Skip to main content
Source

This page is generated from skills/ecs-security/references/compliance-accelerators.md. Edit the source, not this page.

Layer 7b — Compliance Accelerators

Tools that turn a hardened ECS estate into continuous, auditor-ready evidence — so an audit is a report-pull, not a fire drill.

ServiceFunction for ECSReference
AWS ConfigResource-configuration compliance; rules that evaluate ECS task definitions/services — e.g. ecs-containers-nonprivileged (no privileged containers), read-only-rootfs, no plaintext secrets, awsvpc mode, no host networking. Flags drift continuously.AWS Config
AWS Security HubCSPM; aggregates GuardDuty + Inspector + Config findings; runs the ECS controls pack (ECS.4, ECS.5, plaintext-secret and host-mode checks) and standards (AWS FSBP, CIS, NIST 800-53, PCI-DSS).Security Hub ECS controls
AWS Audit ManagerContinuous evidence collection mapped to framework controls (HIPAA, PCI-DSS, FedRAMP, NIST 800-53) — makes audit prep continuous rather than point-in-time.AWS Audit Manager
AWS ArtifactSelf-service download of SOC 2, ISO 27001, PCI-DSS AOC, FedRAMP packages, and the AWS Data Processing Addendum (DPA) — the documents you hand an auditor; also where you accept agreements like the HIPAA BAA (there is no "HIPAA AOC" — no HIPAA certification exists for a CSP and the HIPAA artifact is the signed BAA, per AWS HIPAA compliance; auditors commonly also ask for supporting reports such as SOC 2, downloadable from Artifact).AWS Artifact
AWS Services in Scope / Compliance ProgramsThe authoritative, live source for which programs ECS and Fargate are in scope for.Services in Scope · ECS compliance validation

How they fit together

  1. Baseline — turn on Security Hub standards + the ECS controls; enable Config rules for ECS; enable ECR Enhanced Scanning + GuardDuty (Layers 4/6).
  2. Continuous evidence — Audit Manager collects evidence against the chosen framework; Config flags drift; Security Hub scores posture.
  3. Audit time — validate Security Hub against the compliance pack, remediate findings, download the attestation (AOC / package) from Artifact for the auditor.

Disclaimer (always include in customer-facing output): "Compliance status changes over time — verify on the live AWS Services in Scope page before quoting program coverage." Audit Manager / Security Hub frameworks accelerate evidence; they do not themselves constitute certification.

Shared responsibility (Layer 7b)

AWS managesCustomer manages
Service availability; pre-built ECS Config rules, Security Hub ECS controls, and Audit Manager framework definitions; attestation packages in ArtifactSelecting the right framework; remediating findings; mapping evidence to the auditor's requirements; downloading + presenting attestations; the workload-level controls AWS attestations don't cover

Sources