Compliance Frameworks
Framework-by-framework guidance — what auditors expect, what AWS provides, and what your team configures.
Most regulated SaaS, healthcare, and fintech teams arrive with overlapping framework scope — HIPAA plus SOC 2, or PCI DSS plus ISO 27001 — and EU operators now stack DORA and the EU AI Act on top. The guides below cover the specific controls each framework expects, where AWS-native services already satisfy the control, and where your engineering team has to configure or attest. Written from inside paid audit engagements, not from auditor handbooks.
Part of the AWS Security & Compliance hub.
Guides
An audit-prep checklist for Compliance Leads, Security Officers, and CISOs — BAA execution, documented Security Risk Assessments, workforce training, audit cadence, and the evidence packages OCR investigators expect when they show up.
A solutions architect's build guide for HIPAA on AWS. KMS key strategy, VPC isolation, RDS/S3/Lambda configuration patterns, IaC controls, and continuous validation — code-level decisions, not policy templates.
SOC 2 Type II certification proves your controls are effective over 6-12 months. This guide covers the compliance roadmap, AWS security controls, documentation requirements, and audit preparation for 2026 certification.
A practical architecture guide for PCI DSS compliance on AWS — CDE scoping, the 12 requirements mapped to AWS services, network design, encryption, logging, and audit readiness for payment-processing applications.
A practical guide to ISO 27001:2022 certification on AWS — building an ISMS that survives Stage 1 and Stage 2 audits, mapping the 93 Annex A controls to AWS services, and producing the evidence packages assessors actually request.
How to operationalize NIST CSF 2.0 on AWS — the new Govern function, the six core functions mapped to AWS services, maturity tier progression, and the relationship to NIST SP 800-53, SP 800-171, and CMMC.
GDPR compliance on AWS for SaaS companies handling EU resident data. Region selection, the AWS DPA, data subject rights automation, RoPA documentation, breach notification, and the technical controls regulators expect.
NIS2 compliance on AWS for EU operators of essential and important services. Scope assessment, the 24-hour and 72-hour incident reporting clock, supply-chain risk controls, and the AWS service mapping for the 10 minimum measures.
DORA (Regulation (EU) 2022/2554) on AWS — scope, the ICT risk-management framework, the third-party register, threat-led penetration testing under TIBER-EU, the major-incident reporting timeline, and the AWS-native control mapping for financial entities and their ICT service providers.
EU AI Act compliance on AWS — risk classification, prohibited practices, GPAI obligations, the high-risk Annex III framework (enforceable 2 August 2026), and the AWS-native control mapping using Bedrock Guardrails, SageMaker Model Cards, and Audit Manager governance.
Services
Engagements where we apply the patterns above to your specific environment, regulatory scope, and threat model.
Cloud compliance services — HIPAA, SOC 2, PCI DSS, ISO 27001, GDPR. Expert consulting from FactualMinds.
Free AWS Well-Architected Review from FactualMinds. Identify risks, compliance gaps, and optimization opportunities.
Related subtopics
Sibling subtopics that buyers usually evaluate alongside this one.
Org-wide guardrails, account isolation strategy, and continuous compliance monitoring as code.
Least-privilege patterns, workforce SSO with identity propagation, customer auth, and fine-grained Cedar-policy authorization.
AI-specific risk: prompt injection, PII leakage, hallucinations, and compliant model deployment for regulated industries.
FAQ
Our consulting engagements apply this guidance to your specific environment, regulatory scope, and threat model.
