Chapter 69: AWS Compliance
This is not just a list of certifications you paste on your website. It is a complete operating model — a combination of AWS responsibilities, your responsibilities, tools you use, documents you collect, and processes you follow — so that your product, your data, and your business stay legal, auditable, and trusted by customers, regulators, banks, and enterprise buyers.
In India 2026, especially in fintech, health-tech, ed-tech, SaaS, and any company handling personal data, compliance is no longer optional — it is a business gatekeeper.
Let me explain it like we’re sitting together with a whiteboard and a second cup of Irani chai — slow, clear, step-by-step, with real Hyderabad examples, current 2026 facts, and practical guidance you can use tomorrow.
1. The Two Big Buckets — What “AWS Compliance” Actually Means
When people say “AWS Compliance”, they usually mean one or both of these:
A. AWS’s own compliance posture (What AWS itself has achieved — certifications, attestations, reports you can read)
B. Your company’s compliance when using AWS (How you use AWS services in a compliant way — this is where 90 % of the work lives)
Both are important, but B is what keeps you awake at night.
2. Bucket A — AWS’s Compliance Posture (What AWS Gives You)
AWS invests massively in compliance so you don’t have to reinvent the wheel.
Most relevant certifications & reports for Indian companies in 2026:
| Certification / Report | What it proves | Who usually cares in India? | How to access it (2026) |
|---|---|---|---|
| SOC 1, SOC 2 Type II, SOC 3 | Financial controls, security, availability, privacy | Banks, fintech, SaaS selling to enterprises | AWS Artifact (free download) |
| ISO 27001, 27017, 27018 | Information security, cloud controls, PII protection | Almost everyone — especially DPDP Act alignment | AWS Artifact |
| PCI DSS Level 1 | Card payment security | Fintech, payment gateways, e-commerce | AWS Artifact |
| HITRUST CSF | Healthcare security & privacy | Health-tech, insurance | AWS Artifact |
| IRAP (Australian) / MTCS (Singapore) | Regional government-level security | Some cross-border customers | AWS Artifact |
| MeitY empanelment | Indian government empanelment | Government & PSU contracts | AWS public compliance page + MeitY portal |
| RBI guidelines alignment | Financial sector cloud usage guidelines | Banks, NBFCs, payment aggregators | AWS RBI compliance whitepaper + Artifact reports |
Key takeaway (2026 reality):
AWS already holds most major global and regional certifications that Indian regulators and enterprises care about. Your job is not to get AWS certified — your job is to prove you used AWS in a compliant way.
3. Bucket B — Your Compliance Responsibility (Where the Real Work Lives)
This is the Shared Responsibility Model applied to compliance.
AWS gives you compliant building blocks. You have to assemble them correctly.
| Compliance Area | AWS Provides the Tools / Reports | You (the customer) Must Do | Typical Hyderabad company task (2026) |
|---|---|---|---|
| Data Residency | Regions in India (ap-south-1 Mumbai, ap-south-2 Hyderabad) | Keep regulated data in India Regions | Use ap-south-2 for all personal data |
| Encryption | KMS, ACM, SSE-KMS, EBS/RDS encryption | Enable encryption at rest & in transit everywhere | KMS customer-managed keys on S3/EBS/RDS |
| Access Control | IAM, IAM Identity Center, bucket policies, SCPs | Least privilege, no long-lived keys, MFA everywhere | SSO + roles, no 0.0.0.0/0 security groups |
| Logging & Auditability | CloudTrail, CloudWatch Logs, GuardDuty, Security Hub | Enable CloudTrail (multi-region), GuardDuty, log retention | CloudTrail + Security Hub dashboard |
| Data Protection / DPDP Act | Macie, KMS, S3 Object Lock, VPC endpoints | Classify data, encrypt PII, enable Macie, use Object Lock | Macie scans S3 for Aadhaar/PAN leaks |
| Incident Response & Breach Notification | GuardDuty, Security Hub, AWS Incident Response | Have IR plan, enable GuardDuty, test notification flow | 72-hour breach notification process |
| Compliance Evidence | AWS Artifact, AWS Compliance reports | Collect reports, run AWS Audit Manager assessments | SOC 2 Type II report for enterprise deal |
4. Real Hyderabad Example — Full Compliance Setup (Fintech 2026)
Your startup “PayTelugu” (UPI wallet & payment app):
Regulatory pressure:
- RBI guidelines for payment aggregators
- DPDP Act 2023 (personal data protection)
- Upcoming MeitY cloud empanelment requirement
What they built (very typical production pattern):
- Region choice: all resources in ap-south-2 (Hyderabad) — data residency satisfied
- Encryption everywhere
  - S3 SSE-KMS (customer-managed key)
  - EBS & RDS encrypted
  - ACM certificate on ALB → HTTPS enforced
  - VPC endpoints for S3/DynamoDB → no public internet traffic
- Access control
  - IAM Identity Center + Google Workspace SSO
  - No IAM user access keys — only roles
  - SCP in AWS Organizations → deny public S3 buckets, deny disabling CloudTrail
  - Security Groups → RDS allows 5432 only from the ECS task SG
- Logging & monitoring
  - CloudTrail multi-region trail → logs to encrypted S3 bucket (lifecycle → Glacier after 90 days)
  - GuardDuty + Security Hub → alerts on compromised keys, crypto-mining
  - Macie → scans all S3 buckets for PII (Aadhaar, PAN, phone) → alerts on exposure
- Backup & immutability
  - AWS Backup — centralized plan for RDS, EFS, EBS, DynamoDB
  - S3 Object Lock on compliance bucket (7-year retention for transaction logs)
- Compliance evidence
  - Download SOC 2 Type II, PCI DSS, ISO 27001 reports from AWS Artifact
  - Run AWS Audit Manager assessment for RBI guidelines & DPDP Act controls
  - Share reports with RBI auditors / enterprise clients
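The two SCP guardrails from the access-control bullets (deny disabling CloudTrail, deny public S3 buckets) written out as an added Python example, not PayTelugu's or AWS's own code: the policy document as you would hand it to AWS Organizations, plus a small simulation of its explicit-Deny logic so you can check who is blocked before attaching it. The break-glass role ARN is a placeholder assumption, "deny public S3 buckets" is implemented as refusing any change to Block Public Access, and the simulator models only the Deny statements, not full IAM evaluation.

```python
import fnmatch
import json

# Assumption: one organisation-level break-glass role stays able to change these settings.
BREAK_GLASS_ROLE = "arn:aws:iam::*:role/OrgSecurityAdmin"  # placeholder ARN, not from the page

GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Nobody may switch CloudTrail off or thin out what it records.
            "Sid": "DenyDisablingCloudTrail",
            "Effect": "Deny",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                       "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": BREAK_GLASS_ROLE}},
        },
        {   # Block Public Access stays on: "deny public S3 buckets" is enforced by
            # refusing any change to the account- or bucket-level BPA settings.
            "Sid": "DenyWeakeningS3BlockPublicAccess",
            "Effect": "Deny",
            "Action": ["s3:PutAccountPublicAccessBlock", "s3:PutBucketPublicAccessBlock"],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": BREAK_GLASS_ROLE}},
        },
    ],
}

def scp_denies(policy: dict, action: str, principal_arn: str) -> bool:
    """Simulate only the explicit-Deny half of SCP evaluation: Action wildcards and the
    ArnNotLike/aws:PrincipalArn condition used above. A real decision also needs an
    Allow further down the chain, so this answers just "would the SCP block it?"."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue  # this statement does not cover the requested action
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn")
        if exempt and fnmatch.fnmatchcase(principal_arn, exempt):
            continue  # condition fails for the break-glass role, so the Deny does not apply
        return True
    return False

def scp_json() -> str:
    """The document exactly as you would hand to organizations:CreatePolicy."""
    return json.dumps(GUARDRAIL_SCP, indent=2)
```

Remember that SCPs never apply to the management account, so the break-glass role should live in a member account.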
Monthly compliance-related cost:
- GuardDuty + Security Hub + Macie → ~₹4,000–12,000
- CloudTrail storage → ~₹500–2,000
- KMS + Secrets Manager → ~₹500–1,500
- Total: ₹5,000–18,000/month (cheap compared to an RBI fine or the cost of a breach)
5. Quick Hands-On – Get a Feel for a Basic Compliance Setup
- Enable CloudTrail (multi-region) → logs to encrypted S3 bucket
- Enable GuardDuty → wait 24 h → see first findings
- Enable Macie → create sensitive data discovery job on S3 buckets
- Create AWS Config rule: “S3 bucket should have server-side encryption”
- Download SOC 2 report from AWS Artifact (free)
Summary Table — AWS Compliance Cheat Sheet (2026 – India Focus)
| Compliance Goal | Primary AWS Tools / Actions | Golden Rule / Best Practice |
|---|---|---|
| Data residency (RBI, DPDP) | Use ap-south-1 or ap-south-2 Regions | Keep regulated personal data in India Regions |
| Encryption at rest & transit | KMS, ACM, SSE-KMS, TLS enforcement | Enable by default on S3, EBS, RDS, Redshift, etc. |
| Least privilege & access control | IAM Identity Center (SSO), IAM roles, SCPs | No long-lived keys, no 0.0.0.0/0 security groups |
| Logging & audit trail | CloudTrail (multi-region), GuardDuty, Security Hub | Enable CloudTrail & GuardDuty day 1 — encrypt logs |
| PII & sensitive data discovery | Amazon Macie | Enable on all S3 buckets — auto-classify & alert |
| Backup & immutability | AWS Backup, S3 Object Lock | Object Lock for 7-year retention on compliance data |
| Compliance evidence & reporting | AWS Artifact, AWS Audit Manager | Download SOC/PCI/ISO reports + run Audit Manager assessments |
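The cheat-sheet rules above (residency, encryption, no 0.0.0.0/0 security groups, multi-region encrypted CloudTrail, GuardDuty, Object Lock), the same rules the Bucket B table and the Quick Hands-On steps set up, turned into a detective check as an added Python example, not the page's or AWS's own code. It runs over constructed evidence whose field names loosely follow describe-* API output; the `Purpose` field marking which bucket holds compliance data is an assumption of the example, and in real use you would fill the dict from boto3 calls instead of the hand-written values used here so it runs offline.

```python
from ipaddress import ip_network

INDIA_REGIONS = {"ap-south-1", "ap-south-2"}
# Constructed evidence for this example: every value is hand-written, not from a real account.
EVIDENCE = {
    "buckets": [
        {"Name": "paytelugu-txn-logs", "Region": "ap-south-2", "Purpose": "compliance",
         "SSEAlgorithm": "aws:kms", "ObjectLock": True},
        {"Name": "paytelugu-kyc-uploads", "Region": "us-east-1", "Purpose": "pii",
         "SSEAlgorithm": None, "ObjectLock": False},
    ],
    "rds": [{"DBInstanceIdentifier": "wallet-db", "StorageEncrypted": False}],
    "security_groups": [
        {"GroupId": "sg-rds", "IpPermissions": [
            {"FromPort": 5432, "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-ecs"}]}]},
        {"GroupId": "sg-bastion", "IpPermissions": [
            {"FromPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    ],
    "trails": [{"Name": "org-trail", "IsMultiRegionTrail": False, "KmsKeyId": None}],
    "guardduty_enabled": True,
}

def is_world_open(cidr: str) -> bool:
    return ip_network(cidr).prefixlen == 0  # 0.0.0.0/0 or ::/0: the "any source" ranges

def findings(ev: dict) -> list[str]:
    """One line per cheat-sheet rule that is violated; an empty list means clean."""
    out = []
    for b in ev["buckets"]:
        if b["Region"] not in INDIA_REGIONS:
            out.append(f"residency: bucket {b['Name']} lives in {b['Region']}")
        if not b["SSEAlgorithm"]:
            out.append(f"encryption: bucket {b['Name']} has no default SSE")
        if b["Purpose"] == "compliance" and not b["ObjectLock"]:
            out.append(f"immutability: bucket {b['Name']} lacks Object Lock")
    for db in ev["rds"]:
        if not db["StorageEncrypted"]:
            out.append(f"encryption: RDS {db['DBInstanceIdentifier']} not encrypted at rest")
    for sg in ev["security_groups"]:
        for rule in sg["IpPermissions"]:
            if any(is_world_open(r["CidrIp"]) for r in rule["IpRanges"]):
                out.append(f"access: {sg['GroupId']} opens port {rule['FromPort']} to the world")
    if not any(t["IsMultiRegionTrail"] for t in ev["trails"]):
        out.append("audit: no multi-region CloudTrail trail")
    if any(not t["KmsKeyId"] for t in ev["trails"]):
        out.append("audit: CloudTrail logs are not KMS-encrypted")
    if not ev["guardduty_enabled"]:
        out.append("detection: GuardDuty not enabled")
    return out
```

Each finding maps back to a row of the cheat sheet, so the list doubles as the gap list you hand to whoever owns the fix.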
Teacher’s final note (real talk – Hyderabad 2026):
Compliance is 20 % AWS certifications and 80 % your configuration discipline.
The biggest compliance failures in India right now are not AWS failing — they are:
- Public S3 buckets with Aadhaar/PAN
- Overly permissive IAM roles leaked on GitHub
- No encryption on RDS/EBS
- No CloudTrail → no audit trail for RBI auditors
- No GuardDuty → blind to attacker activity
Do these five things religiously and you’ll be safer & more compliant than most:
- Use ap-south-2 (Hyderabad) for regulated data
- Encrypt everything (KMS, SSE, TLS)
- Least privilege everywhere (SSO + roles, tight security groups)
- Enable CloudTrail + GuardDuty + Security Hub
- Use S3 Object Lock for compliance retention
Got it? This is the “stay legal, stay trusted, stay in business” lesson.
Next?
- Step-by-step: Enable Macie + GuardDuty + Security Hub in a new account?
- Deep dive: How to use AWS Audit Manager for RBI/DPDP compliance?
- Or how to configure S3 Object Lock for 7-year immutability?
Tell me — next whiteboard ready! 🚀🔐
