions are replicated there so they can be viewed and searched in one place
- Cross-account: designate a delegated administrator account through Organizations (invitation-based membership also works without Organizations); the administrator sees every member's findings, members see only their own
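Pushing a scanner's own results into Security Hub means producing ASFF JSON and sending it through BatchImportFindings. The following is an added example (not code from the page or from AWS) of what such an integration does before the API call: it builds a finding, checks the fields ASFF requires, chunks a result set to the 100-findings-per-call limit and tallies by severity. The account ID, region, resource ARNs and the generator name are placeholders chosen for the example.

```python
"""Custom Security Hub findings in ASFF (added example, not from the page).

A scanner integration that pushes its own results into Security Hub calls
BatchImportFindings with ASFF JSON. This module builds such a finding, checks
the fields ASFF requires, splits a result set to the 100-findings-per-call
limit and tallies findings by severity. The account ID, region and resource
ARNs used are placeholders chosen for the example.
"""
import re
from datetime import datetime, timezone
from typing import Iterator

# Fields every ASFF finding must carry; BatchImportFindings rejects a finding without them.
ASFF_REQUIRED = (
    "SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId", "Types",
    "CreatedAt", "UpdatedAt", "Severity", "Title", "Description", "Resources",
)
SEVERITY_LABELS = ("INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL")
BATCH_LIMIT = 100  # maximum findings per BatchImportFindings call
_ISO8601_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")


def custom_product_arn(region: str, account_id: str) -> str:
    """ProductArn Security Hub expects for an account's own (custom) findings."""
    return f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default"


def make_finding(account_id, region, resource_arn, resource_type, title,
                 description, label, generator_id="custom-scanner", now=None):
    """Assemble an ASFF finding for one failed check on one resource."""
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    return {
        "SchemaVersion": "2018-10-08",
        # Id must be unique per ProductArn; re-importing the same Id updates the finding.
        "Id": f"{generator_id}/{account_id}/{resource_arn}",
        "ProductArn": custom_product_arn(region, account_id),
        "GeneratorId": generator_id,
        "AwsAccountId": account_id,
        "Types": ["Software and Configuration Checks/AWS Security Best Practices"],
        "CreatedAt": stamp,
        "UpdatedAt": stamp,
        "Severity": {"Label": label},
        "Title": title,
        "Description": description,
        "Resources": [{"Type": resource_type, "Id": resource_arn, "Region": region}],
        "Compliance": {"Status": "FAILED"},
        "Workflow": {"Status": "NEW"},
        "RecordState": "ACTIVE",
    }


def validate_finding(finding: dict) -> list[str]:
    """Return a list of problems; an empty list means the finding is importable."""
    problems = [f"missing {k}" for k in ASFF_REQUIRED if k not in finding]
    if "Severity" in finding and finding["Severity"].get("Label") not in SEVERITY_LABELS:
        problems.append("Severity.Label must be one of " + "/".join(SEVERITY_LABELS))
    for key in ("CreatedAt", "UpdatedAt"):
        if key in finding and not _ISO8601_UTC.match(str(finding[key])):
            problems.append(f"{key} must be an ISO 8601 UTC timestamp")
    if "Types" in finding and not finding["Types"]:
        problems.append("Types must be non-empty")
    if "Resources" in finding:
        if not finding["Resources"]:
            problems.append("Resources must be non-empty")
        for res in finding["Resources"]:
            if "Type" not in res or "Id" not in res:
                problems.append("each Resource needs Type and Id")
    return problems


def batches(findings: list[dict]) -> Iterator[list[dict]]:
    """Chunk findings for BatchImportFindings, which accepts at most 100 per call."""
    for start in range(0, len(findings), BATCH_LIMIT):
        yield findings[start:start + BATCH_LIMIT]


def severity_counts(findings: list[dict]) -> dict[str, int]:
    """Tally findings by severity label (what the Security Hub summary shows)."""
    counts = {label: 0 for label in SEVERITY_LABELS}
    for finding in findings:
        counts[finding["Severity"]["Label"]] += 1
    return counts


if __name__ == "__main__":
    f = make_finding("111122223333", "us-east-1", "arn:aws:s3:::example-bucket",
                     "AwsS3Bucket", "S3 bucket allows public read",
                     "Bucket policy grants s3:GetObject to everyone", "HIGH")
    print(validate_finding(f))  # empty list when the finding is importable
    # With boto3 the send step is: for batch in batches([f]):
    #     securityhub.batch_import_findings(Findings=batch)
```

Two points the code makes that the bullet list does not: the Id is the deduplication key (re-sending the same Id with a later UpdatedAt updates the existing finding rather than creating a second one), and the ProductArn for custom findings must be the importing account's own `product/<account-id>/default` ARN, which is why the builder derives it from the account rather than taking it as a parameter.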
AWS Audit Manager:
- Automates evidence collection for compliance audits (SOC 2, PCI-DSS, ISO 27001, HIPAA)
- Collects evidence from AWS Config rule evaluations, Security Hub findings, CloudTrail events and AWS API call results, and maps it to the controls of the chosen framework
- Generates assessment reports with evidence ready for auditors
AWS Organizations & SCPs:
- Management account: administers the Organization; SCPs do NOT apply to it, nor to service-linked roles. In member accounts they apply to every principal, including the root user
- SCPs never grant permissions; they cap what identity policies can grant. The effective cap is the intersection of every SCP level from the root down to the account, so a Deny-only SCP must sit alongside FullAWSAccess (or another Allow) at its level or it permits nothing
- Preventive guardrails (SCPs): block actions before they happen, regardless of the caller's IAM permissions
- Detective guardrails (Config rules): detect policy violations after the fact; they report, they do not block
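The preventive guardrail the notes describe is an SCP that denies the API calls which would turn logging off. Below is such a policy together with a small evaluator of how Organizations applies it, added here as an example and not code from the page or from AWS. The account IDs are placeholders, and the evaluator models only action matching and Effect; Condition and Resource elements are ignored, which is a simplification of real SCP evaluation.

```python
"""Preventive guardrail as an SCP, with a minimal evaluator.

Added example, not from the page or from AWS. The policy denies the calls
that disable CloudTrail or GuardDuty; the evaluator models the three SCP
rules that matter here: SCPs are never evaluated in the management account,
the SCPs attached at each level (root, OU, account) are evaluated together
and every level must permit the action, and a matching Deny always wins.
Account IDs are placeholders; Condition and Resource are not modelled.
"""
import re

MANAGEMENT_ACCOUNT = "111111111111"  # placeholder

# Attached to the root by default. Without an Allow like this at a level,
# an SCP made only of Deny statements permits nothing at all.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

PROTECT_LOGGING_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDisablingCloudTrail",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail",
                "cloudtrail:PutEventSelectors",
            ],
            "Resource": "*",
        },
        {
            "Sid": "DenyDisablingGuardDuty",
            "Effect": "Deny",
            "Action": [
                "guardduty:DeleteDetector",
                "guardduty:UpdateDetector",
                "guardduty:DisassociateFromMasterAccount",
                "guardduty:StopMonitoringMembers",
                "guardduty:DeleteMembers",
            ],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def level_permits(policies: list, action: str) -> bool:
    """SCPs attached at one level (root, OU or account) are evaluated together:
    the action needs at least one matching Allow and no matching Deny."""
    allowed = denied = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(action_matches(p, action) for p in _as_list(stmt["Action"])):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def is_action_permitted(account_id: str, action: str, levels: list,
                        identity_allows: bool = True) -> bool:
    """Final decision for a principal in account_id.

    levels is the list of SCP sets on the path root -> OU -> account;
    identity_allows is the IAM policy decision (True for an administrator).
    SCPs only ever cap that decision, and are skipped for the management account."""
    if account_id == MANAGEMENT_ACCOUNT:
        return identity_allows  # SCPs are not evaluated here
    if not all(level_permits(policies, action) for policies in levels):
        return False
    return identity_allows


if __name__ == "__main__":
    path = [[FULL_AWS_ACCESS, PROTECT_LOGGING_SCP], [FULL_AWS_ACCESS]]  # root, OU
    for account in ("222222222222", MANAGEMENT_ACCOUNT):
        for call in ("cloudtrail:StopLogging", "cloudtrail:DescribeTrails"):
            print(account, call, is_action_permitted(account, call, path))
```

The evaluator reproduces the two points the notes make: an AdministratorAccess user in a member account still cannot call cloudtrail:StopLogging, while the same user in the management account can, because the management account is outside SCP scope. It also reproduces the gotcha of removing FullAWSAccess from an OU that only carries a Deny-only policy, which blocks every action in that OU. To exempt a break-glass role from a real policy of this kind, a Condition on aws:PrincipalARN is used, which this simplified evaluator does not model.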
AWS Control Tower:
- Automated multi-account setup with best practices via the Landing Zone (management account plus Log Archive and Audit accounts, Security and Sandbox OUs)
- Guardrails (now called controls) by guidance:
- Mandatory: always on, cannot be disabled; mostly preventive SCPs
- Strongly recommended: optional, based on best practices; not enabled by default
- Elective: optional, for restrictions common in enterprise environments; enabled per OU
- Guardrail types by implementation:
- Preventive: SCPs that block non-compliant actions
- Detective: Config rules that report violations (do NOT block); the resource and account show as non-compliant in the Control Tower dashboard
- Proactive: CloudFormation hooks that reject non-compliant resources at deployment time
Shared Responsibility Model:
| AWS Responsible | Customer Responsible |
|---|---|
| Physical infrastructure, hardware | IAM users, roles, policies |
| Hypervisor, host OS | Guest OS patching (EC2) |
| Network infrastructure | Security group/NACL configuration |
| Managed service patching (RDS, Lambda) | Application-level encryption |
| Global network security | Data classification and encryption |
AWS Artifact: On-demand access to AWS compliance reports (SOC, PCI-DSS, ISO certifications).
Practice Linked Questions
Q1. What is the primary function of AWS Security Hub?
Q2. Under the AWS Shared Responsibility Model, which of the following is AWS's responsibility for an Amazon EC2 instance?
Q3. A company uses AWS Control Tower with a detective guardrail enabled in a member account. The guardrail detects that an S3 bucket in the member account has public access enabled. What is the EXPECTED behavior?
Q4. A company needs to demonstrate PCI-DSS compliance for their AWS workloads on an ongoing basis. Which combination of AWS services provides continuous compliance monitoring AND evidence collection for auditors?
Q5. A company wants to prevent ALL member accounts in their AWS Organization from ever disabling CloudTrail, including by administrators. Which control achieves this preventively?
Q6. AWS Security Hub consolidates findings from GuardDuty, Inspector, Macie, and Config. A security team wants all findings from 15 member accounts to appear in a SINGLE Security Hub console. What configuration is needed?
Q7. A company wants no AWS account in their Organization to EVER disable GuardDuty, even by administrators. CloudTrail must also always be enabled in all accounts. Which approach provides PREVENTIVE enforcement for both?