Compliance and regulatory standards — AIF-C01
AWS AIF-C01: compliance standards, data governance mechanisms, and the shared-responsibility boundary that exam scenarios exploit.
WHAT IT IS
Compliance and regulatory standards are the external legal and industry requirements that govern how an organization collects, stores, processes, and protects data. Data governance is the internal framework — the processes, policies, and role assignments — that an organization uses to ensure its data practices align with those external requirements. In AWS terms, meeting a compliance obligation is the goal; data governance is the mechanism through which that goal is operationalized.
Mental model
Think of compliance as the rulebook handed to you from outside (regulators, auditors, laws), and data governance as the playbook your organization writes internally to follow that rulebook. You cannot hand the rulebook to AWS and consider the obligation fulfilled — your organization owns the playbook.
This distinction matters because AWS operates under a shared responsibility model. AWS publishes compliance reports and certifications for the infrastructure it controls ("security of the cloud"), but the customer is responsible for configuring services, classifying data, and applying access policies in ways that satisfy the customer's own regulatory obligations ("security in the cloud"). The laws and regulations applicable to your organization are explicitly listed by AWS as a factor that shapes customer responsibility — not AWS responsibility.
When to use it
| Situation | Who owns the obligation | Governance lever |
|---|---|---|
| Physical data-center audit controls | AWS (inherited control) | None required from customer |
| Guest OS patching on an EC2 instance | Customer | Policy enforcement, patch management procedures |
| Classifying and restricting access to sensitive training data | Customer | Data governance: access policies, data stewards, centrally defined rules |
| Encryption options for data stored in S3 or DynamoDB | Customer | Customer selects and manages encryption; AWS provides the capability |
| Awareness and training programs | Shared control — each party in its own context | Customer governs its own workforce training |
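The "encryption options" row is the kind of customer-specific control the exam expects you to recognise. As an added illustration (not from the exam blueprint or AWS documentation), the following S3 bucket policy is one way a customer exercises that lever: it denies any object upload that is not explicitly protected with SSE-KMS, so the encryption choice is enforced by a centrally defined policy rather than left to each uploader. The bucket name is a placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUploadsNotUsingSseKms",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-TRAINING-DATA-BUCKET/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyUploadsWithoutEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-TRAINING-DATA-BUCKET/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
```

Two statements are needed because a `StringNotEquals` condition does not match when the header is absent altogether; the `Null` condition closes that gap. Note the division of labour the policy makes visible: AWS provides the `s3:x-amz-server-side-encryption` condition key and the KMS integration (and, since 2023, applies SSE-S3 by default), but deciding that this data must use customer-managed KMS keys, writing the rule, and attaching it to the bucket are the customer's governance work.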
COMMON MISCONCEPTION
The trap: candidates assume that because AWS holds compliance certifications (for the infrastructure it manages), those certifications automatically cover the workloads and data the customer runs on top of that infrastructure.
This is wrong. AWS compliance certifications apply to the infrastructure AWS controls. The customer's obligation to demonstrate compliance with privacy regulations, data-residency rules, or industry standards for their own data remains the customer's responsibility. AWS data governance guidance states that governance frameworks must "prevent unauthorized access by centrally defined policies" — that policy work belongs to the customer, not to AWS. Inheriting AWS's physical controls does not mean inheriting AWS's certifications for customer-controlled layers.
A related confusion: data governance is sometimes treated as purely a security tool. It is broader — it also determines "who can take what action, upon what data, using what methods," which means it directly shapes whether an organization can demonstrate regulatory compliance for data-access audits, not only whether data is encrypted.
How it shows up on the exam
Questions in this area typically ask candidates to identify which party (AWS or customer) is accountable for a compliance-related action in a described scenario, or to select the governance mechanism appropriate to a described regulatory requirement.
Candidates often confuse "AWS is certified/compliant" with "my workload is compliant." Scenarios that describe sensitive data handling, data classification, access control policies, or regulatory audit requirements are signals that the customer-side governance layer is being tested — not the AWS-managed infrastructure layer. Signal phrases to recognize: "regulatory requirement," "data residency," "access policy," "data classification," "audit controls for customer data," "privacy regulation."
The cognitive target is distinguishing inherited controls (physical/environmental, fully owned by AWS) from shared controls (patch management, configuration management, awareness and training — each party responsible in its own context) and customer-specific controls (data access policies, encryption choices, data classification).
Related concepts
Sources
Every claim on this page traces to the public exam blueprint and official documentation: