Cloud Compliance — SOC 2, ISO 27001 & HIPAA in the Cloud Guide
In this tutorial, you'll learn about Cloud Compliance. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.
Cloud compliance requires mapping regulatory controls to your cloud architecture, collecting evidence from both the provider's environment and your own, and continuously monitoring for compliance drift across the SOC 2, ISO 27001, and HIPAA frameworks.
What You Will Learn
How each compliance framework maps to cloud-specific controls, which services are in scope, and how to automate evidence collection using native cloud tools.
Why It Matters
Non-compliance costs millions in fines and lost business. Cloud compliance is complex because the provider and the customer are responsible for different controls. Understanding where that boundary lies is essential for passing audits.
Real-World Use
A healthcare SaaS company on AWS achieves HIPAA compliance by using only HIPAA-eligible services, signing a Business Associate Agreement (BAA) with AWS, encrypting all PHI at rest and in transit, and logging every access to ePHI. CloudTrail provides the audit trail.
Compliance Responsibility Matrix
flowchart TD
subgraph Provider-Managed
P1[Physical Security]
P2[Infrastructure Security]
P3[Network Security]
P4[Hypervisor Security]
end
subgraph Customer-Managed
C1[Data Classification]
C2[Access Control]
C3[Application Security]
C4[Incident Response]
end
subgraph Shared
S1[Patch Management]
S2[Encryption Configuration]
S3[Monitoring & Logging]
end
style C1 fill:#f90,color:#fff
style C2 fill:#f90,color:#fff
style C3 fill:#f90,color:#fff
style C4 fill:#f90,color:#fff
SOC 2 in the Cloud
SOC 2 evaluates controls related to security, availability, processing integrity, confidentiality, and privacy. AWS, Azure, and GCP all have SOC 2 Type II reports available under NDA.
# AWS: list the SOC reports published in Artifact. The "aws artifact download"
# subcommand shown on earlier versions of this page does not exist; a report is
# retrieved with get-term-for-report (accept the terms) followed by get-report.
aws artifact list-reports \
  --query "reports[?contains(name, 'SOC')].{Id:id,Name:name,Version:version}" \
  --output table
TERM_TOKEN=$(aws artifact get-term-for-report --report-id <report-id> \
  --query termToken --output text)
aws artifact get-report --report-id <report-id> --term-token "$TERM_TOKEN"
# Enable Security Hub and subscribe to a standard. Security Hub ships no SOC 2
# standard, so map your SOC 2 criteria onto one it does offer (pick an ARN from
# describe-standards, e.g. AWS Foundational Security Best Practices).
aws securityhub enable-security-hub --no-enable-default-standards
aws securityhub describe-standards --query "Standards[].StandardsArn"
aws securityhub batch-enable-standards \
  --standards-subscription-requests StandardsArn=<standards-arn-from-describe-standards>
# Check compliance status: list the active findings for controls that currently fail
aws securityhub get-findings \
  --filters '{"ComplianceStatus":[{"Value":"FAILED","Comparison":"EQUALS"}],"RecordState":[{"Value":"ACTIVE","Comparison":"EQUALS"}]}' \
  --query "Findings[].{Control:Compliance.SecurityControlId,Title:Title,Resource:Resources[0].Id}" \
  --output table
# Output: one row per failing control (control ID, finding title, resource ARN)
ISO 27001 in the Cloud
ISO 27001 requires an Information Security Management System. Cloud providers hold ISO 27001 certifications. Customers must scope their ISMS to include cloud services.
# Azure: view Defender for Cloud regulatory-compliance data for ISO 27001.
# (The "compliance-assessment" subcommand shown on earlier versions of this page
# does not exist; the standard name must match one returned by the first command.)
az security regulatory-compliance-standards list --output table
az security regulatory-compliance-controls list \
  --standard-name <iso-27001-standard-name-from-list> --output table
# Assign an Azure Policy definition that enforces an ISO 27001 control.
# --policy takes the definition's name (a GUID for built-ins), not its display
# name, so look the name up first.
az policy definition list \
  --query "[?contains(displayName, 'encryption at rest')].{Name:name,DisplayName:displayName}" \
  --output table
az policy assignment create \
  --name iso-27001-sql-encryption \
  --display-name "ISO 27001 SQL Encryption" \
  --policy <policy-definition-name-from-list> \
  --resource-group prod-rg
# List compliance results for the assignment
az policy state list \
  --resource-group prod-rg \
  --policy-assignment iso-27001-sql-encryption \
  --query "[].{ResourceId:resourceId, Compliance:complianceState}" \
  --output table
# Output:
# ResourceId                                Compliance
# ----------------------------------------  ------------
# /subscriptions/.../sqlDatabases/prod-db   NonCompliant
HIPAA in the Cloud
HIPAA requires a Business Associate Agreement (BAA) with the cloud provider. Only HIPAA-eligible services may process protected health information (PHI).
# GCP: HIPAA-covered products are published in Google Cloud's HIPAA documentation;
# they are not exposed through a gcloud filter (a name filter on "hipaa-eligible"
# matches nothing). Inventory the APIs the project has enabled and compare that
# list against the published one.
gcloud services list --enabled --format "value(config.name)"
# Create a log bucket with a one-year retention for HIPAA audit evidence
gcloud logging buckets create hipaa-audit-bucket \
  --location us-central1 \
  --retention-days 365 \
  --description "HIPAA audit log bucket"
# Route Data Access audit logs (the entries that record reads and writes of ePHI)
# to BigQuery. Data Access logs are off by default for most services and must be
# enabled in the project's IAM audit configuration first; the sink's writer
# identity also needs write access to the dataset.
gcloud logging sinks create hipaa-data-access \
  bigquery.googleapis.com/projects/my-project/datasets/hipaa_audit \
  --log-filter 'logName="projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access"' \
  --use-partitioned-tables
Automated Compliance Monitoring
Use cloud-native tools to continuously monitor compliance. AWS Config, Azure Policy, and GCP Organization Policies check configurations against compliance rules.
# AWS Config: create a managed rule that flags S3 buckets without default
# encryption (a configuration recorder and delivery channel must already exist)
aws configservice put-config-rule \
  --config-rule '{
    "ConfigRuleName": "s3-bucket-encryption",
    "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"}
  }'
# Check compliance results: list only the resources that fail the rule
aws configservice get-compliance-details-by-config-rule \
  --config-rule-name s3-bucket-encryption \
  --compliance-types NON_COMPLIANT
# Output:
# {
#   "EvaluationResults": [{
#     "EvaluationResultIdentifier": {
#       "EvaluationResultQualifier": {
#         "ConfigRuleName": "s3-bucket-encryption",
#         "ResourceType": "AWS::S3::Bucket",
#         "ResourceId": "my-public-bucket"
#       }
#     },
#     "ComplianceType": "NON_COMPLIANT"
#   }]
# }
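Added example (not from the original page or any cloud provider's tooling): a Python script that turns AWS Config evaluation output of the shape shown above into framework-tagged evidence rows and reports drift between two collection runs. The rule-to-control mapping and the sample buckets are constructed for illustration; the control identifiers are the frameworks' own, but which rule satisfies which control is an assumption to confirm with your auditor.

```python
import json

# Illustrative mapping from Config rule name to the control each framework uses
# for that check (assumed pairing; control IDs are the frameworks' own).
CONTROL_MAP = {
    "s3-bucket-encryption": {"SOC2": "CC6.1", "ISO27001": "A.8.24",
                             "HIPAA": "164.312(a)(2)(iv)"},
    "cloudtrail-enabled": {"SOC2": "CC7.2", "ISO27001": "A.8.15",
                           "HIPAA": "164.312(b)"},
}

# Constructed sample in the shape of
# `aws configservice get-compliance-details-by-config-rule` output.
SAMPLE_OUTPUT = json.loads("""{"EvaluationResults": [
  {"EvaluationResultIdentifier": {"EvaluationResultQualifier": {
     "ConfigRuleName": "s3-bucket-encryption",
     "ResourceType": "AWS::S3::Bucket", "ResourceId": "my-public-bucket"}},
   "ComplianceType": "NON_COMPLIANT"},
  {"EvaluationResultIdentifier": {"EvaluationResultQualifier": {
     "ConfigRuleName": "s3-bucket-encryption",
     "ResourceType": "AWS::S3::Bucket", "ResourceId": "phi-archive"}},
   "ComplianceType": "COMPLIANT"}]}""")

def evidence_records(config_output, collected_at):
    """One evidence row per evaluated resource, stamped with the collection
    time and the control it maps to in each framework. Unmapped rule = gap."""
    rows = []
    for result in config_output["EvaluationResults"]:
        q = result["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
        rule = q["ConfigRuleName"]
        if rule not in CONTROL_MAP:
            raise KeyError(f"Config rule {rule} is not mapped to any control")
        rows.append({"collected_at": collected_at, "rule": rule,
                     "resource": f'{q["ResourceType"]}/{q["ResourceId"]}',
                     "status": result["ComplianceType"],
                     "controls": CONTROL_MAP[rule]})
    return rows

def failing_controls(records, framework):
    """Controls in `framework` with at least one NON_COMPLIANT resource."""
    return sorted({r["controls"][framework] for r in records
                   if r["status"] == "NON_COMPLIANT"})

def drift(previous, current):
    """Resources whose status changed, appeared or vanished between snapshots."""
    prev = {r["resource"]: r["status"] for r in previous}
    curr = {r["resource"]: r["status"] for r in current}
    return {res: (prev.get(res), curr.get(res))
            for res in prev.keys() | curr.keys() if prev.get(res) != curr.get(res)}
```

Run evidence_records on each scheduled collection, store the rows, and feed the previous and current snapshots to drift so that a bucket that silently loses encryption shows up before the auditor asks.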
Common Mistakes
- Assuming provider certification covers your workload: Provider SOC 2 or ISO 27001 certification does not extend to your applications and data configurations. Your scope is separate.
- Not signing a BAA for HIPAA workloads: AWS, Azure, and GCP require a signed Business Associate Agreement before you can store PHI. Without it, you are non-compliant.
- Ignoring data residency requirements: SOC 2 and HIPAA may require data to remain in specific regions. Use organization policies to restrict resource deployment to approved regions.
- No evidence collection automation: Manual evidence collection before an audit is stressful and error-prone. Automate evidence gathering with AWS Config, Azure Policy, and GCP Security Command Center (SCC).
- Treating compliance as a one-time event: Compliance is continuous. New resources are created daily. Continuous monitoring ensures every resource remains compliant.
Practice Questions
- What is the difference between SOC 2 Type I and SOC 2 Type II?
- How does the shared responsibility model apply to HIPAA compliance?
- What is a Business Associate Agreement and why is it needed?
- How can AWS Config help maintain continuous compliance?
- Why is data residency important for SOC 2 compliance?
Challenge
Map SOC 2, ISO 27001, and HIPAA controls to a cloud architecture. For each framework, identify five controls that are customer-managed and demonstrate how you would implement them using cloud services. Write AWS Config rules, Azure Policy assignments, and GCP organization policies that automate evidence collection for at least two controls per framework.