Module 08 · Multi-Cloud Security Curriculum
Cloud Compliance, Risk & Governance
~60 minutes covering ISO 27001, SOC 2, PCI-DSS, GDPR, HIPAA, FedRAMP, CSA CCM, cloud risk assessment, and cloud governance tooling across AWS, Azure, and GCP.
20
Interview Q&As
25
MCQ Questions
4
Simulations
8
Curriculum Hours
Topics Covered
| Area | Key Concepts |
|---|---|
| Compliance Frameworks | ISO 27001/27017, SOC 2, PCI-DSS v4, GDPR, HIPAA, FedRAMP |
| Control Mapping | CSA CCM v4, CIS Benchmarks, NIST 800-53 |
| Cloud Risk | Risk assessment, risk register, cloud-specific risks, AWS WAF Tool |
| Cloud Governance (AWS) | AWS Organizations, Control Tower, SCPs, Guardrails |
| Cloud Governance (Azure) | Management Groups, Azure Policy, Blueprints, Regulatory Compliance |
| Cloud Governance (GCP) | Resource Hierarchy, Org Policies, Asset Inventory |
💡 Compliance knowledge is critical for cloud security architect and GRC roles. Know which framework applies to which industry and be able to explain the difference between SOC 2 Type I and Type II.
Core Concepts · ~10 min
Compliance & Governance Fundamentals
Key Compliance Frameworks
| Framework | Scope | Key Requirement | Audit Type |
|---|---|---|---|
| ISO/IEC 27001 | Any org, global | ISMS implementation (Annex A controls) | Third-party certification (annual surveillance + 3yr recert) |
| SOC 2 Type II | SaaS/cloud providers | Trust Service Criteria: Security, Availability, Confidentiality, Privacy, Processing Integrity | CPA audit over 6-12 month period |
| PCI-DSS v4.0 | Payment card data | 12 requirements around CDE protection | QSA assessment or SAQ (self-assessment) |
| GDPR | EU citizen data (global reach) | Consent, data rights, 72hr breach notification, DPO | Supervisory authority; fines up to €20M or 4% |
| HIPAA | US healthcare PHI | Privacy Rule, Security Rule, Breach Notification Rule; BAA required | HHS audits; civil/criminal penalties |
| FedRAMP | US federal agencies' cloud | NIST 800-53 controls; Low/Moderate/High baselines | 3PAO assessment; ATO from sponsoring agency |
SOC 2 Type I vs Type II
| Aspect | SOC 2 Type I | SOC 2 Type II |
|---|---|---|
| What it proves | Controls are suitably designed at a point in time | Controls operated effectively over a period (6–12 months) |
| Testing period | Single date/point in time | Extended observation period |
| Trust level | Lower — design only | Higher — operational effectiveness proven |
| Typical use | Early-stage startups; first audit | Mature orgs; enterprise customers require it |
PCI-DSS v4.0 — 12 Requirements Summary
| # | Requirement |
|---|---|
| 1 | Install and maintain network security controls (firewall) |
| 2 | Apply secure configurations to all system components (no vendor defaults) |
| 3 | Protect stored account data (encryption at rest) |
| 4 | Protect cardholder data in transit (TLS encryption) |
| 5 | Protect all systems against malware (AV/EDR) |
| 6 | Develop and maintain secure systems and software (patching, SDLC) |
| 7 | Restrict access to system components by business need to know |
| 8 | Identify users and authenticate access to system components (MFA) |
| 9 | Restrict physical access to cardholder data |
| 10 | Log and monitor all access to system components and cardholder data |
| 11 | Test security of systems and networks regularly (pentest, vulnerability scans) |
| 12 | Support information security with organizational policies and programs |
Cloud Governance Tools
| Cloud | Tool | Purpose |
|---|---|---|
| AWS | AWS Organizations + SCPs | Multi-account management; Service Control Policies enforce guardrails across all accounts |
| AWS | AWS Control Tower | Landing Zone automation; pre-built Guardrails; account vending machine |
| Azure | Management Groups | Hierarchical grouping of subscriptions for policy inheritance |
| Azure | Azure Policy | Enforce rules (deny, audit, deployIfNotExists) on Azure resources |
| GCP | Organization Policies | Constrain resource configurations org-wide (e.g., disable public IPs) |
| Multi | CSA CCM v4 | Maps 197 controls across 17 domains to ISO 27001, SOC 2, PCI-DSS, HIPAA, NIST |
🎯 Key Distinctions: SOC 2 Type I = design at a point in time; Type II = operating effectiveness over time. ISO 27001 is a certification; SOC 2 is an attestation report. HIPAA requires a BAA with cloud providers. FedRAMP requires a 3PAO (Third-Party Assessment Organization).
