CLF-C02 Governance, Compliance, Logging and Security Services Guide

Study CLF-C02 Governance, Compliance, Logging and Security Services: key concepts, common traps, and exam decision cues.

This is the part of CLF-C02 where similar-sounding AWS services start to blur together. The exam expects broad recognition, not specialist incident-response skill. You need to know which service provides compliance documents, which one records API actions, which one monitors metrics, and which ones help detect or summarize security issues.

Compliance: Meeting external or internal rules, standards, or control requirements.

Audit trail: Record of what actions happened, by whom, and when.

Keep these service lanes separate

| Service | Strongest CLF-C02 mental label |
|---|---|
| AWS Artifact | compliance reports and agreements |
| AWS CloudTrail | records API activity and account actions |
| Amazon CloudWatch | monitoring, metrics, logs, alarms |
| AWS Config | configuration tracking and rule evaluation |
| AWS Security Hub | aggregated security findings view |
| Amazon GuardDuty | threat detection |
| AWS Shield | DDoS protection |
| Amazon Inspector | vulnerability and exposure assessment |

If a question asks where to find audit evidence about AWS actions, CloudTrail is stronger than CloudWatch. If it asks for compliance reports from AWS, Artifact is the lane.
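
To make the audit-evidence point concrete, the following added example (not part of the original guide) reduces CloudTrail-style event records to the who, what, and when of an audit trail. The records, account ID, user names, and IP addresses are constructed sample data; the field names follow the CloudTrail record format.

```python
import json
from datetime import datetime, timezone

# Constructed sample records in CloudTrail's JSON shape (not real account data).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2026-05-01T09:14:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2026-05-01T09:02:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"}},
    {"eventTime": "2026-05-01T09:20:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.25",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/carol"}},
]})


def audit_trail(log_text):
    """Return who/what/when rows, oldest first, from a CloudTrail log file body."""
    rows = []
    for rec in json.loads(log_text).get("Records", []):
        identity = rec.get("userIdentity", {})
        # Some callers (for example AWS services) carry no ARN; fall back to the type.
        who = identity.get("arn") or identity.get("type", "unknown")
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append({
            "when": when,
            "who": who,
            "what": f'{rec["eventSource"].split(".")[0]}:{rec["eventName"]}',
            "from": rec.get("sourceIPAddress", "unknown"),
            "outcome": rec.get("errorCode", "success"),  # errorCode appears only on failed calls
        })
    return sorted(rows, key=lambda r: r["when"])


def actions_by(rows, principal_suffix):
    """Answer the audit question 'what did this principal do?'."""
    return [r["what"] for r in rows if r["who"].endswith(principal_suffix)]


if __name__ == "__main__":
    for r in audit_trail(SAMPLE_LOG):
        print(r["when"].isoformat(), r["who"], r["what"], r["from"], r["outcome"])
```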

Compliance versus security operations

CLF-C02 wants you to see that these are related but different:

  • Compliance resources: prove, document, or assess controls
  • Logging and monitoring: record or observe what is happening
  • Threat detection: flag suspicious behavior
  • Protection controls: help block or reduce specific threat types

Encryption and governance ideas

The exam also expects broad understanding of:

  • encryption at rest versus in transit
  • the fact that different services have different compliance and control capabilities
  • the idea that governance includes visibility, auditability, and policy enforcement, not only blocking attacks

A small classification example

Need: "Show me AWS compliance documentation and audit reports."
Strong lane: AWS Artifact

Need: "Show me which API calls happened in the account."
Strong lane: AWS CloudTrail

These two asks both sound like “security information,” but they point to different services.

Decision order that usually wins

Work through these questions in this order:

  1. Is the need about evidence, activity history, monitoring, threat detection, or protection?
  2. If it is about AWS-generated compliance reports or agreements, choose AWS Artifact.
  3. If it is about who did what in the account through API activity, choose AWS CloudTrail.
  4. If it is about metrics, logs, and alarms, choose Amazon CloudWatch.
  5. If it is about suspicious behavior or summarized security findings, decide between GuardDuty and Security Hub instead of reaching for a generic “security” answer.

Common traps

  • using CloudWatch as if it were the same as CloudTrail
  • assuming Security Hub itself is the same thing as DDoS protection
  • treating Artifact as a runtime monitoring service
  • forgetting that governance and compliance questions often want evidence and visibility, not just blocking controls

Harder scenario question

An auditor asks a company to provide AWS-generated compliance reports and agreements relevant to regulatory review. Which AWS service is the strongest first fit?

  • A. AWS Artifact
  • B. Amazon GuardDuty
  • C. AWS Shield
  • D. Amazon Route 53

Correct answer: A. Artifact is the AWS service specifically used to access compliance reports and agreements. The other answers are security or networking services, not compliance-document sources.

Revised on Sunday, May 10, 2026