
Quiz: Chapter 58 -- Compliance Automation

Test your knowledge of compliance automation fundamentals, Policy-as-Code engines, continuous compliance monitoring, multi-framework harmonization, evidence collection automation, risk-based compliance, and audit preparation. This quiz spans easy, medium, and hard difficulty levels to validate readiness for real-world compliance-as-code implementations.

See also: Chapter 58 -- Compliance Automation & Continuous Assurance


Easy (5 questions)

1. Which open-source general-purpose policy engine uses the Rego language to express policy-as-code and is commonly deployed as a Kubernetes admission controller via Gatekeeper?

  • A) Chef InSpec
  • B) Open Policy Agent (OPA)
  • C) HashiCorp Sentinel
  • D) AWS Config Rules
Answer

B -- Open Policy Agent (OPA)

Open Policy Agent (OPA) is a CNCF graduated project that provides a unified policy language (Rego) and engine for expressing and enforcing policies across microservices, Kubernetes (via Gatekeeper), CI/CD pipelines, API gateways, and more. Rego is a declarative query language designed specifically for policy evaluation. Gatekeeper integrates OPA with Kubernetes as a validating admission webhook, rejecting non-compliant manifests at admission time. Refer to Chapter 58 Section 58.1.


2. What is the fundamental difference between continuous compliance monitoring and traditional point-in-time audits?

  • A) Continuous compliance only reviews logs once per year
  • B) Continuous compliance monitors control effectiveness in near real-time using automated evidence collection, whereas point-in-time audits sample controls on a scheduled basis (quarterly or annually)
  • C) Point-in-time audits produce machine-readable output while continuous compliance does not
  • D) They are functionally identical and only the name differs
Answer

B -- Continuous monitoring is near real-time with automation

Point-in-time audits sample controls at a scheduled moment (e.g., the last two weeks of Q4) and rely on manually collected evidence. Continuous compliance uses automated collectors, policy engines, and dashboards to evaluate controls every minute or on every change. This dramatically reduces the window of undetected drift and shifts evidence collection from a human-driven scramble to an always-on data stream. Refer to Chapter 58 Section 58.2.


3. Which AWS service provides continuous assessment of resource configurations against a defined set of managed or custom compliance rules?

  • A) AWS CloudTrail
  • B) Amazon GuardDuty
  • C) AWS Config
  • D) AWS Trusted Advisor
Answer

C -- AWS Config

AWS Config continuously records resource configurations and evaluates them against Config Rules (managed AWS rules or custom Lambda/Guard rules). Non-compliant resources are flagged on a dashboard and can trigger automatic remediation through SSM Automation documents. AWS Config is the primary policy-as-code enforcement layer for AWS resources and integrates with AWS Security Hub for aggregated compliance scoring. Refer to Chapter 58 Section 58.1.


4. In Kubernetes, which tool extends OPA to provide native admission control for validating cluster resources against policy?

  • A) Kyverno (only)
  • B) Gatekeeper
  • C) Istio
  • D) Falco
Answer

B -- Gatekeeper

Gatekeeper is the Kubernetes-native project that integrates OPA as a validating and mutating admission controller. Policies are defined via ConstraintTemplates (which wrap Rego) and Constraints (which parameterize the templates). Kyverno is an alternative policy engine that uses YAML instead of Rego, but Gatekeeper is specifically the OPA-based option. Refer to Chapter 58 Section 58.1.


5. What is the primary purpose of a compliance-as-code CI/CD gate?

  • A) To replace all human review of pull requests
  • B) To block or flag merges and deployments that would violate compliance requirements, moving detection left before production
  • C) To encrypt all source code at rest
  • D) To perform network penetration testing during builds
Answer

B -- Block non-compliant changes before production

Compliance-as-code gates evaluate infrastructure-as-code (Terraform, CloudFormation), container images, Kubernetes manifests, and application configurations at pull request time. Violations (e.g., public S3 buckets, missing encryption, privileged containers) fail the build and block the merge. This shifts compliance left, catches drift before it reaches production, and generates evidence automatically for auditors. Refer to Chapter 58 Section 58.3.


Medium (5 questions)

6. A CISO wants to reduce duplicate evidence collection across SOC 2, ISO 27001, and PCI-DSS audits. Which approach directly addresses this?

  • A) Hiring three separate audit firms
  • B) Multi-framework harmonization through a unified control catalog that maps each internal control to all applicable framework requirements, allowing a single evidence artifact to satisfy multiple audits
  • C) Running three parallel audits each quarter
  • D) Only pursuing one certification at a time
Answer

B -- Multi-framework harmonization

Frameworks like the Secure Controls Framework (SCF), NIST CSF crosswalks, and commercial GRC platforms (Drata, Vanta, Secureframe) maintain control-to-framework mappings. A single internal control such as "All production databases must be encrypted at rest" can simultaneously satisfy PCI-DSS 3.5, HIPAA 164.312(a)(2)(iv), SOC 2 CC6.1, and ISO 27001 A.10.1.1. Evidence collected once (KMS configuration, AWS Config rule status) feeds all audits. Refer to Chapter 58 Section 58.4.