Interview Q&A · ~20 min · 20 Questions
Interview Questions & Model Answers
1What is ISO 27001 and how does it apply to cloud environments?Medium▼
ISO/IEC 27001 is an international standard for Information Security Management Systems (ISMS). It specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS. Organizations can be certified by an accredited third-party auditor.
Key components:
Key components:
- Annex A: 93 control categories (ISO 27001:2022) covering organizational, people, physical, and technological controls
- Risk-based: Organizations select controls based on a risk assessment, not all controls are mandatory
- Plan-Do-Check-Act (PDCA): Continuous improvement cycle
- ISO 27017: Additional controls specifically for cloud service providers and cloud customers
- ISO 27018: Controls for protection of PII in public cloud services
💡 AWS, Azure, and GCP are all ISO 27001/27017/27018 certified — customers can leverage the CSP's certification within the shared responsibility model.
2What is the difference between SOC 2 Type I and Type II?Easy▼
- SOC 2 Type I: Auditor assesses whether security controls are suitably designed at a single point in time. Tests control design only — not whether they actually worked over time.
- SOC 2 Type II: Auditor assesses whether controls operated effectively over an observation period (typically 6–12 months). Much stronger assurance — proves controls actually worked.
Trust Service Criteria (TSC): Security (required), Availability, Confidentiality, Privacy, Processing Integrity (optional — chosen based on scope).
💡 A SOC 2 report is NOT public — it's shared under NDA with customers. A SOC 3 is the public version (high-level summary only).
3What are the 12 requirements of PCI-DSS?Hard▼
PCI-DSS (Payment Card Industry Data Security Standard) v4.0 has 12 requirements:
- Install and maintain network security controls (firewalls)
- Apply secure configurations (no vendor defaults)
- Protect stored account data (encrypt at rest)
- Protect cardholder data in transit (TLS)
- Protect all systems against malware (AV/EDR)
- Develop and maintain secure systems and software (patching, SDLC)
- Restrict access by business need (least privilege)
- Identify users and authenticate (strong passwords, MFA)
- Restrict physical access to cardholder data
- Log and monitor all access (audit logs)
- Test security regularly (penetration testing, vulnerability scans)
- Support information security with organizational policies
💡 The Cardholder Data Environment (CDE) is the scope of PCI-DSS. Reducing CDE scope (via tokenization, network segmentation) reduces the compliance burden. Tokenization replaces PANs with tokens, keeping card data out of your systems entirely.
4What is cardholder data environment (CDE) and how is it scoped?Hard▼
The Cardholder Data Environment (CDE) is the set of people, processes, and technology that store, process, or transmit cardholder data (Primary Account Number, cardholder name, expiry, CVV) or that are connected to systems that do.
All PCI-DSS requirements apply within the CDE. Reducing CDE scope is the most effective way to reduce PCI compliance burden:
All PCI-DSS requirements apply within the CDE. Reducing CDE scope is the most effective way to reduce PCI compliance burden:
- Tokenization: Replace the PAN with a non-sensitive token. The real PAN is stored in a token vault (often a third-party payment processor). Your systems only ever see the token — dramatically reducing scope.
- Network segmentation: Isolate CDE from non-CDE systems using firewalls, VLANs, or separate cloud accounts. Systems that cannot reach the CDE are out of scope.
- Use a PCI-certified payment processor: Stripe, Braintree, Adyen handle the CDE entirely — you redirect users to their hosted payment page.
