Skip to main content
Multi-CloudSecurityadvanced

Compliance Frameworks Across Clouds

Map SOC 2, HIPAA, PCI-DSS, and FedRAMP across AWS, Azure, GCP with implementation guides and continuous monitoring.

CloudToolStack Team25 min readPublished Mar 14, 2026

Prerequisites

  • Understanding of compliance framework basics
  • Familiarity with cloud security fundamentals

Cloud Compliance Landscape

Compliance frameworks establish security and privacy requirements that organizations must meet, either by regulation (HIPAA, PCI-DSS, FedRAMP) or by industry best practice (SOC 2, ISO 27001). In multi-cloud environments, compliance becomes more complex because you must ensure each cloud provider meets the framework requirements and that your architecture maintains compliance across all providers simultaneously.

The good news is that all major cloud providers have achieved certifications for the most common compliance frameworks. However, the shared responsibility model means the cloud provider is responsible for the security of the cloud (infrastructure, data centers, physical security), while you are responsible for security in the cloud (data encryption, access control, network configuration, application security).

This guide maps major compliance frameworks across AWS, Azure, GCP, and OCI, explains the shared responsibility boundaries for each, and provides practical implementation guidance for SOC 2, HIPAA, PCI-DSS, and FedRAMP across clouds.

Compliance vs Security

Compliance is a subset of security. Meeting compliance requirements does not make you secure; it means you meet a minimum bar defined by the framework. A truly secure environment goes beyond compliance with defense-in-depth, continuous monitoring, and proactive threat hunting. Use compliance frameworks as a baseline, not a ceiling.

Framework Coverage by Provider

FrameworkAWSAzureGCPOCI
SOC 2 Type IIYesYesYesYes
ISO 27001YesYesYesYes
HIPAABAA availableBAA availableBAA availableBAA available
PCI-DSS Level 1YesYesYesYes
FedRAMP HighGovCloudAzure GovernmentAssured WorkloadsGovernment Cloud
GDPRDPA availableDPA availableDPA availableDPA available
CSA STARLevel 2Level 2Level 2Level 2

SOC 2 Implementation

SOC 2 (System and Organization Controls 2) evaluates an organization against five trust service criteria: security, availability, processing integrity, confidentiality, and privacy. For cloud environments, SOC 2 requires demonstrating controls for access management, encryption, monitoring, incident response, and change management.

SOC 2 Controls Mapping

SOC 2 CriteriaAWS ImplementationAzure ImplementationGCP Implementation
Access control (CC6.1)IAM, SCPs, MFAEntra ID, RBAC, Conditional AccessIAM, Org Policies, BeyondCorp
Logging (CC7.2)CloudTrail, ConfigActivity Log, Diagnostic SettingsAudit Logs, Access Transparency
Encryption (CC6.7)KMS, ACM, S3 encryptionKey Vault, disk encryptionCloud KMS, CMEK
Monitoring (CC7.1)GuardDuty, Security HubDefender for Cloud, SentinelSecurity Command Center
Change management (CC8.1)Config Rules, CloudFormationAzure Policy, BlueprintsOrg Policies, Terraform
bash
# AWS: Enable compliance monitoring with Security Hub
aws securityhub enable-security-hub \
  --enable-default-standards

# Enable SOC 2 standard
aws securityhub batch-enable-standards \
  --standards-subscription-requests '[
    {"StandardsArn": "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"}
  ]'

# Azure: Enable Defender for Cloud with regulatory compliance
az security pricing create --name VirtualMachines --tier Standard
az security auto-provisioning-setting update --name default --auto-provision On

# GCP: Enable Security Command Center
gcloud scc organizations update-settings \
  --organization=ORG_ID \
  --enable-modules=SECURITY_HEALTH_ANALYTICS,WEB_SECURITY_SCANNER

HIPAA Implementation

HIPAA (Health Insurance Portability and Accountability Act) requires safeguards for Protected Health Information (PHI). In cloud environments, you must sign a Business Associate Agreement (BAA) with each cloud provider, use only HIPAA-eligible services, enable encryption at rest and in transit, implement access controls and audit logging, and establish incident response procedures.

bash
# AWS HIPAA: Use only eligible services and enforce encryption
# Create an SCP to restrict to HIPAA-eligible services
cat > hipaa-scp.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "NotAction": [
        "ec2:*", "s3:*", "rds:*", "lambda:*", "dynamodb:*",
        "kms:*", "cloudtrail:*", "config:*", "cloudwatch:*",
        "iam:*", "sts:*", "elasticloadbalancing:*",
        "sqs:*", "sns:*", "secretsmanager:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": ["us-east-1", "us-west-2"]
        }
      }
    }
  ]
}
EOF

# Enforce S3 encryption for PHI
aws s3api put-bucket-encryption \
  --bucket phi-data-bucket \
  --server-side-encryption-configuration '{
    "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/phi-key"}, "BucketKeyEnabled": true}]
  }'

# Block public access on PHI buckets
aws s3api put-public-access-block \
  --bucket phi-data-bucket \
  --public-access-block-configuration '{
    "BlockPublicAcls": true, "IgnorePublicAcls": true,
    "BlockPublicPolicy": true, "RestrictPublicBuckets": true
  }'

PCI-DSS Implementation

PCI-DSS (Payment Card Industry Data Security Standard) applies to any organization that stores, processes, or transmits cardholder data. PCI-DSS has 12 requirements grouped into six categories. Cloud environments must implement network segmentation, access controls, encryption, vulnerability management, monitoring, and security testing.

