How It Works Pricing Blog Start Free Trial

How do I collect evidence from AWS for SOC 2?

March 6, 20262 min readSOC 2 Evidence Collection

AWS Evidence by SOC 2 Control

SOC 2 Control	AWS Service	Evidence to Capture
Access controls (CC6.1)	IAM	User list with policies, MFA status, password policy settings
Access controls (CC6.1)	IAM	Root account MFA enabled, access key rotation
Data protection (CC6.7)	S3	Bucket policies, public access block settings, encryption config
Data protection (CC6.7)	RDS/DynamoDB	Encryption at rest settings, backup configuration
Change management (CC8.1)	CloudTrail	Audit logging enabled for all regions
Monitoring (CC7.2)	CloudWatch	Alarms configured for critical metrics
Network security (CC6.6)	VPC	Security group rules, NACLs for production subnets

Step-by-Step Collection

IAM Evidence

Screenshot the IAM Users page showing all users
Screenshot MFA status for each user (should show "Enabled")
Screenshot the password policy settings
Screenshot key IAM policies (especially any custom policies)
Verify root account has MFA enabled and no access keys

S3 Evidence

Screenshot "Block Public Access" settings (should be enabled at account level)
For each bucket with sensitive data, screenshot encryption settings
Screenshot bucket policies for production buckets

Database Evidence

Screenshot RDS instance details showing encryption enabled
Screenshot backup configuration (automated backups, retention period)
Screenshot security group allowing access only from your application

CloudTrail and CloudWatch

Screenshot CloudTrail showing trails enabled in all regions
Screenshot CloudWatch alarms for critical events
Show a sample CloudTrail log entry demonstrating audit logging works

Tips

Only document services you use. Don't screenshot every AWS service — focus on what's in your SOC 2 scope.
Use AWS Config if available. AWS Config provides continuous compliance monitoring and can generate evidence reports.
Check for public exposure. Run the Trusted Advisor check or S3 access analyzer before the audit to catch publicly accessible resources.

Related Questions

SOC 2 Evidence Collection

How do I automate SOC 2 evidence collection?

Automate SOC 2 evidence collection by using tools that connect to your cloud providers and code repositories to pull configuration data, access logs, and control status automatically. GRC platforms handle infrastructure-level evidence. AI tools like Screenata additionally capture application-level evidence that GRC platforms miss.

SOC 2 Evidence Collection

How do I collect evidence from Vercel and GitHub for SOC 2?

Vercel and GitHub together provide strong SOC 2 evidence for deployment controls and change management. From GitHub, capture branch protection settings, PR reviews, and CI pipeline results. From Vercel, capture deployment logs, environment variable management, and preview deployment settings.

SOC 2 Evidence Collection

How do I collect MFA evidence for SOC 2?

SOC 2 MFA evidence proves that multi-factor authentication is enforced (not just available) across all critical systems. Capture screenshots of your identity provider showing MFA is required, and show user lists confirming all accounts have MFA active. Cover your SSO provider, cloud accounts, and code repositories.

Ready to Automate Your Compliance?

Join 50+ companies automating their compliance evidence with Screenata.

Start Free Trial →