💡 If you can avoid touching card data entirely (redirect to a payment page), you can potentially qualify for the simplest PCI self-assessment questionnaire (SAQ-A) with minimal controls.
5What is GDPR and how does it affect cloud deployments?Medium▼
GDPR (General Data Protection Regulation) is EU law governing how personal data of EU/EEA residents is collected, stored, processed, and transferred. It applies to any organization worldwide that processes EU citizen data.
Cloud-specific implications:
Cloud-specific implications:
- Data residency: Must understand where data is stored (AWS region, Azure datacenter). Some GDPR interpretations require EU data to stay in EU.
- Data transfers: Transferring EU personal data outside EU/EEA requires safeguards: Standard Contractual Clauses (SCCs), adequacy decisions, or Binding Corporate Rules
- DPA with CSP: Must have a Data Processing Agreement (DPA) with your cloud provider — AWS, Azure, GCP all provide DPAs
- Breach notification: Must notify supervisory authority within 72 hours of discovering a personal data breach
- Data subject rights: Right of access, rectification, erasure (right to be forgotten), portability, restriction, objection — must be technically implementable
💡 A key question in cloud architecture reviews: "Which regions will data be stored in?" If EU user PII is involved, ensure it stays in EU regions and replication doesn't cross to non-adequate countries.
6What is a Business Associate Agreement (BAA) in HIPAA?Medium▼
HIPAA (Health Insurance Portability and Accountability Act) requires that covered entities (hospitals, insurers, healthcare providers) sign a Business Associate Agreement (BAA) with any vendor or partner (Business Associate) that handles Protected Health Information (PHI) on their behalf.
A BAA is a legal contract that:
A BAA is a legal contract that:
- Defines how the BA will safeguard PHI
- Specifies permitted uses and disclosures of PHI
- Requires the BA to report security incidents and breaches
- Ensures the BA implements HIPAA Security Rule safeguards
- AWS, Azure, and GCP all offer BAAs for HIPAA-eligible services
- Not all cloud services are HIPAA-eligible — AWS has a specific list of HIPAA-eligible services
- Without a signed BAA, you cannot store PHI in that cloud service — period
💡 If a customer says they're in healthcare, your first question should be: "Have you signed BAAs with your cloud providers for all services touching PHI?" Missing BAA = automatic HIPAA violation.
7What is FedRAMP and who needs it?Hard▼
FedRAMP (Federal Risk and Authorization Management Program) is a US government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies.
Who needs it: Any cloud service provider (CSP) that wants to sell to US federal government agencies MUST obtain FedRAMP authorization. Without it, agencies cannot use the service to process government data.
Process:
Who needs it: Any cloud service provider (CSP) that wants to sell to US federal government agencies MUST obtain FedRAMP authorization. Without it, agencies cannot use the service to process government data.
Process:
- Security baselines: Low, Moderate, High (based on NIST 800-53 control levels)
- 3PAO: Third-Party Assessment Organization performs the security assessment
- ATO: Authorization to Operate — issued by the sponsoring agency or FedRAMP PMO (Joint Authorization Board)
- Continuous monitoring: Monthly vulnerability scans, annual assessments, ongoing reporting
💡 FedRAMP authorization can take 12-24 months and cost millions — it's a significant barrier to entry that provides a competitive moat once achieved.
8What is the CSA Cloud Controls Matrix (CCM)?Medium▼
The CSA Cloud Controls Matrix (CCM) v4 is a cybersecurity control framework developed by the Cloud Security Alliance (CSA) specifically for cloud environments. It contains 197 control objectives organized across 17 domains (e.g., Identity & Access Management, Data Security, Infrastructure & Virtualization Security).
Primary value: CCM maps each control to multiple compliance frameworks simultaneously:
Primary value: CCM maps each control to multiple compliance frameworks simultaneously:
- ISO/IEC 27001:2013
- SOC 2 Trust Service Criteria
- PCI-DSS v3.2.1
- HIPAA
- NIST 800-53
- GDPR
💡 When a customer asks "Do you comply with ISO 27001 AND SOC 2 AND PCI-DSS?" you can use the CCM as a unified framework to demonstrate all three simultaneously without separate control sets.