7. Which regulation imposes a 72-hour breach notification requirement to supervisory authorities and heavily influences compliance automation for data processing controls?

  • A) SOX (Sarbanes-Oxley)
  • B) PCI-DSS
  • C) GDPR
  • D) FedRAMP Moderate
Answer

C -- GDPR

GDPR Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach. This tight window makes compliance automation critical: automated detection, scope assessment, and notification workflow triggering are essential to meet the deadline. PCI-DSS, SOX, and FedRAMP have different breach and reporting requirements but none with the same 72-hour supervisory clock. Refer to Chapter 58 Section 58.4.


8. An engineer writes an OPA Rego rule that evaluates Terraform plans and blocks any aws_s3_bucket resource without server-side encryption. At which stage of the pipeline does this check provide maximum value?

  • A) After deployment to production
  • B) During pull request validation, before merge, so the violation never reaches any environment
  • C) During the annual audit
  • D) Only during disaster recovery testing
Answer

B -- Pull request validation, before merge

The earliest viable detection point gives the most value. Catching the encryption misconfiguration at PR time prevents it from ever being applied, avoids rework in lower environments, and gives the developer immediate feedback. Tools like Conftest, Checkov, and Terraform Cloud Sentinel enable this pattern. Post-deployment detection (via AWS Config) is a valuable backstop but not the primary defense. Refer to Chapter 58 Section 58.3.


9. A FedRAMP Moderate system must demonstrate continuous monitoring of all 323 NIST 800-53 rev5 Moderate baseline controls. Which automation pattern best supports this requirement?

  • A) Quarterly manual control reviews documented in Word
  • B) An OSCAL-based SSP with automated evidence collectors tied to each control, publishing a machine-readable continuous monitoring dashboard and monthly POA&M updates
  • C) Only performing penetration testing once per year
  • D) Disabling all FedRAMP controls to simplify operations
Answer

B -- OSCAL-based SSP with automated collectors

The Open Security Controls Assessment Language (OSCAL) is a NIST-developed, machine-readable format for security documentation (SSPs, SAPs, SARs, POA&Ms). FedRAMP is actively adopting OSCAL. Automated collectors map control implementations to evidence streams (AWS Config rules, vulnerability scans, access reviews), and continuous monitoring dashboards expose control status to the Authorizing Official. POA&M entries are generated and tracked automatically. Refer to Chapter 58 Section 58.5.


10. Which statement best describes risk-based compliance?

  • A) Ignoring low-risk controls completely
  • B) Prioritizing control testing frequency, depth, and remediation SLAs based on the likelihood and impact of control failure rather than treating every control equally
  • C) Only complying when convenient
  • D) Delegating all compliance decisions to auditors
Answer

B -- Prioritize based on likelihood and impact

Risk-based compliance acknowledges that not every control carries equal weight. A control protecting cardholder data (PCI 3.4) warrants more frequent testing and tighter SLAs than a control over marketing email retention. Risk scoring (likelihood x impact) drives testing cadence, evidence freshness requirements, and remediation deadlines. This aligns compliance investment with actual risk reduction. Refer to Chapter 58 Section 58.6.


Hard (5 questions)

11. An OPA Gatekeeper ConstraintTemplate enforces that all pods carry a costcenter label. During a surge, the platform team needs to allow a temporary exemption for pods in namespace incident-response-rt1.example.com. Which approach best preserves auditability?

  • A) Disable Gatekeeper cluster-wide for 24 hours
  • B) Add an excludedNamespaces entry in the Constraint spec, commit the change through PR review, record the rationale in the PR, and re-enable the control via a scheduled reversion PR with automated alerting on exemption expiration
  • C) Delete the ConstraintTemplate and rebuild later
  • D) Grant cluster-admin to all responders
Answer

B -- Scoped, PR-reviewed exemption with expiration

Auditable exceptions are a core compliance automation pattern. The exemption is scoped (only the incident namespace), peer-reviewed (PR), documented (PR body), time-bound (scheduled reversion), and monitored (alerting if the exemption outlives its plan). This contrasts with disabling controls cluster-wide (no scope) or ad-hoc kubectl edits (no audit trail). GRC teams accept this pattern because every element of the exemption is evidence. Refer to Chapter 58 Section 58.3.


12. During a SOC 2 Type II audit preparation, the team must demonstrate that user access reviews were performed every 90 days over the 12-month audit period. Which evidence-collection architecture most efficiently satisfies the auditor's sampling requests?

