Security & Compliance

AWS Security & Compliance Guides

Curated guidance across compliance frameworks (HIPAA, SOC 2, PCI DSS), AWS-native security services (GuardDuty, Security Hub, Inspector, Security Lake), IAM, data protection, multi-account governance, and AI security. Written for CISOs, compliance leads, solutions architects, and platform engineers.

Last updated: April 2026 — currency review: Audit Manager closure, Security Hub Essentials pricing, Bedrock Automated Reasoning, KMS post-quantum, DORA, EU AI Act  ·  Reviewed by: FactualMinds AWS-certified architects (Solutions Architect – Professional)  ·  AWS Partner: Select Tier Consulting Partner

Why we publish this hub

Most AWS security and compliance content online is written by vendors selling a product or by analyst firms summarizing a framework. Both leave gaps. Vendors tell you what their product does — not whether AWS-native services already cover the same control. Analyst summaries tell you what auditors want — not how to actually implement the control on AWS without breaking your developers' workflow.

We publish these guides from inside the engagement. Every post here reflects work we have shipped — HIPAA telehealth platforms, PCI DSS 4.0.1 fintech migrations, SOC 2 readiness for SaaS startups, ISO 27001:2022 ISMS builds, and Bedrock Guardrails deployments for regulated AI workloads. Where AWS-native is enough, we say so. Where you need a third-party tool, we say that too — and we tell you why.

Curated for CISOs, compliance leads, security architects, and platform engineers who need an honest, applied reference rather than another vendor blog.

Browse by Subtopic

7 focused subtopic hubs, 39 production-grade guides

Each subtopic hub has its own URL, dedicated guides, and related services — built so you can link to the part of the cluster that matches your audit, threat model, or platform decision.

Compliance Frameworks

Framework-by-framework guidance — what auditors expect, what AWS provides, and what your team configures. (10 guides)

IAM & Access Control

Least-privilege patterns, workforce SSO with identity propagation, customer auth, and fine-grained Cedar-policy authorization. (4 guides)

Threat Detection & Response

Continuous monitoring, agentless vulnerability scanning, OCSF data lakes, forensic investigation, and automated remediation. (7 guides)

Data Security

Bucket-level controls, secret rotation, KMS post-quantum, Macie DSPM, and clean-room collaboration without raw-data sharing. (5 guides)

Network & Application Security

Layer-7 defenses, ZTNA for workforce apps, stateful L3-L7 firewalling, and production-grade VPC patterns. (5 guides)

Governance & Multi-Account

Org-wide guardrails, account isolation strategy, and continuous compliance monitoring as code. (6 guides)

AI Security

AI-specific risk: prompt injection, PII leakage, hallucinations, and compliant model deployment for regulated industries. (4 guides)

Featured Guides

One marquee guide per subtopic

The guides our clients most often cite when asked "send me one link to ground the conversation."

HIPAA on AWS: The Compliance Lead's Audit-Ready Checklist

An audit-prep checklist for Compliance Leads, Security Officers, and CISOs — BAA execution, documented Security Risk Assessments, workforce training, audit cadence, and the evidence packages OCR investigators expect when they show up.

AWS IAM Best Practices: Least Privilege Access Control

A practical guide to AWS IAM — least privilege policies, IAM roles vs users, permission boundaries, SCPs, identity federation, and the access control patterns that secure production workloads without slowing teams down.

AWS GuardDuty Threat Detection: A Production Setup Guide

How to deploy, tune, and operationalize Amazon GuardDuty for production threat detection — covering finding types, multi-account setup, automated response, and reducing false positives.

AWS S3 Security Best Practices: Preventing Data Exposure

A comprehensive guide to S3 security — bucket policies, encryption, access logging, Block Public Access, and the practices that prevent the data breaches that make headlines.

AWS WAF: Web Application Firewall Configuration for Production

A practical guide to AWS WAF for production web applications — managed rule groups, custom rules, rate limiting, bot control, and the layered defense strategy that protects without blocking legitimate traffic.

