Skip to main content
Source

This page is generated from skills/eks-security/references/compliance-regimes.md. Edit the source, not this page.

Compliance Regimes — Scope, Nuance & Worked Scenarios

The cross-cutting view over the 7-layer stack. Compliance status changes over time — every claim here must be re-verified against the live AWS Services in Scope page before it goes into a customer-facing document. The table below is a map to verify against, not a substitute for the live page.

EKS compliance-scope table

ProgramStatusNotes
PCI DSS Level 1✅ Natively in scopeCustomer owns workload-level controls (segmentation, access, logging, vuln mgmt)
HIPAA✅ EligibleRequires a signed BAA with AWS before processing PHI
SOC 1 / 2 / 3✅ In scopeReports in AWS Artifact
ISO 27001 / 27017 / 27018 / 9001✅ In scopeReports in AWS Artifact
FedRAMP Moderate✅ In scopeCommercial regions
FedRAMP High✅ In scopeGovCloud only (us-gov-east-1, us-gov-west-1)
HITRUST CSF✅ In scopeHealthcare-focused
IRAP / C5 / K-ISMS / ENS High / OSPAR✅ In scopeRegional government programs (AU / DE / KR / ES / SG)
DISA IL4 / IL5✅ In scope — GovCloud onlyDoD Impact Levels 4 & 5 are GovCloud-only; commercial regions reach IL2 only. Don't imply IL5 works in commercial.
GDPR / data residencyAlignment / frameworkAWS provides DPA + enablers; no independent GDPR certification; customer owns workload controls
NIST SP 800-53 / 800-171Alignment / frameworkAudit Manager framework support
CJISAlignment / frameworkArchitectural enablers

Language precision (these are graded by auditors):

  • EKS is "HIPAA-eligible", never "HIPAA-compliant" — the customer signs a BAA and owns workload-level controls. "HIPAA-compliant" implies an attestation AWS does not provide.
  • FedRAMP Moderate ≠ High. Moderate = commercial regions; High = GovCloud only. Promising High in commercial regions is a guaranteed audit failure.
  • For alignment/framework regimes (GDPR, NIST, CJIS), AWS provides enablers but no independent attestation — say so explicitly.

Per-regime quick guidance

  • HIPAA — confirm an active BAA first; enable all 5 control-plane log types for forensic depth; 6-year audit-log retention; CMK for EBS/S3/EFS holding PHI; Audit Manager HIPAA framework; download the HIPAA AOC from Artifact.
  • PCI-DSS — 1-year audit-log retention minimum; default-deny NetworkPolicy + Security Groups for Pods to segment cardholder-data namespaces; ECR Enhanced Scanning (Req 6 + 11) + quarterly ASV external pentest; Security Hub PCI-DSS pack; PCI AOC from Artifact.
  • FedRAMP — Moderate (commercial) vs High (GovCloud) is the first question; CMK for all data layers; VPC private endpoints to keep traffic on the AWS backbone; Audit Manager FedRAMP framework; confirm the authorizing agency for the customer's account.
  • GDPR — EU-region-only clusters + all data layers in EU; no cross-region replication outside the EU; EU-region CloudWatch/CloudTrail; download the DPA from Artifact; the customer owns Article-17 erasure, DPIAs, and breach notification (Articles 33-34).

Worked scenarios (decision shape, not copy-paste)

1 — HIPAA greenfield, open to AWS defaults

Bottlerocket + Pod Identity + Access Entries + PSA restricted + Kyverno + VPC CNI NetworkPolicy + Security Groups for Pods + ECR Enhanced Scanning + Cosign + GuardDuty for EKS + all 5 control-plane logs + CMK on PHI data layers + Audit Manager HIPAA framework. Confirm the BAA is active before anything else. 30/60/90: provision + enable logging/Audit Manager → onboard first PHI workload + validate Pod Identity/Access Entries/Kyverno/NetworkPolicy → HIPAA mock audit + remediate + pull HIPAA AOC.

2 — Vendor-OS mandate (RHEL), FedRAMP Moderate, federal

Layer 1 = custom CIS-hardened RHEL AMI on self-managed nodes via Image Builder (customer owns RHEL hardening + patch cycle), or ROSA if they want Red-Hat-managed OpenShift (separate product — defer to ROSA + Red Hat partner). Layers 2-7 identical to the canonical stack. FedRAMP nuance: Moderate = commercial regions; CMK for all data layers; VPC private endpoints. Surface Bottlerocket as the AWS-canonical alternative if the mandate is a support contract rather than specific RHEL features — without pushing past the mandate. Escalate if the customer needs FedRAMP High (GovCloud + partner).

3 — PCI-DSS existing-cluster hardening, audit in 4 months

Priority-ordered (not big-bang): Weeks 1-2 enable logging + GuardDuty + ECR scanning + Security Hub PCI pack + kube-bench baseline (non-disruptive). Weeks 3-6 aws-auth → Access Entries (change window), audit IRSA least-privilege. Weeks 7-10 PSA restricted (auditenforce), Kyverno PCI policies, default-deny NetworkPolicy + SGP on the cardholder-data namespace. Weeks 11-14 migrate AL2→AL2023/Bottlerocket (AL2 OS EOL June 30 2026). Weeks 15-16 Audit Manager PCI framework + remediate + pull PCI AOC. Map controls to PCI Requirements 2/6/7/8/10/11.

4 — GDPR / EU data residency

GDPR is alignment/framework — no AWS certification. Architecture: EKS + all data layers in EU regions only; no non-EU replication; EU-region logs; VPC endpoints to avoid egress via non-EU edges; AWS European Sovereign Cloud for highest assurance (escalate for availability). Standard 7-layer baseline otherwise. Customer owns Article-17 erasure, DPIAs, breach notification; AWS provides the DPA (Artifact).

5 — EKS Auto Mode for a compliance-sensitive workload

The crux: is a CIS-hardened custom AMI a hard regulatory requirement or an organizational preference? Auto Mode doesn't support custom AMIs (or Cilium) as of June 2026.

  • Hard requirement → Auto Mode not viable → Bottlerocket on self-managed Karpenter NodePools.
  • Preference → Auto Mode viable → lead with its reduced-permission node IAM (AmazonEKSWorkerNodeMinimalPolicy) as a HIPAA differentiator.
  • Most compliance-sensitive customers land on Bottlerocket + Karpenter as the compromise (immutable OS + custom-AMI control + consolidation). Layers 2-7 are identical regardless of the Layer-1 choice.

Escalate (compliance-specific)

First-time certification on a mission-critical regulated workload; XXL+ segment; FedRAMP High/GovCloud; Top Secret/Secret (out of scope); EKS Anywhere/Hybrid Nodes inside a FedRAMP boundary; multi-tenant SaaS with cross-tenant PHI/cardholder/federal isolation; customer-vs-auditor disagreement on AWS-managed-control acceptability; written legal commitments beyond Artifact; or any claim you cannot ground in an AWS-published source.

Sources