PCI-DSS Requirements Mapping

PCI RequirementCloud ImplementationTools
1. Network segmentationVPC/VNet isolation, security groups, NACLsVPC, NSG, Firewall Rules
2. Secure configurationsHardened AMIs, CIS benchmarks, policy-as-codeConfig Rules, Azure Policy, Org Policy
3. Protect stored dataEncryption at rest, key management, tokenizationKMS, Key Vault, Cloud KMS
4. Encrypt transmissionTLS 1.2+, VPN, private connectivityACM, App Gateway, Managed SSL
7. Restrict accessLeast privilege IAM, MFA, just-in-time accessIAM, RBAC, Conditional Access
10. Track and monitorCentralized logging, SIEM integrationCloudTrail, Activity Log, Audit Logs
11. Test securityVulnerability scanning, penetration testingInspector, Defender, SCC

FedRAMP and Government Cloud

FedRAMP (Federal Risk and Authorization Management Program) provides a standardized approach to security assessment and authorization for cloud services used by U.S. federal agencies. FedRAMP has three impact levels: Low, Moderate, and High. Each cloud provider offers dedicated government regions that meet FedRAMP requirements.

ProviderGovernment RegionFedRAMP LevelIL (Impact Level)
AWSGovCloud (US-East, US-West)HighIL2, IL4, IL5
AzureAzure Government (Virginia, Texas, Arizona)HighIL2, IL4, IL5, IL6
GCPAssured Workloads (US regions)HighIL2, IL4, IL5
OCIGovernment Cloud (Ashburn, Phoenix, Chicago)HighIL2, IL4, IL5

Continuous Compliance Monitoring

hcl
# AWS Config Rules for continuous compliance
resource "aws_config_config_rule" "encrypted_volumes" {
  name = "encrypted-volumes"
  source {
    owner             = "AWS"
    source_identifier = "ENCRYPTED_VOLUMES"
  }
}

resource "aws_config_config_rule" "root_mfa" {
  name = "root-account-mfa-enabled"
  source {
    owner             = "AWS"
    source_identifier = "ROOT_ACCOUNT_MFA_ENABLED"
  }
}

resource "aws_config_config_rule" "s3_encryption" {
  name = "s3-bucket-server-side-encryption-enabled"
  source {
    owner             = "AWS"
    source_identifier = "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"
  }
}

# Azure Policy for compliance
resource "azurerm_policy_assignment" "hipaa" {
  name                 = "hipaa-hitrust"
  scope                = azurerm_management_group.main.id
  policy_definition_id = "/providers/Microsoft.Authorization/policySetDefinitions/a169a624-5599-4385-a696-c8d643089fab"
  display_name         = "HIPAA HITRUST 9.2"
}

# GCP Organization Policy for compliance
resource "google_organization_policy" "restrict_regions" {
  org_id     = var.org_id
  constraint = "constraints/gcp.resourceLocations"

  list_policy {
    allow {
      values = ["in:us-locations"]
    }
  }
}

Multi-Cloud Compliance Checklist

AreaRequirementHow to Verify
IdentityMFA everywhere, least privilege, regular access reviewsIAM Access Analyzer, Entra Reviews, IAM Recommender
EncryptionAt rest (AES-256), in transit (TLS 1.2+), key rotationConfig Rules, Azure Policy, SCC findings
LoggingAll management events, data access for sensitive resourcesCloudTrail, Activity Log, Audit Logs
NetworkPrivate endpoints, no public databases, WAFSecurity groups audit, NSG flow logs
Data residencyData stays in approved regionsSCPs, Azure Policy, Org Policies
Incident responseDocumented plan, regular drills, automated alertsAnnual tabletop exercises

Use Cloud-Native Compliance Tools

AWS Security Hub, Azure Defender for Cloud, and GCP Security Command Center all provide compliance dashboards that continuously assess your environment against common frameworks. Enable these services and review the compliance scores weekly. For multi-cloud visibility, consider third-party CSPM tools like Prisma Cloud, Wiz, or Orca that provide a unified compliance view across all providers.

Multi-Cloud Security Posture GuideAWS Security Hub Overview

Key Takeaways

  1. 1All major clouds have SOC 2, ISO 27001, HIPAA BAA, PCI-DSS Level 1, and FedRAMP certifications.
  2. 2The shared responsibility model means you must implement customer-side controls for compliance.
  3. 3HIPAA requires BAAs, eligible services only, encryption, access controls, and audit logging.
  4. 4Continuous compliance monitoring with Security Hub, Defender for Cloud, and SCC automates assessment.

Frequently Asked Questions

Does using a certified cloud provider make me compliant?
No. Cloud provider certifications cover the infrastructure layer. You are responsible for security in the cloud: data encryption, access controls, network configuration, and application security.
Which compliance framework should I start with?
SOC 2 for SaaS companies. HIPAA for healthcare data. PCI-DSS for payment processing. FedRAMP for federal agencies.

Written by CloudToolStack Team

Cloud engineers and architects with hands-on experience across AWS, Azure, and GCP. We write guides based on real-world production patterns, not just documentation rewrites.

Disclaimer: This guide is for educational purposes. Cloud services change frequently; always refer to official documentation for the latest information. AWS, Azure, and GCP are trademarks of their respective owners.