How to Set Up Amazon Bedrock Guardrails for Production

Amazon Bedrock Guardrails protect foundation models from harmful outputs — filtering on prompt injection, jailbreaks, toxicity, and PII. This guide covers setup, testing, cost optimization, and production safety patterns for GenAI applications.

Free Tools & Tag Archives

Self-serve assessments and broader content

Run a quick gap check, or browse the full security/compliance archive beyond this curated hub.

HIPAA Compliance Checker

15 questions across PHI controls, access management, audit logging, and encryption. Get a gap report before your auditor does.

Well-Architected Assessment

20 questions across the 6 AWS pillars including Security. Identify hidden risks across IAM, data protection, and incident response.

More Security Articles

Beyond the curated guides above — browse all posts tagged with security or compliance for long-tail topics.

Security Services

Engagements that put these guides into practice

Our writing reflects what we ship. When you're ready to apply this in your environment, we run the engagement end-to-end.

AWS Cloud Security

Vulnerability assessment, network review, IAM hardening, and continuous monitoring across your AWS environment.

Cloud Compliance Services

HIPAA, SOC 2, PCI DSS, ISO 27001, and GDPR readiness — gap assessment, control implementation, and audit evidence.

Managed SOC & MDR

24/7 managed detection and response on AWS-native tooling — GuardDuty, Security Hub, Security Lake, and automated containment runbooks.

AWS Penetration Testing

AWS-aware pen testing — IAM privilege escalation, S3 misconfiguration, IMDS exploitation, web app, API, and container testing.

Cyber-Led AI

AI-specific security readiness — IAM hardening for ML, SageMaker security, prompt-injection defense, and model governance.

Case Studies

Production-grade outcomes

Real engagements with measurable security and compliance results.

PCI DSS Fintech Migration in 12 Weeks

Payment processor moved to AWS with CDE scope reduced 70%, audit prep cut from 8 weeks to 4 days, and 12K+ malicious requests/day blocked via WAF.

HIPAA Telehealth Platform — Zero-Trust in 8 Weeks

Regional healthcare network deployed a HIPAA-compliant telehealth platform with 94% automated controls, 100% PHI encryption, and a 96/100 Security Hub score.

FAQ

Frequently asked questions about AWS security and compliance

The questions buyers actually ask before signing — multi-framework scope, evidence ownership, GRC tool integration, and ongoing cost.

We need HIPAA, SOC 2, and PCI DSS — can you handle multi-framework scope?

Yes. Most regulated SaaS clients land with overlapping scope, so we map the controls once against AWS-native services (Audit Manager, Security Hub, Config) and reuse the same evidence pipeline for each framework. Where the frameworks diverge — for example, PCI DSS 4.0.1 script integrity (Requirement 6.4.3) or HIPAA-specific BAA boundaries — we add the framework-specific controls without duplicating the foundational work. Net effect: a single integrated audit prep instead of three sequential ones.

What is your AWS-native evidence pipeline now that Audit Manager is closed to new customers?

AWS Audit Manager closed to new customers on 30 April 2026. Existing customers can keep using it, but we no longer recommend new engagements adopt it. Our current pipeline pairs AWS Config conformance packs (regulator-aligned control sets — CIS AWS Foundations, NIST 800-53 r5, HIPAA, PCI DSS 4.0, FedRAMP Moderate, K-ISMS, RBI, MAS — deployable Organization-wide via CloudFormation StackSets) with Security Hub Essentials on its 2025-revised resource-based pricing. Security Hub runs the continuous standards checks; Config conformance packs hold the rule-by-rule compliance state; CloudTrail Lake or Security Lake (OCSF 1.1) holds the auditable event store. Your team — or our consultants — still owns the policy library, risk assessments, and vendor reviews; the AWS-native stack collects the technical evidence.

When do we need a 3PAO vs. CPA firm vs. notified body?