  • A) Asking managers to forward email confirmations into a shared mailbox
  • B) An automated pipeline that extracts identity and access data from IdP (e.g., Okta at okta.acme.example.com), generates quarterly review packages per application owner, records reviewer decisions (keep/revoke) with timestamps in an immutable store, and publishes a dashboard with control KPIs and links to raw evidence for each sample
  • C) Screenshotting admin consoles the week before the audit starts
  • D) Relying on the auditor to pull evidence directly from production systems
Answer

B -- Automated pipeline with immutable evidence store

The audit-ready architecture produces evidence as a byproduct of the control, not as an afterthought. Each quarterly review generates a signed, timestamped artifact (CSV + reviewer attestation + decision log) stored in an append-only bucket (e.g., S3 with Object Lock). The dashboard shows on-time completion rate (a KPI), and drill-down links produce sample evidence on demand. The auditor receives a curated population, samples from it, and verifies artifacts -- all without disrupting engineers. Refer to Chapter 58 Section 58.5.


13. A PCI-DSS 4.0 environment requires that all changes to the cardholder data environment (CDE) follow documented change control (Requirement 6.5.2). Which compliance-as-code pipeline design enforces this while generating audit evidence automatically?

  • A) Developers push directly to main and email the change summary
  • B) A protected main branch requires signed commits, a passing OPA policy check that validates the change affects only allowed resources, mandatory two-person review (including a CAB-delegated approver), automated ticket linkage (Jira CHG-XXXX referenced in the PR), and an immutable CI artifact containing the diff, approvers, timestamps, and policy evaluation results
  • C) Running terraform apply locally and saving the output to a personal folder
  • D) Granting push access only to the CTO
Answer

B -- Protected branch with signed commits and policy gates

PCI-DSS 6.5.2 requires documented change control including impact analysis, documented approval, functionality testing, and back-out procedures. A code pipeline satisfies this when every change is traceable (signed commits + ticket linkage), reviewed (two-person), policy-validated (OPA), and evidenced (CI artifact). The CI artifact becomes the auditor's sample -- each production change has a corresponding signed evidence bundle. This design also supports SOX 404 IT general controls (ITGCs). Refer to Chapter 58 Section 58.3.


14. A healthcare organization processes ePHI under HIPAA and also accepts payments subject to PCI-DSS 4.0. A single control states: "All access to databases containing ePHI or cardholder data must be logged, retained for 6 years, and reviewed quarterly." Which cross-mapping pitfall must the compliance automation team avoid?

  • A) Collecting evidence only once per year
  • B) Assuming that satisfying the stricter retention (6 years, HIPAA) automatically satisfies PCI-DSS audit log requirements, without verifying PCI-DSS 10.x specifics (e.g., integrity protections, time synchronization, specific events, and one-year online + additional offline retention requirements)
  • C) Encrypting logs at rest
  • D) Using a SIEM at all
Answer

B -- Stricter retention does not auto-satisfy other requirements

Multi-framework harmonization fails when teams assume "the longest number wins." PCI-DSS 10 has very specific requirements: log integrity (file integrity monitoring or centralized logging), time synchronization (NTP), specific auditable events, 12 months online with at least 3 months immediately accessible, plus additional retention. HIPAA's 6-year retention satisfies the duration but not the integrity, NTP, or event-specification requirements. The unified control must satisfy every applicable requirement from every mapped framework (their union), not just the longest clock. Refer to Chapter 58 Section 58.4.


15. An auditor requests evidence that 100% of production EC2 instances in account 203.0.113.0/24-connected VPCs are patched to within 30 days of a critical CVE release, covering the past 12 months. The GRC team must produce a defensible population, samples, and exception list within one business day. Which automated architecture makes this feasible?

  • A) Running a one-time ad-hoc query against live systems
  • B) A continuous control with (1) daily snapshot of the instance inventory from AWS Config and SSM Inventory into an immutable data lake partitioned by date, (2) daily import of Systems Manager Patch Manager compliance state joined to vulnerability scanner findings, (3) nightly job computing per-instance patch latency against NVD CVE publication timestamps, (4) exceptions tracked in a ticketed register with approver and expiry, and (5) a query interface that reproduces any historical point-in-time state on demand
  • C) Asking the SOC to manually count patched instances
  • D) Trusting the vulnerability scanner's live dashboard without history
Answer

B -- Continuous control with immutable historical data lake

The auditor's request implies a population reconstruction at any historical date, not just today. An immutable daily partition (Parquet in S3 with Object Lock, or a governed Delta/Iceberg table) allows "as-of" queries that reproduce the exact state on any prior day. Joining inventory with patch compliance and CVE publication dates yields per-instance latency metrics. The exception register explains every deviation with an auditable approval trail. This architecture turns a one-day panic into a 15-minute query, and it satisfies SOC 2 CC7.1, PCI-DSS 6.3.3, and NIST 800-53 SI-2 simultaneously. Refer to Chapter 58 Section 58.5.


Score Yourself

  • 13-15 correct: Expert. Ready to design and operate a full compliance automation program.
  • 10-12 correct: Strong. Review the sections for any missed hard questions and rerun.
  • 7-9 correct: Developing. Revisit Chapter 58 Sections 58.3 through 58.6 and attempt again.
  • Below 7: Re-read Chapter 58 -- Compliance Automation & Continuous Assurance end-to-end before retaking.
