Compliance Gap Assessment
Structured review of your AWS environment against your target compliance framework — identifying what is in place, what is missing, and the priority order for remediation.
Cloud Compliance Services
An enterprise deal is stalled on your SOC 2 report. An audit is in 8 weeks. AWS compliance certifications protect AWS — not your workloads. We close the gap between your current environment and audit-ready, across HIPAA, SOC 2, PCI DSS, ISO 27001, and GDPR — and we have the evidence packages to prove it.
Cloud compliance services — HIPAA, SOC 2, PCI DSS, ISO 27001, GDPR. Expert consulting from FactualMinds.
Cloud compliance services prepare your AWS environment to pass audits for frameworks like HIPAA, SOC 2, PCI DSS, ISO 27001, and GDPR — covering the gap between what AWS secures and what you are responsible for. On AWS, this means implementing the specific technical controls — encryption, access management, logging, monitoring, network segmentation — your auditor will test. A complete engagement covers gap assessment (what is missing), remediation (implementing required controls), and audit readiness (organizing evidence and preparing for assessors).
For an existing AWS environment with security basics in place (VPCs, IAM, encryption), achieving HIPAA compliance typically takes 4–8 weeks. This includes completing a Business Associate Agreement (BAA) with AWS, mapping PHI data flows, implementing required technical safeguards (encryption at rest and in transit, access controls, audit logging), and documenting administrative and physical safeguards. Starting from scratch takes longer. HIPAA compliance is ongoing — you must maintain and monitor controls, not just implement them once.
SOC 2 Type I is a point-in-time assessment — an auditor verifies that controls are designed correctly as of a specific date. SOC 2 Type II covers a period of time (typically 6–12 months) and verifies that controls operated effectively throughout that period. Type II is the standard that enterprise customers and partners typically require. You cannot get a Type II without first having the controls in place for the observation period — which means implementation and Type I first, then Type II certification.
The total cost has two components: implementation (remediating gaps in your environment) and audit (paying an accredited CPA firm to assess your controls). Implementation costs depend on your current security posture — a well-architected environment might need $15,000–$40,000 in consulting work; a poorly configured one could require significantly more. The audit itself (Type II) typically costs $20,000–$60,000 depending on scope. AWS credits from a Well-Architected Review can offset some implementation costs.
AWS maintains certifications for many compliance frameworks (PCI DSS Level 1 Service Provider, HIPAA eligibility, SOC 2 Type II, ISO 27001) for the AWS platform itself. These certifications cover AWS's infrastructure and services — not your workloads. You inherit AWS's compliance for the controls AWS manages (physical security, hypervisor security, network infrastructure), but you are responsible for the controls you manage: your application configuration, data handling, access controls, and logging. AWS Artifact provides AWS compliance reports for your auditors.
The core AWS services for compliance work are AWS Security Hub (centralized compliance dashboards with built-in standards for CIS, PCI DSS, NIST), AWS Config (resource configuration tracking and compliance rules), AWS CloudTrail (API activity logging), Amazon GuardDuty (threat detection), AWS IAM (identity and access management), AWS KMS (encryption key management), Amazon Macie (sensitive data discovery in S3), Amazon Inspector (vulnerability scanning), AWS Certificate Manager (TLS certificates), and VPC security features. Security Hub's compliance standards provide a pre-built map between AWS Config rules and compliance framework requirements.
Yes. GDPR compliance on AWS focuses on data residency (deploying in EU regions, using AWS services that support data residency commitments), data subject rights (building mechanisms to locate, export, and delete personal data), consent management, and breach notification procedures. AWS provides GDPR-compliant service terms (the AWS Data Processing Addendum) and supports data processing agreements. We implement the technical controls — data classification, access logging, deletion workflows — that demonstrate GDPR compliance.
ISO 27001 and SOC 2 have significant overlap in controls — both address access control, encryption, logging, incident response, and risk management. Organizations that achieve one have typically implemented most of the controls required for the other. ISO 27001 is an international standard recognized globally; SOC 2 is a US-focused framework commonly required by North American enterprise customers. We often implement both simultaneously, sharing evidence between the two audits.
## What are Cloud Compliance Services?

Cloud compliance services are consulting and managed-service engagements that align your AWS environment with regulatory frameworks — HIPAA, SOC 2 Type II, PCI DSS, ISO 27001, GDPR, NIST CSF 2.0, NIS2 — through gap assessment, control remediation, evidence collection, and audit support. Work spans IAM, encryption, logging, network segmentation, vulnerability management, and incident response, ending in an audit-ready evidence package mapped one-to-one to each framework's controls.

## Compliance on AWS Is Not Automatic

AWS provides HIPAA-eligible services, maintains PCI DSS Level 1 certification, and publishes SOC 2 reports. This is often misread as "AWS is compliant, so we are compliant."

The AWS shared responsibility model divides security and compliance responsibility between AWS and you. AWS secures the underlying infrastructure — physical data centers, hypervisors, network hardware, and the managed service layer. You are responsible for everything you configure: encryption settings, access policies, logging configurations, network security groups, and application-level controls.

Every compliance audit of an AWS workload is, in effect, an audit of how you have configured AWS services — not of AWS itself. Our cloud compliance services close the gap between a default AWS environment and an audit-ready one.

## Compliance Frameworks

Each framework has its own assessor type, evidence expectations, and AWS-control mapping. The pages below go control-by-control for the four frameworks buyers ask about most.

| Framework | Version | Assessor | Typical timeline | Dedicated page |
| --- | --- | --- | --- | --- |
| HIPAA | Security & Privacy Rules + 2024 NPRM | HHS OCR (no formal certification) | 8 weeks gap-to-evidence | [HIPAA on AWS →](/security-compliance/hipaa/) |
| SOC 2 Type II | 2017 TSC (revised 2022) | Licensed CPA firm | 9–14 months including observation | [SOC 2 Type II on AWS →](/security-compliance/soc-2/) |
| PCI DSS | 4.0.1 (enforceable 31 Mar 2025) | QSA (Level 1) or SAQ-D (Level 2) | 12–16 weeks | [PCI DSS 4.0.1 on AWS →](/security-compliance/pci-dss/) |
| ISO 27001 | 2022 with Amendment 1:2024 | IAF-accredited certification body | 6–9 months including operating period | [ISO 27001:2022 on AWS →](/security-compliance/iso-27001/) |

For multi-framework scope, see the [AWS Security & Compliance hub](/security-compliance/) — it maps overlapping controls so a single integrated audit prep replaces three sequential ones.

## HIPAA Compliance on AWS

The Health Insurance Portability and Accountability Act (HIPAA) applies to any organization that creates, receives, maintains, or transmits Protected Health Information (PHI). On AWS, HIPAA compliance requires:

**Business Associate Agreement (BAA):** You must sign an AWS BAA before using HIPAA-eligible services for PHI. The BAA defines which AWS services are covered. Using non-eligible services for PHI processing violates HIPAA, even if those services are otherwise secure.

**HIPAA-eligible services:** AWS maintains a list of services covered under the BAA. This includes core services like EC2, S3, RDS, Lambda, and API Gateway — but not all AWS services. Architecture must be limited to eligible services for any PHI processing.

**Technical safeguards:**

- Encryption at rest using AWS KMS for all PHI data stores (S3 SSE-KMS, RDS encryption, EBS encryption)
- Encryption in transit with TLS 1.2+ enforced, no unencrypted protocols
- Unique user identification with MFA enforcement — no shared accounts
- Automatic logoff for workstations and consoles
- Audit controls: CloudTrail logging for all API activity, VPC Flow Logs, S3 access logging

**Administrative safeguards:** HIPAA requires not just technical controls but documented policies and procedures — workforce training records, risk analysis documentation, incident response procedures, and business associate agreements with all downstream vendors.

## SOC 2 Type II on AWS

SOC 2 Type II certification demonstrates to enterprise customers and partners that your organization maintains effective security controls over a defined period. The five Trust Service Criteria:

**Security (required)** — Protecting against unauthorized access. AWS controls: IAM least privilege, MFA enforcement, VPC isolation, Security Groups, GuardDuty, CloudTrail.

**Availability** — System uptime and performance commitments. AWS controls: Multi-AZ deployments, Auto Scaling, Route 53 health checks, CloudWatch alarms.

**Confidentiality** — Protecting confidential information. AWS controls: KMS encryption, S3 bucket policies, data classification tagging, access logging.

**Processing Integrity** — Complete and accurate processing. AWS controls: Step Functions error handling, SQS dead-letter queues, Lambda retry logic, data validation.

**Privacy** — Collection, use, and retention of personal information. AWS controls: Macie for PII discovery, S3 lifecycle policies, data deletion automation.

Most SOC 2 engagements focus on Security and one or two additional criteria. We implement the controls, configure AWS Config rules that monitor for compliance drift, and maintain the evidence records your auditor needs.

## PCI DSS on AWS

Payment Card Industry Data Security Standard compliance is required for any organization that processes, stores, or transmits cardholder data. PCI DSS v4.0 consists of 12 requirements spanning network security, access control, logging, vulnerability management, and information security policies.

**Cardholder Data Environment (CDE) scoping** is the most important architectural decision. The smaller your CDE, the smaller your audit scope. AWS architecture options for scope reduction:

- Use Stripe, Braintree, or Adyen to handle card capture and tokenization — keeping raw card data entirely outside your environment
- Isolate remaining payment processing in a dedicated AWS account or VPC
- Implement network segmentation between CDE and non-CDE components

**AWS services for PCI DSS:**

| Requirement | AWS Services |
| --- | --- |
| Network segmentation (Req 1) | VPC, Security Groups, Network ACLs, AWS Firewall Manager |
| No vendor-supplied defaults (Req 2) | AWS Config rules, Systems Manager |
| Protect cardholder data (Req 3–4) | KMS, ACM, S3 SSE, RDS encryption |
| Vulnerability management (Req 5–6) | Amazon Inspector, ECR image scanning, Systems Manager Patch Manager |
| Access control (Req 7–9) | IAM, AWS SSO, CloudTrail, Secrets Manager |
| Monitor and test (Req 10–11) | CloudTrail, VPC Flow Logs, Security Hub PCI standard, GuardDuty |
| Information security policy (Req 12) | Documented policies, AWS Artifact for AWS AoC |

AWS Security Hub includes a built-in PCI DSS compliance standard that maps Config rules to PCI requirements, providing continuous automated compliance assessment.

For fintech-specific AWS architecture, see our guide on [PCI DSS Compliance on AWS for Fintech](/blog/building-fintech-applications-on-aws-architecture-patterns/).

## Our Compliance Delivery Process

### Step 1: Gap Assessment (1–2 weeks)

Structured review of your current AWS environment against your target framework:

- Security control inventory
- AWS Config rule evaluation
- Security Hub findings review
- IAM policy analysis
- Network architecture review
- Encryption coverage audit
- Logging completeness check

Output: Prioritized gap report with control mapping and estimated remediation effort for each gap.

### Step 2: Remediation (4–12 weeks)

Hands-on implementation of required controls, in priority order:

- IAM policy hardening and MFA enforcement
- Encryption at rest and in transit
- Logging and monitoring configuration
- Network segmentation and security group hardening
- Automated compliance monitoring with AWS Config and Security Hub
- Secrets Manager migration (replacing hardcoded credentials)
- Vulnerability scanning setup

### Step 3: Audit Readiness (1–2 weeks)

Preparation for formal audit engagement:

- Evidence package organization (screenshots, Config snapshots, policy documents)
- Control narrative documentation
- Auditor readiness review
- Remediation of final gaps identified in readiness review

### Step 4: Ongoing Monitoring

Compliance is not a one-time event. After certification, we maintain:

- AWS Security Hub compliance standard monitoring
- Config rule enforcement for new resources
- Quarterly access reviews
- Annual risk assessment updates
- Compliance drift alerts

## Industry Focus

**Healthcare** — HIPAA BAA establishment, PHI data flow mapping, HITRUST alignment for organizations pursuing HITRUST CSF certification. See our [AWS Healthcare industry page](/industries/aws-healthcare/).

**Fintech** — PCI DSS CDE scoping and remediation, SOC 2 for payment platforms, FFIEC guidance for financial services. See our [AWS Fintech industry page](/industries/aws-fintech-financial-services/).

**SaaS** — SOC 2 Type II as a sales requirement for enterprise customers. Most B2B SaaS companies pursue SOC 2 by their Series B or when closing enterprise deals.

**EdTech** — FERPA compliance for student data, COPPA for applications serving users under 13, combined with SOC 2 for enterprise school district customers.

For the full security stack that underpins compliance, see our [AWS Security Consulting](/services/aws-cloud-security/) service. For the architecture review that often precedes a compliance engagement, see [AWS Well-Architected Review](/services/aws-architecture-review/).

For comprehensive reading on HIPAA requirements, see our [HIPAA on AWS Complete Compliance Checklist](/blog/hipaa-on-aws-complete-compliance-checklist/).

[Book a Free Compliance Gap Assessment →](/contact-us/)
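The gap assessment step (control inventory, Config-style rule evaluation, encryption and logging checks) and the Security Hub-style mapping of rules to PCI requirements are easier to see as code. The following is an added example, not FactualMinds' tooling or an AWS API: it evaluates a constructed, hypothetical resource inventory against a few of the controls this page names (HIPAA technical safeguards, PCI DSS requirement numbers) and returns a prioritized gap report with control mapping and effort estimates. The rule names are chosen here and are not real AWS Config managed rule identifiers.

```python
"""Added example: a minimal gap-assessment evaluator. Inventory records are
constructed inline; a real run would use AWS Config evaluations instead."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Control:
    rule_id: str              # hypothetical Config-style rule name (not a real managed rule)
    resource_type: str        # which inventory records the rule applies to
    description: str
    mapping: tuple            # framework controls the rule evidences (from this page)
    severity: int             # 1 = critical ... 3 = low; primary remediation order
    effort_hours: int         # estimated remediation effort per failing resource
    passes: Callable[[dict], bool]


CONTROLS = (
    Control("s3-default-encryption-kms", "s3", "S3 default encryption is SSE-KMS",
            ("HIPAA: encryption at rest", "PCI DSS Req 3"), 1, 2,
            lambda r: r.get("sse") == "aws:kms"),
    Control("rds-storage-encrypted", "rds", "RDS storage encryption enabled",
            ("HIPAA: encryption at rest", "PCI DSS Req 3"), 1, 6,
            lambda r: r.get("storage_encrypted") is True),
    Control("iam-user-mfa-enabled", "iam_user", "Console user has MFA",
            ("HIPAA: unique user identification / MFA", "PCI DSS Req 8"), 1, 1,
            lambda r: (not r.get("console_access")) or r.get("mfa") is True),
    Control("cloudtrail-multi-region", "cloudtrail", "Trail is multi-region and logging",
            ("HIPAA: audit controls", "PCI DSS Req 10"), 2, 4,
            lambda r: r.get("multi_region") is True and r.get("logging") is True),
    Control("vpc-flow-logs-enabled", "vpc", "VPC Flow Logs enabled",
            ("HIPAA: audit controls", "PCI DSS Req 10"), 3, 1,
            lambda r: r.get("flow_logs") is True),
)


@dataclass(frozen=True)
class Gap:
    resource_id: str
    control: Control


def assess(inventory: list) -> list:
    """Run every applicable control against every resource; collect failures."""
    gaps = []
    for resource in inventory:
        for control in CONTROLS:
            if control.resource_type == resource["type"] and not control.passes(resource):
                gaps.append(Gap(resource["id"], control))
    return gaps


def prioritize(gaps: list) -> list:
    """Critical severity first; among equals, the cheapest fix first (quick wins)."""
    return sorted(gaps, key=lambda g: (g.control.severity, g.control.effort_hours, g.resource_id))


def total_effort(gaps: list) -> int:
    return sum(g.control.effort_hours for g in gaps)


def report(gaps: list) -> list:
    """One line per gap: priority rank, resource, rule, mapped controls, effort."""
    lines = []
    for rank, g in enumerate(prioritize(gaps), start=1):
        lines.append(f"{rank}. [sev {g.control.severity}] {g.resource_id}: "
                     f"{g.control.description} ({'; '.join(g.control.mapping)}) "
                     f"~{g.control.effort_hours}h")
    lines.append(f"Total estimated remediation effort: {total_effort(gaps)}h")
    return lines


# Constructed sample inventory (hypothetical resources, not from any real account).
SAMPLE_INVENTORY = [
    {"type": "s3", "id": "phi-exports", "sse": "AES256"},            # encrypted, but not with KMS
    {"type": "s3", "id": "phi-archive", "sse": "aws:kms"},
    {"type": "rds", "id": "patients-db", "storage_encrypted": False},
    {"type": "iam_user", "id": "alice", "console_access": True, "mfa": True},
    {"type": "iam_user", "id": "shared-ops", "console_access": True, "mfa": False},
    {"type": "iam_user", "id": "ci-deploy", "console_access": False},  # no console, MFA not required
    {"type": "cloudtrail", "id": "main-trail", "multi_region": False, "logging": True},
    {"type": "vpc", "id": "vpc-prod", "flow_logs": False},
]

if __name__ == "__main__":
    print("\n".join(report(assess(SAMPLE_INVENTORY))))
```

On the sample inventory this reports five gaps (14 estimated hours), with the shared console user lacking MFA ranked first because it is both critical and a one-hour fix.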
BAA establishment, PHI data flow mapping, encryption implementation, access control hardening, and audit logging configuration for HIPAA-compliant AWS environments.
Control implementation and evidence collection across the SOC 2 Trust Service Criteria — Security, Availability, Confidentiality, Processing Integrity, and Privacy.
CDE scoping, network segmentation, encryption, logging, and vulnerability management for AWS environments processing cardholder data. Aligned to PCI DSS 4.0.
Continuous compliance posture monitoring using AWS Security Hub compliance standards, AWS Config rules, and automated remediation for drift detection.
Organized evidence packages, compliance narratives, and auditor liaison support to accelerate your certification timeline and reduce audit friction.
We implement to auditor standards, not checkboxes. Every control is documented with the evidence an assessor will actually request — not a screenshot taken at implementation and never updated.
We have supported HIPAA, SOC 2, PCI DSS, ISO 27001, and GDPR engagements — often simultaneously for the same client.
Every remediation we implement is documented with the compliance control it satisfies — making audit evidence collection faster and more complete.
Healthcare teams going for HIPAA + HITRUST, fintech firms under PCI DSS, B2B SaaS closing enterprise deals on SOC 2 — we understand the compliance timelines and deal stakes specific to your industry.
Implementation guides for this service from our team of AWS experts.
GDPR compliance on AWS for SaaS companies handling EU resident data. Region selection, the AWS DPA, data subject rights automation, RoPA documentation, breach notification, and the technical controls regulators expect.
An audit-prep checklist for Compliance Leads, Security Officers, and CISOs — BAA execution, documented Security Risk Assessments, workforce training, audit cadence, and the evidence packages OCR investigators expect when they show up.
SOC 2 Type II certification proves your controls are effective over 6-12 months. This guide covers the compliance roadmap, AWS security controls, documentation requirements, and audit preparation for 2026 certification.
A solutions architect's build guide for HIPAA on AWS. KMS key strategy, VPC isolation, RDS/S3/Lambda configuration patterns, IaC controls, and continuous validation — code-level decisions, not policy templates.
SOC 2 closes North American deals. ISO 27001:2022 closes the European and Japanese ones. Building an ISMS that survives Stage 1 and Stage 2 audits, mapping the 93 Annex A controls to AWS services, and producing the evidence packages assessors actually request.
NIS2 compliance on AWS for EU operators of essential and important services. Scope assessment, the 24-hour and 72-hour incident reporting clock, supply-chain risk controls, and the AWS service mapping for the 10 minimum measures.
How to operationalize NIST CSF 2.0 on AWS — the new Govern function, the six core functions mapped to AWS services, maturity tier progression, and the relationship to NIST SP 800-53, SP 800-171, and CMMC.
In-depth guides and best practices from our certified AWS architects.
GitHub Actions OIDC role sessions are short-lived by design—teams still paste static access keys into workflow logs until scanners or audits catch the diff; supply-chain writeups keep repeating the pattern into 2026.
Bedrock Automated Reasoning checks ground LLM outputs against formal logic policies you encode and mathematically validate that the response is consistent with the policy. This guide covers when to use Automated Reasoning vs contextual grounding, how to author the policy in production, the integration with Bedrock Guardrails, and the regulated use cases (HR, insurance, eligibility, regulatory determinations) where the difference matters.
CloudTrail Event History on the default plan isn't your audit trail — it's a 90-day story you tell auditors. A production CloudTrail setup with multi-region trails, KMS encryption, log file integrity validation, and CloudTrail Lake as the queryable layer for incident response and compliance evidence.
A free compliance gap assessment tells you exactly what is in place, what is missing, and what to fix first — so you can walk into the audit room with confidence.