9What is the difference between compliance and security?Easy▼
This is a critical distinction often tested in interviews:
- Compliance means meeting the minimum requirements of a specific regulation or standard at a point in time. It's binary: compliant or not. It looks backward (did we meet the standard during the audit period?).
- Security is the ongoing practice of identifying and mitigating risks to protect systems and data. It looks forward — is the organization resilient against emerging threats?
- An org can pass a PCI-DSS audit but still be breached through an unscoped system the next day
- An org may have excellent security practices that don't map to a specific compliance framework
💡 This is a gold-standard interview answer. Show that you understand compliance is necessary but insufficient — and that you think about security outcomes, not just checkbox ticking.
10What is AWS Control Tower?Medium▼
AWS Control Tower is a managed service that automates the setup of a multi-account AWS environment (Landing Zone) following AWS best practices. It provides:
- Landing Zone: Pre-configured multi-account structure (Management account, Log Archive account, Audit account)
- Guardrails: Pre-built governance rules — Mandatory (always enforced), Strongly Recommended, Elective. Implemented as SCPs and AWS Config Rules.
- Account Factory: Account vending machine — provision new accounts with security baseline automatically
- Dashboard: Compliance status of all accounts in one view
- Every new account automatically gets centralized logging (CloudTrail to Log Archive), IAM baseline, and mandatory guardrails
- Prevents non-compliant account configurations from day 1
- Scales governance to hundreds of accounts
💡 Control Tower sits on top of AWS Organizations + SCPs + Config + CloudTrail. You can use these primitives directly, but Control Tower orchestrates them with opinionated best-practice defaults.
11What is the shared responsibility model in the context of audits?Hard▼
In cloud compliance audits, responsibility is split between what the Cloud Service Provider (CSP) covers and what the customer must demonstrate:
What the CSP provides (their responsibility):
What the customer must demonstrate:
What the CSP provides (their responsibility):
- SOC 2 Type II reports for their infrastructure
- ISO 27001 / 27017 / 27018 certifications
- FedRAMP authorizations (for eligible services)
- PCI-DSS attestations (Attestation of Compliance / AOC)
What the customer must demonstrate:
- IAM configuration (who has access to what)
- Data encryption configuration
- Logging and monitoring setup
- Application-level controls
- Security policies and training
- Incident response procedures
💡 AWS, Azure, and GCP all have compliance portals where you can download their audit reports (SOC 2, ISO certs) to include in your own audit evidence packages.
12What is a cloud risk assessment and how do you conduct one?Hard▼
A cloud risk assessment identifies, analyzes, and evaluates risks to cloud assets to prioritize mitigation efforts. Process:
- Asset Inventory: What cloud services, accounts, regions, and data types are in scope?
- Threat Identification: What threats are relevant? (Misconfiguration, credential theft, insider threat, CSP outage, etc.)
- Vulnerability Assessment: What weaknesses exist? (CSPM findings, missing controls, over-privilege)
- Risk Analysis: Likelihood × Impact = Risk Level for each threat/vulnerability pair
- Risk Register: Document all risks with owner, likelihood, impact, current controls, residual risk
- Risk Treatment: Accept, Mitigate, Transfer (cyber insurance), or Avoid each risk
- Review Cycle: Reassess periodically or after significant changes
💡 Use AWS Well-Architected Tool (free) — answer questions about your workload and get an automated risk report with prioritized improvement recommendations across the Security, Reliability, Performance, Cost, and Sustainability pillars.
13What is a Landing Zone in cloud governance?Medium▼
A Landing Zone is a pre-configured, secure, multi-account cloud environment that provides a governance foundation for workloads. It establishes guardrails, accounts structure, networking, logging, and identity before any workloads are deployed — ensuring everything built on top starts from a secure baseline.