Different frameworks require different assessor types. SOC 2 audits must be conducted by a licensed CPA firm. PCI DSS Level 1 (≥6M transactions/year) requires a Qualified Security Assessor (QSA), and FedRAMP requires a Third Party Assessment Organization (3PAO) listed on the FedRAMP marketplace. ISO 27001 certification requires an accredited certification body (notified body in EU terminology). HIPAA has no formal certification — it is enforced by HHS OCR, so the bar is "demonstrate due diligence" rather than "pass a specific assessor." Our gap-assessment phase always confirms the right assessor type before quoting a timeline.

Do you provide the BAA, or just the AWS-side controls?

AWS provides the Business Associate Addendum directly through AWS Artifact — that covers AWS as your subprocessor. We help you (a) confirm you only use HIPAA-eligible services on the workload side, (b) implement the technical safeguards (encryption, access logging, transmission security) under HIPAA §164.312, and (c) draft your downstream BAAs with anyone you share PHI with. We do not act as your covered-entity-side legal counsel — your healthcare attorney owns the BAA terms and Notice of Privacy Practices.

How do AI workloads (Bedrock, SageMaker) change the compliance scope?

AI changes the audit conversation in three concrete ways: (1) BAA boundaries shift — your Business Associate Addendum must reflect that a foundation model now processes PHI; AWS Bedrock and Bedrock AgentCore are HIPAA-eligible (AgentCore added February 2026), but every model and feature you use needs to be on the current AWS HIPAA Eligible Services list. (2) SOC 2 CC6.1 (logical access) and CC7.1 (system monitoring) extend to prompt and inference logs; HIPAA §164.312 transmission security and §164.308 access management both apply to inference paths. (3) Risk management documentation expands — NIST AI RMF for US, EU AI Act high-risk Annex III (enforceable 2 August 2026) for EU. Bedrock Guardrails (PII redaction, text and image content filters, denied topics, word filters, contextual grounding, and Automated Reasoning checks for math-validated factuality) are HIPAA-eligible and become evidence for those control extensions. We treat AI compliance as additive on top of HIPAA/SOC 2/PCI DSS — not a replacement.

What evidence packages do you produce, and who owns them post-engagement?

You own everything we produce: control narratives mapped to the framework, AWS architecture diagrams (Security Hub findings, Config rules, IAM Access Analyzer reports), the policy library (information security, access control, incident response, vendor management), risk-assessment workbook, and the Audit Manager evidence pipeline. Everything lives in your AWS account and your document repository. The only thing we keep is a redacted reference architecture for our internal patterns library.

Can you integrate with our existing GRC tool (Vanta, Drata, Secureframe)?

Yes. We work with Vanta, Drata, Secureframe, and Tugboat Logic regularly. The pattern is consistent: the GRC tool is your control inventory and evidence dashboard for auditors, AWS Config + Security Hub is the source of truth for technical findings, and we wire the read-only AWS integration so the GRC tool reflects live state instead of point-in-time snapshots. We do not push you off your existing tooling — most of our clients arrive with one already in place.

What does ongoing compliance monitoring cost after the initial engagement?

Two cost components: AWS service costs and engagement costs. AWS-side: Security Hub repriced to resource-based "Security Hub Essentials" in 2025 — unlimited checks/findings, billed per protected resource (EC2 instance, container image, Lambda function, IAM principal); typical mid-market spend $300–$1,500/month. AWS Config moved to tiered per-region pricing — $0.001 / $0.0008 / $0.0005 per evaluation across the first 100K / 100K–500K / >500K evaluation bands. Amazon GuardDuty is $4.00 per million CloudTrail management events plus add-on protection plans (EKS, S3, RDS, Lambda, EC2 Runtime) billed separately. Add Inspector v2 (per-resource per-month for EC2, ECR, Lambda + code scanning) and CloudTrail Lake / Security Lake storage as needed. Mid-market regulated workloads land at $800–$3,500/month for the full security stack. Engagement-side: our managed compliance retainer covers quarterly control reviews, annual policy refresh, audit liaison, and on-call support during your audit window — $4K–$12K/month depending on framework count and account scale. Assessor fees (CPA, QSA, 3PAO, certification body) sit on top and we do not control those.

Need Expert Help?

Our articles share what we know. Our consulting engagements apply that knowledge to your specific environment, regulatory scope, and threat model.