Source
This page is generated from skills/eks-security/references/compliance-accelerators.md. Edit the source, not this page.
Layer 7 — Compliance Accelerators
Tools that turn the hardened cluster into continuous, auditor-ready evidence — so an audit is a report-pull, not a fire drill.
| Service | Function | Reference |
|---|---|---|
| AWS Audit Manager | Continuous evidence collection mapped to framework controls (HIPAA, PCI-DSS, FedRAMP, NIST 800-53). The engine that makes audit prep continuous rather than point-in-time. | AWS Audit Manager |
| AWS Config | Resource-configuration compliance; rules evaluating EKS cluster settings (logging enabled, endpoint privacy, encryption). | AWS Config |
| AWS Security Hub | CSPM; aggregates GuardDuty + Inspector + Config findings; evaluates compliance-pack standards (CIS AWS Foundations, AWS FSBP, NIST SP 800-53, PCI-DSS). | Security Hub |
| AWS Artifact | Self-service download of SOC 2, ISO 27001, PCI-DSS AOC, FedRAMP packages, HIPAA AOC, and the AWS Data Processing Addendum (DPA) — the documents you hand an auditor. | AWS Artifact |
| AWS Compliance Programs / Services in Scope | The authoritative, live source for which programs EKS is in scope for. | Compliance Programs · Services in Scope |
| kube-bench | OSS CIS Kubernetes Benchmark scanner; run it to baseline current CIS posture and re-validate after hardening. | kube-bench (Aqua) |
How they fit together
- Baseline — run
kube-benchfor current CIS posture; turn on Security Hub standards. - Continuous evidence — Audit Manager collects evidence against the chosen framework; Config flags drift.
- Audit time — validate Security Hub against the compliance pack, remediate findings, download the attestation (AOC / package) from Artifact for the auditor.
Disclaimer (always include in customer-facing output): "Compliance status changes over time — verify on the live AWS Services in Scope page before quoting program coverage." Audit Manager / Security Hub frameworks accelerate evidence; they do not themselves constitute certification.
Shared responsibility (Layer 7)
| AWS manages | Customer manages |
|---|---|
| Service availability; pre-built framework definitions + compliance packs; attestation packages in Artifact | Selecting the right framework; remediating findings; mapping evidence to the auditor's requirements; downloading + presenting attestations; the workload-level controls AWS attestations don't cover |