Typical Landing Zone components:
Typical Landing Zone components:
- Account structure: Management account, Security/Audit account, Log Archive account, Sandbox accounts, Production accounts (in separate OUs)
- Networking: Hub VPC, shared services, DNS, Direct Connect/VPN connectivity
- Security baseline: CloudTrail in all regions, Config rules, Security Hub enabled, GuardDuty enabled
- IAM: SSO setup, federated identity, break-glass accounts
- Compliance: SCPs enforcing guardrails across all accounts
💡 The "Account Vending Machine" is part of Landing Zone automation — when a team needs a new AWS account, it's provisioned automatically with all security baselines pre-applied, instead of manually configured.
14What are AWS Service Control Policies (SCPs)?Medium▼
SCPs are policy documents attached to AWS Organizations OUs (Organizational Units) or accounts that define the maximum permissions any IAM identity in those accounts can have — regardless of what IAM policies grant.
Key characteristics:
Key characteristics:
- SCPs do NOT grant permissions — they set ceilings (guardrails). Actual permissions still require IAM policies.
- Applied hierarchically: Management Account → OUs → Member Accounts → IAM identities
- Cannot restrict the Management (root) account itself
- Deny access to non-approved AWS regions:
Deny * unless region in [us-east-1, eu-west-1] - Prevent disabling CloudTrail:
Deny cloudtrail:StopLogging - Require MFA for sensitive actions:
Deny DeleteBucket unless MFA is present - Prevent leaving the Organization
- Restrict to approved services only (allowlist)
💡 SCPs affect ALL identities in the account including account root user (with the exception of the management account). This makes them a very powerful preventive control for organizational governance.
15What is COBIT 2019 and how does it relate to cloud governance?Hard▼
COBIT (Control Objectives for Information and Related Technologies) 2019 is a governance framework for enterprise IT published by ISACA. It provides a comprehensive framework for IT governance and management across five governance objectives: Evaluate, Direct, Monitor (Board-level) and Align, Plan, Organize, Build, Acquire, Implement, Deliver, Service, Support, Monitor, Evaluate (Management-level).
Cloud relevance:
Cloud relevance:
- Provides governance processes for cloud strategy decisions (make vs buy, multi-cloud vs single cloud)
- Defines IT risk management processes applicable to cloud risk assessment
- Maps to ISO 38500 (IT Governance standard)
- Used by GRC teams and CIOs to align IT governance with business objectives
- COBIT = IT governance (broader than security)
- ISO 27001 = information security management
- NIST CSF = cybersecurity risk management framework
💡 For most cloud security roles, NIST CSF and ISO 27001 are more directly relevant day-to-day. COBIT matters more for CISM/CRISC-level governance and board reporting.
16What is the difference between ISO 27001 and ISO 27017?Medium▼
- ISO/IEC 27001: The main ISMS standard. Framework for establishing, implementing, and maintaining an information security management system. Certifiable. Applies to all organizations.
- ISO/IEC 27017: Code of Practice providing additional guidelines and controls specifically for cloud services — both for cloud service providers AND cloud customers. Not separately certifiable (extends 27001).
- ISO/IEC 27018: Code of Practice for protection of personally identifiable information (PII) in public cloud computing — the "cloud data privacy" standard.
💡 Major CSPs (AWS, Azure, GCP) are certified to ISO 27001 AND compliant with 27017 and 27018. You can find their certificates on their compliance portals.
17What is a Standard Contractual Clause (SCC) under GDPR?Hard▼
Standard Contractual Clauses (SCCs) are pre-approved model contract clauses published by the European Commission that provide legal safeguards for transferring personal data from the EU/EEA to third countries (countries without an EU adequacy decision).
Why needed:
Why needed:
- GDPR restricts transfer of EU personal data to countries outside the EU/EEA unless adequate protection exists
- Only a handful of countries have adequacy decisions (UK, Japan, Canada, etc.)
- For transfers to the US (where most cloud providers are based): No adequacy decision exists post-Schrems II (2020) — SCCs are the primary mechanism
- AWS, Azure, GCP include SCCs in their Data Processing Agreements (DPAs)
- Customer must still conduct a Transfer Impact Assessment (TIA) to verify SCCs provide sufficient protection
💡 Post-Schrems II (2020 ECJ ruling that invalidated Privacy Shield), SCCs + supplementary measures (encryption, pseudonymization) are the standard mechanism for EU→US cloud data transfers.
18What is the AWS Well-Architected Tool?Easy▼
The AWS Well-Architected Tool is a free AWS service (available in the AWS Console) that helps you review your cloud workloads against AWS best practices across six pillars:
- Operational Excellence
- Security (identity, detection, infrastructure protection, data protection, incident response)
- Reliability
- Performance Efficiency
- Cost Optimization
- Sustainability
- You answer a series of questions about your workload architecture
- The tool identifies high-risk issues (HRIs) and medium-risk issues (MRIs)
- Provides prioritized recommendations with links to detailed guidance
- Generates a PDF report suitable for sharing with leadership
💡 AWS Partners can also use the Well-Architected Tool to run formal reviews with customers — it's a key tool for AWS consulting engagements.
19How do you map controls across multiple compliance frameworks simultaneously?Hard▼
Multi-framework control mapping (also called "compliance as code" or unified GRC) avoids duplicating work for each framework. Approaches:
- CSA CCM as a meta-framework: CCM maps 197 controls to ISO 27001, SOC 2, PCI-DSS, HIPAA, NIST. Implement controls once, demonstrate compliance to many.
- GRC platforms: Drata, Vanta, Secureframe, ServiceNow GRC — automate evidence collection, map controls to frameworks, provide real-time compliance dashboards
- Control families: Group similar requirements (e.g., "MFA for privileged accounts" satisfies: ISO 27001 A.9.4, SOC 2 CC6.1, PCI-DSS Req 8, NIST 800-53 IA-5). Implement once, map to all.
- NIST 800-53 as a superset: NIST 800-53 is one of the most comprehensive control sets — mapping to it effectively covers most other frameworks
💡 Tools like Vanta integrate directly with AWS, GitHub, Jira, etc. to automatically collect evidence (e.g., "CloudTrail is enabled" → satisfies ISO 27001 A.12.4 + SOC 2 CC7.2 + PCI-DSS Req 10).
20What is Azure Policy and how is it used for cloud governance?Medium▼
Azure Policy is a governance service that allows you to create, assign, and manage policies that enforce specific rules on Azure resources — ensuring resources remain compliant with organizational standards.
Policy effects:
Policy effects:
- Deny: Prevents non-compliant resource creation/modification
- Audit: Flags non-compliant resources without blocking (good for assessment)
- DeployIfNotExists: Automatically deploys a related resource if it doesn't exist (e.g., auto-enable diagnostics on VMs)
- Modify: Adds/replaces properties on non-compliant resources
- Policy Initiatives (Policy Sets): Group related policies for a compliance framework (built-in: CIS, NIST, ISO 27001, PCI-DSS)
- Regulatory Compliance Dashboard: Visual compliance status mapped to CIS, NIST, ISO 27001, PCI-DSS
- Remediation tasks: Fix existing non-compliant resources automatically
💡 Use Audit first to understand your current compliance posture, then switch to Deny once you've remediated existing violations. Never start with Deny in a live environment — you might block legitimate resources.
MCQ Quiz · ~15 min · 25 Questions
Multiple Choice Questions
Progress:
0 / 25
Simulation 1 · Compliance
Compliance Framework Matcher
Match each scenario to the most applicable compliance framework.
Simulation 2 · PCI-DSS
PCI-DSS Requirement Mapper
Match each description to the correct PCI-DSS requirement number (1–12).
Simulation 3 · Cloud Governance
Cloud Governance Tool Matcher
Match each governance task to the correct cloud tool.
Simulation 4 · Risk Management
Cloud Risk Register Builder
Select a risk, set Likelihood and Impact, and build a mini risk register. The risk matrix calculates your risk level automatically.
RiskLikelihoodImpactRisk Level
Risk Matrix: High+High=Critical | High+Medium or Medium+High=High | Medium+Medium=Medium | Any Low=Low
🎉
Module 08 Complete!
MCQ Score: